{ "type": "Domain", "indicator": "riverview-pools.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/riverview-pools.com", "alexa": "http://www.alexa.com/siteinfo/riverview-pools.com", "indicator": "riverview-pools.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4042336599, "indicator": "riverview-pools.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "67ef854620c41c3fd65378db", "name": "Proactive ClickFix Threat Hunting with Hunt.io", "description": "ClickFix is a browser-based delivery technique that uses deceptive prompts and clipboard hijacking to trick users into executing malicious commands. Cybercriminals and advanced actors employ this method to deploy malware, primarily information stealers. The technique involves luring users with fake system alerts or CAPTCHA challenges, then silently staging payloads for execution. The article describes how Hunt.io's research team used custom queries to identify web infrastructure associated with ClickFix delivery, uncovering multiple live domains serving malicious content. Examples include a Bitcoin-themed domain posing as Cloudflare WAF to deliver Lumma and CryptBot malware, a page targeting Zoho Office Suite credentials, and a compromised website abusing PowerShell. The report emphasizes the growing traction of ClickFix as a low-friction method for malware delivery and credential harvesting.", "modified": "2025-05-04T07:02:31.627000", "created": "2025-04-04T07:07:50.749000", "tags": [ "powershell", "threat hunting", "lumma stealer", "malware delivery", "clipboard hijacking", "information stealers", "credential theft", "clickfix", "captcha", "browser-based attacks", "cryptbot" ], "references": [ "https://hunt.io/blog/clickfix-pages-proactive-threat-hunting" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "CryptBot", "display_name": "CryptBot", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 8, "URL": 4, "domain": 15 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 386495, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d47764f2270074641b9efa", "name": "clone urlhaus 23may CREATED 11 MONTHS AGO MODIFIED 2 MONTHS AGO by skocherhan Public TLP: Green REFERENCE: https://urlhaus.abuse.ch/downloads/json_online/", "description": "", "modified": "2026-04-07T03:17:56.739000", "created": "2026-04-07T03:17:56.739000", "tags": [], "references": [ "https://urlhaus.abuse.ch/downloads/json_online/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "682fec831be07e4fdf69fe47", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 16, "FileHash-SHA256": 1, "CVE": 11, "URL": 12396, "domain": 433, "hostname": 572 }, "indicator_count": 13458, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "54 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682fec831be07e4fdf69fe47", "name": "urlhaus 23may", "description": "", "modified": "2026-02-09T00:10:22.199000", "created": "2025-05-23T03:33:23.189000", "tags": [], "references": [ "https://urlhaus.abuse.ch/downloads/json_online/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 16, "FileHash-SHA256": 1, "CVE": 11, "URL": 12396, "domain": 433, "hostname": 572 }, "indicator_count": 13458, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889ebeb317457163ab8fa42", "name": "Emmenhtal loader", "description": "Campaigns that used Emmenhtal to deliver various payloads", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-30T09:54:51.943000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688b0dde98e8d32361238f0f", "name": "Emmenhtal Loader Campaign deliver various payloads [IMEBEEIMFINE]", "description": "", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-31T06:31:58.326000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6889ebeb317457163ab8fa42", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c4f2ee05bed18e69b0faab", "name": "URLHaus data - 02-03-2025", "description": "", "modified": "2025-04-02T00:04:46.454000", "created": "2025-03-03T00:08:14.500000", "tags": [ "32-bit", "elf", "mips", "Mozi", "arm", "hajime", "ClearFake", "hta", "lnk", "xml-opendir", "Quakbot", "mirai", "Havoc", "opendir", "AsyncRAT", "ClickFix", "exe", "FakeCaptcha", "rustystealer", "dllHijack", "HijackLoader", "IDATLoader", "LummaStealer", "zip", "html", "ps1", "pw-poiuytrewq1234", "rar", "trycloudflare", "censys", "backdoor", "sshdkit", "MetaStealer", "WsgiDAV", "redir-302", "stealer", "botnetdomain", "fbi.gov", "moobot", "gafgyt", "sh", "CoinMiner", "scr", "x86-32", "Lumma", "tag:captcha", "Amadey", "c2", "dll", "rev-base64-loader", "base64-loader", "SystemBC", "ascii", "Encoded", "Vidar", "CobaltStrike", "meterpreter" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "hostname": 79, "domain": 46 }, "indicator_count": 1125, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "424 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://urlhaus.abuse.ch/downloads/json_online/", "https://urlhaus.abuse.ch/browse/", "https://hunt.io/blog/clickfix-pages-proactive-threat-hunting", "Emmenhtal.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Lumma stealer", "Cryptbot" ], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "67ef854620c41c3fd65378db", "name": "Proactive ClickFix Threat Hunting with Hunt.io", "description": "ClickFix is a browser-based delivery technique that uses deceptive prompts and clipboard hijacking to trick users into executing malicious commands. Cybercriminals and advanced actors employ this method to deploy malware, primarily information stealers. The technique involves luring users with fake system alerts or CAPTCHA challenges, then silently staging payloads for execution. The article describes how Hunt.io's research team used custom queries to identify web infrastructure associated with ClickFix delivery, uncovering multiple live domains serving malicious content. Examples include a Bitcoin-themed domain posing as Cloudflare WAF to deliver Lumma and CryptBot malware, a page targeting Zoho Office Suite credentials, and a compromised website abusing PowerShell. The report emphasizes the growing traction of ClickFix as a low-friction method for malware delivery and credential harvesting.", "modified": "2025-05-04T07:02:31.627000", "created": "2025-04-04T07:07:50.749000", "tags": [ "powershell", "threat hunting", "lumma stealer", "malware delivery", "clipboard hijacking", "information stealers", "credential theft", "clickfix", "captcha", "browser-based attacks", "cryptbot" ], "references": [ "https://hunt.io/blog/clickfix-pages-proactive-threat-hunting" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "CryptBot", "display_name": "CryptBot", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 8, "URL": 4, "domain": 15 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 386495, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d47764f2270074641b9efa", "name": "clone urlhaus 23may CREATED 11 MONTHS AGO MODIFIED 2 MONTHS AGO by skocherhan Public TLP: Green REFERENCE: https://urlhaus.abuse.ch/downloads/json_online/", "description": "", "modified": "2026-04-07T03:17:56.739000", "created": "2026-04-07T03:17:56.739000", "tags": [], "references": [ "https://urlhaus.abuse.ch/downloads/json_online/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "682fec831be07e4fdf69fe47", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 16, "FileHash-SHA256": 1, "CVE": 11, "URL": 12396, "domain": 433, "hostname": 572 }, "indicator_count": 13458, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "54 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682fec831be07e4fdf69fe47", "name": "urlhaus 23may", "description": "", "modified": "2026-02-09T00:10:22.199000", "created": "2025-05-23T03:33:23.189000", "tags": [], "references": [ "https://urlhaus.abuse.ch/downloads/json_online/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 16, "FileHash-SHA256": 1, "CVE": 11, "URL": 12396, "domain": 433, "hostname": 572 }, "indicator_count": 13458, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889ebeb317457163ab8fa42", "name": "Emmenhtal loader", "description": "Campaigns that used Emmenhtal to deliver various payloads", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-30T09:54:51.943000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688b0dde98e8d32361238f0f", "name": "Emmenhtal Loader Campaign deliver various payloads [IMEBEEIMFINE]", "description": "", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-31T06:31:58.326000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6889ebeb317457163ab8fa42", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c4f2ee05bed18e69b0faab", "name": "URLHaus data - 02-03-2025", "description": "", "modified": "2025-04-02T00:04:46.454000", "created": "2025-03-03T00:08:14.500000", "tags": [ "32-bit", "elf", "mips", "Mozi", "arm", "hajime", "ClearFake", "hta", "lnk", "xml-opendir", "Quakbot", "mirai", "Havoc", "opendir", "AsyncRAT", "ClickFix", "exe", "FakeCaptcha", "rustystealer", "dllHijack", "HijackLoader", "IDATLoader", "LummaStealer", "zip", "html", "ps1", "pw-poiuytrewq1234", "rar", "trycloudflare", "censys", "backdoor", "sshdkit", "MetaStealer", "WsgiDAV", "redir-302", "stealer", "botnetdomain", "fbi.gov", "moobot", "gafgyt", "sh", "CoinMiner", "scr", "x86-32", "Lumma", "tag:captcha", "Amadey", "c2", "dll", "rev-base64-loader", "base64-loader", "SystemBC", "ascii", "Encoded", "Vidar", "CobaltStrike", "meterpreter" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "hostname": 79, "domain": 46 }, "indicator_count": 1125, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "424 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "riverview-pools.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "riverview-pools.com", "found": true, "verdict": "malicious", "url_count": 1, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://riverview-pools.com/verify/index.html", "status": "offline", "threat": "malware_download", "date_added": "2025-03-02", "tags": [ "censys", "ClickFix", "FakeCaptcha", "html" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780214784.8177 }