{ "type": "Domain", "indicator": "rocondance.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/rocondance.com", "alexa": "http://www.alexa.com/siteinfo/rocondance.com", "indicator": "rocondance.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4041538502, "indicator": "rocondance.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "67c1c885ff2b160bf437f5ee", "name": "Russian campaign targeting Romanian WhatsApp numbers", "description": "A campaign originating from Russia has been identified, targeting Romanian WhatsApp users. The operation involves sending messages to victims, encouraging them to vote in a fake contest. When users click on the provided link, they are prompted to enter their WhatsApp number and an 8-character code, which grants the attackers access to the victim's account. The campaign uses multiple domains with Romanian-themed names, and evidence suggests previous targeting of English and Turkish-speaking users. The attackers exploit compromised accounts to spread the malicious messages further, potentially leading to account loss due to spamming. Users are advised against entering codes from suspicious websites to protect their WhatsApp accounts.", "modified": "2025-03-03T15:30:35.288000", "created": "2025-02-28T14:30:29.347000", "tags": [ "romania", "social engineering", "account takeover", "russia", "phishing", "whatsapp" ], "references": [ "https://cybergeeks.tech/russian-campaign-targeting-romanian-whatsapp-numbers/" ], "public": 1, "adversary": "", "targeted_countries": [ "Romania" ], "malware_families": [], "attack_ids": [ { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 27 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 386543, "modified_text": "454 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b1cecfc725a97072864376", "name": "Phishing", "description": "", "modified": "2026-03-11T20:21:35.598000", "created": "2026-03-11T20:21:35.598000", "tags": [ "phishing" ], "references": [ "https://x.com/tobersotski/status/2031656120159191232" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 568, "domain": 568 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "80 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://x.com/tobersotski/status/2031656120159191232", "https://cybergeeks.tech/russian-campaign-targeting-romanian-whatsapp-numbers/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "67c1c885ff2b160bf437f5ee", "name": "Russian campaign targeting Romanian WhatsApp numbers", "description": "A campaign originating from Russia has been identified, targeting Romanian WhatsApp users. The operation involves sending messages to victims, encouraging them to vote in a fake contest. When users click on the provided link, they are prompted to enter their WhatsApp number and an 8-character code, which grants the attackers access to the victim's account. The campaign uses multiple domains with Romanian-themed names, and evidence suggests previous targeting of English and Turkish-speaking users. The attackers exploit compromised accounts to spread the malicious messages further, potentially leading to account loss due to spamming. Users are advised against entering codes from suspicious websites to protect their WhatsApp accounts.", "modified": "2025-03-03T15:30:35.288000", "created": "2025-02-28T14:30:29.347000", "tags": [ "romania", "social engineering", "account takeover", "russia", "phishing", "whatsapp" ], "references": [ "https://cybergeeks.tech/russian-campaign-targeting-romanian-whatsapp-numbers/" ], "public": 1, "adversary": "", "targeted_countries": [ "Romania" ], "malware_families": [], "attack_ids": [ { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 27 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 386543, "modified_text": "454 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b1cecfc725a97072864376", "name": "Phishing", "description": "", "modified": "2026-03-11T20:21:35.598000", "created": "2026-03-11T20:21:35.598000", "tags": [ "phishing" ], "references": [ "https://x.com/tobersotski/status/2031656120159191232" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 568, "domain": 568 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "80 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "rocondance.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "rocondance.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780242273.4061446 }