{ "type": "Domain", "indicator": "root-head.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/root-head.com", "alexa": "http://www.alexa.com/siteinfo/root-head.com", "indicator": "root-head.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4020939798, "indicator": "root-head.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "68346f8776db76c6c5fe7022", "name": "Genesis Market Resurfaces: Malicious Browser Extension Targets User Data", "description": "Cybereason's Security Services Team has identified a resurgence of the Genesis Market threat, previously dismantled by law enforcement in early 2023. This new campaign involves the Lummastealer malware delivering a malicious browser extension that collects sensitive user data across multiple browsers, including Chrome, Edge, Brave, and Opera. The extension exfiltrates information such as clipboard content, cookies, browsing history, email data, and cryptocurrency wallet information to a command-and-control server. Genesis Market, an illicit platform, facilitates the sale of these stolen credentials, enabling cybercriminals to impersonate victims and bypass security measures.", "modified": "2025-05-26T13:41:27.454000", "created": "2025-05-26T13:41:27.454000", "tags": [ "c2 domain", "call", "market", "genesis market", "darkgate loader", "extension", "threat alert", "javascript", "chrome", "opera", "cobalt strike", "meterpreter", "first", "june", "monster", "model", "comment", "evolution", "never", "lumma infostealer" ], "references": [ "https://www.cybereason.com/blog/threat-alert-genesis-market" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Infostealer", "display_name": "Lumma Infostealer", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Financial", "Critical Infrastructure", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "BitcoinAddress": 1, "CVE": 1, "FileHash-MD5": 4, "FileHash-SHA1": 7, "FileHash-SHA256": 4, "domain": 20 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "370 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67768389d9fecc480a55978b", "name": "Usage of the LegionLoader malware to Steal Credentials", "description": "LegionLoader malware evolves, posing significant cybersecurity threats.", "modified": "2025-01-02T12:16:09.844000", "created": "2025-01-02T12:16:09.844000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 483, "FileHash-SHA1": 16, "FileHash-SHA256": 16, "URL": 43, "domain": 24 }, "indicator_count": 582, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "514 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.cybereason.com/blog/threat-alert-genesis-market" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Cobalt strike", "Lumma infostealer" ], "industries": [ "Critical infrastructure", "Government", "Financial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "68346f8776db76c6c5fe7022", "name": "Genesis Market Resurfaces: Malicious Browser Extension Targets User Data", "description": "Cybereason's Security Services Team has identified a resurgence of the Genesis Market threat, previously dismantled by law enforcement in early 2023. This new campaign involves the Lummastealer malware delivering a malicious browser extension that collects sensitive user data across multiple browsers, including Chrome, Edge, Brave, and Opera. The extension exfiltrates information such as clipboard content, cookies, browsing history, email data, and cryptocurrency wallet information to a command-and-control server. Genesis Market, an illicit platform, facilitates the sale of these stolen credentials, enabling cybercriminals to impersonate victims and bypass security measures.", "modified": "2025-05-26T13:41:27.454000", "created": "2025-05-26T13:41:27.454000", "tags": [ "c2 domain", "call", "market", "genesis market", "darkgate loader", "extension", "threat alert", "javascript", "chrome", "opera", "cobalt strike", "meterpreter", "first", "june", "monster", "model", "comment", "evolution", "never", "lumma infostealer" ], "references": [ "https://www.cybereason.com/blog/threat-alert-genesis-market" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Infostealer", "display_name": "Lumma Infostealer", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Financial", "Critical Infrastructure", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "BitcoinAddress": 1, "CVE": 1, "FileHash-MD5": 4, "FileHash-SHA1": 7, "FileHash-SHA256": 4, "domain": 20 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "370 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67768389d9fecc480a55978b", "name": "Usage of the LegionLoader malware to Steal Credentials", "description": "LegionLoader malware evolves, posing significant cybersecurity threats.", "modified": "2025-01-02T12:16:09.844000", "created": "2025-01-02T12:16:09.844000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 483, "FileHash-SHA1": 16, "FileHash-SHA256": 16, "URL": 43, "domain": 24 }, "indicator_count": 582, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "514 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "root-head.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "root-head.com", "found": true, "verdict": "malicious", "url_count": 1, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://root-head.com/2708.bs64", "status": "offline", "threat": "malware_download", "date_added": "2024-09-20", "tags": [ "ascii", "base64", "Encoded", "LegionLoader" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780256512.2631283 }