{ "type": "Domain", "indicator": "rt-guard.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/rt-guard.com", "alexa": "http://www.alexa.com/siteinfo/rt-guard.com", "indicator": "rt-guard.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4079307868, "indicator": "rt-guard.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "698c507b6fa354503c07514d", "name": "EbeeFeb2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-13T09:35:12.591000", "created": "2026-02-11T09:48:43.368000", "tags": [ "filehashsha1", "filehashsha256", "filehashmd5", "ipv6240e", "cve20261281 cve", "yara" ], "references": [ "IOCs.3.csv" ], "public": 1, "adversary": "DKnife, Supply chain attack targeting dYdX, RCtea Botnet, ClawHavoc, CrashFix, Prometei", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 122, "FileHash-MD5": 181, "FileHash-SHA1": 169, "FileHash-SHA256": 211, "CVE": 9, "SSLCertFingerprint": 2, "domain": 40, "email": 5, "hostname": 45 }, "indicator_count": 784, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "82 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6989f0352472965e54698761", "name": "Beware of Malicious Steam Cleanup Tool Attack Windows Machines to Deploy Backdoor Malware", "description": "A sophisticated backdoor malware campaign has emerged targeting Windows users through a weaponized version of SteamCleaner, according to ASEC security researchers and a team of researchers from the University of California, Los Angeles.", "modified": "2026-02-09T14:33:25.370000", "created": "2026-02-09T14:33:25.370000", "tags": [ "uuid", "github", "source", "asec", "powershell", "windows", "steamcleaner", "steam gaming", "september", "asec security" ], "references": [ "https://cybersecuritynews.com/malicious-steam-cleanup-tool-attack-windows-machines/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "landshark11", "id": "75138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "114 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916aa77dacfe4a69f394336", "name": "EbeeNov2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-20T21:02:55.026000", "created": "2025-11-14T04:05:11.738000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256" ], "references": [ "Nov.Week2.csv" ], "public": 1, "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 100, "FileHash-SHA256": 131, "URL": 117, "domain": 263, "hostname": 18, "email": 1 }, "indicator_count": 791, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "164 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916a9fe746743e69478d360", "name": "EbeeNov2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-14T03:00:57.826000", "created": "2025-11-14T04:03:10.501000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20179805 cve" ], "references": [], "public": 1, "adversary": "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 207, "FileHash-SHA1": 174, "FileHash-SHA256": 237, "domain": 153, "URL": 85, "CVE": 5, "hostname": 39 }, "indicator_count": 900, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "171 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69154c65dd92010f5dc94861", "name": "IOC - Distribution of Backdoor Malware with Legitimate Signature, Disguised as Steam Cleanup Tool", "description": "Multiple cases have been reported where malware disguised as the \u201cSteamCleaner\u201d tool for cleaning the popular game platform Steam client is being distributed. When a system is infected with this malware, a malicious Node.js script resides on the user\u2019s PC and communicates with the C2 server periodically, allowing threat actors to execute commands.\nSteamCleaner is an open-source tool that cleans up junk files in the Steam client. It has not been updated since September 2018.", "modified": "2025-11-13T03:11:33.462000", "created": "2025-11-13T03:11:33.462000", "tags": [], "references": [ "https://asec.ahnlab.com/en/90969/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "domain": 5 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "202 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69150258762bfa0fdab9ec05", "name": "Backdoor malware with a legitimate signature is being distributed disguised as a Steam cleanup tool.", "description": "A new distribution of backdoor malware has emerged, masquerading as a legitimate application known as \"SteamCleaner,\" which is marketed as a cleanup tool for the Steam gaming platform. This malware leverages a valid digital signature to enhance its credibility and avoid detection, allowing it to infiltrate user systems more effectively.\n\nOnce installed, the malicious software introduces a Node.js script that operates on the compromised machine. This script establishes periodic communication with a command and control (C2) server, enabling the threat actors to execute various commands remotely. The backdoor functionality of this malware poses significant risks, as it allows for unauthorized access and control over the user's system, potentially leading to further exploitation or data theft.", "modified": "2025-11-12T21:55:36.730000", "created": "2025-11-12T21:55:36.730000", "tags": [ "proxyware", "steamcleaner", "powershell", "asec", "github", "json", "agentversion", "uuid", "4tressx", "steam", "atip", "url https" ], "references": [ "https://asec.ahnlab.com/ko/90915/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-MD5": 7, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "202 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.3.csv", "https://asec.ahnlab.com/en/90969/", "https://cybersecuritynews.com/malicious-steam-cleanup-tool-attack-windows-machines/", "Nov.Week2.csv", "https://asec.ahnlab.com/ko/90915/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu", "DKnife, Supply chain attack targeting dYdX, RCtea Botnet, ClawHavoc, CrashFix, Prometei", "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "698c507b6fa354503c07514d", "name": "EbeeFeb2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-13T09:35:12.591000", "created": "2026-02-11T09:48:43.368000", "tags": [ "filehashsha1", "filehashsha256", "filehashmd5", "ipv6240e", "cve20261281 cve", "yara" ], "references": [ "IOCs.3.csv" ], "public": 1, "adversary": "DKnife, Supply chain attack targeting dYdX, RCtea Botnet, ClawHavoc, CrashFix, Prometei", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 122, "FileHash-MD5": 181, "FileHash-SHA1": 169, "FileHash-SHA256": 211, "CVE": 9, "SSLCertFingerprint": 2, "domain": 40, "email": 5, "hostname": 45 }, "indicator_count": 784, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "82 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6989f0352472965e54698761", "name": "Beware of Malicious Steam Cleanup Tool Attack Windows Machines to Deploy Backdoor Malware", "description": "A sophisticated backdoor malware campaign has emerged targeting Windows users through a weaponized version of SteamCleaner, according to ASEC security researchers and a team of researchers from the University of California, Los Angeles.", "modified": "2026-02-09T14:33:25.370000", "created": "2026-02-09T14:33:25.370000", "tags": [ "uuid", "github", "source", "asec", "powershell", "windows", "steamcleaner", "steam gaming", "september", "asec security" ], "references": [ "https://cybersecuritynews.com/malicious-steam-cleanup-tool-attack-windows-machines/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "landshark11", "id": "75138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "114 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916aa77dacfe4a69f394336", "name": "EbeeNov2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-20T21:02:55.026000", "created": "2025-11-14T04:05:11.738000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256" ], "references": [ "Nov.Week2.csv" ], "public": 1, "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 100, "FileHash-SHA256": 131, "URL": 117, "domain": 263, "hostname": 18, "email": 1 }, "indicator_count": 791, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "164 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916a9fe746743e69478d360", "name": "EbeeNov2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-14T03:00:57.826000", "created": "2025-11-14T04:03:10.501000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20179805 cve" ], "references": [], "public": 1, "adversary": "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 207, "FileHash-SHA1": 174, "FileHash-SHA256": 237, "domain": 153, "URL": 85, "CVE": 5, "hostname": 39 }, "indicator_count": 900, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "171 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69154c65dd92010f5dc94861", "name": "IOC - Distribution of Backdoor Malware with Legitimate Signature, Disguised as Steam Cleanup Tool", "description": "Multiple cases have been reported where malware disguised as the \u201cSteamCleaner\u201d tool for cleaning the popular game platform Steam client is being distributed. When a system is infected with this malware, a malicious Node.js script resides on the user\u2019s PC and communicates with the C2 server periodically, allowing threat actors to execute commands.\nSteamCleaner is an open-source tool that cleans up junk files in the Steam client. It has not been updated since September 2018.", "modified": "2025-11-13T03:11:33.462000", "created": "2025-11-13T03:11:33.462000", "tags": [], "references": [ "https://asec.ahnlab.com/en/90969/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "domain": 5 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "202 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69150258762bfa0fdab9ec05", "name": "Backdoor malware with a legitimate signature is being distributed disguised as a Steam cleanup tool.", "description": "A new distribution of backdoor malware has emerged, masquerading as a legitimate application known as \"SteamCleaner,\" which is marketed as a cleanup tool for the Steam gaming platform. This malware leverages a valid digital signature to enhance its credibility and avoid detection, allowing it to infiltrate user systems more effectively.\n\nOnce installed, the malicious software introduces a Node.js script that operates on the compromised machine. This script establishes periodic communication with a command and control (C2) server, enabling the threat actors to execute various commands remotely. The backdoor functionality of this malware poses significant risks, as it allows for unauthorized access and control over the user's system, potentially leading to further exploitation or data theft.", "modified": "2025-11-12T21:55:36.730000", "created": "2025-11-12T21:55:36.730000", "tags": [ "proxyware", "steamcleaner", "powershell", "asec", "github", "json", "agentversion", "uuid", "4tressx", "steam", "atip", "url https" ], "references": [ "https://asec.ahnlab.com/ko/90915/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-MD5": 7, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "202 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "rt-guard.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "rt-guard.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780504235.1216173 }