{ "type": "Domain", "indicator": "sdkk22.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/sdkk22.com", "alexa": "http://www.alexa.com/siteinfo/sdkk22.com", "indicator": "sdkk22.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3450636793, "indicator": "sdkk22.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69cd48ce7b65f7a9350024cd", "name": "EbeeMar2026 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:33:18.540000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 130, "FileHash-SHA1": 145, "FileHash-SHA256": 207, "CVE": 1, "URL": 25, "domain": 285, "email": 4, "hostname": 82 }, "indicator_count": 879, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c58c8bc2caac50175ad32e", "name": "HERALD SPIDER Infrastructure", "description": "This Pulse documents a large set of domains and IP addresses associated with malware delivery activity leveraging Cloudflare\u2011fronted infrastructure.\n\nObserved indicators include Cloudflare\u2011proxied domains across multiple TLDs (notably .top, .click, .life, and .ru\u2011related subdomains) used for hosting or delivering executable payloads, including first\u2011stage loader binaries. Network telemetry shows successful HTTP(S) responses from these domains, consistent with initial access or malware distribution behavior.\n\nThe infrastructure demonstrates common characteristics of commodity eCrime operations, including high domain churn, short\u2011lived subdomains, and reuse of shared Cloudflare edge IPs to obscure true origin servers.", "modified": "2026-04-25T19:28:40.684000", "created": "2026-03-26T19:44:08.916000", "tags": [ "malware-delivery", "initial-access", "unattributed", "loader", "ecrime", "infrastructure", "cloudflare-abuse" ], "references": [], "public": 1, "adversary": "Herald Spider", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "unkwnown", "display_name": "unkwnown", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [ "All" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Rokalien77", "id": "207164", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 78, "hostname": 24 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "37 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "628492d8e48a23476886f56d", "name": "NewDom-3-20220518", "description": "ICANN-Dom", "modified": "2022-07-02T00:05:39.094000", "created": "2022-05-18T06:31:52.495000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 201, "modified_text": "1430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "IOCs.2026.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Herald Spider", "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key" ], "malware_families": [ "Unkwnown" ], "industries": [ "All" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69cd48ce7b65f7a9350024cd", "name": "EbeeMar2026 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:33:18.540000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 130, "FileHash-SHA1": 145, "FileHash-SHA256": 207, "CVE": 1, "URL": 25, "domain": 285, "email": 4, "hostname": 82 }, "indicator_count": 879, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c58c8bc2caac50175ad32e", "name": "HERALD SPIDER Infrastructure", "description": "This Pulse documents a large set of domains and IP addresses associated with malware delivery activity leveraging Cloudflare\u2011fronted infrastructure.\n\nObserved indicators include Cloudflare\u2011proxied domains across multiple TLDs (notably .top, .click, .life, and .ru\u2011related subdomains) used for hosting or delivering executable payloads, including first\u2011stage loader binaries. Network telemetry shows successful HTTP(S) responses from these domains, consistent with initial access or malware distribution behavior.\n\nThe infrastructure demonstrates common characteristics of commodity eCrime operations, including high domain churn, short\u2011lived subdomains, and reuse of shared Cloudflare edge IPs to obscure true origin servers.", "modified": "2026-04-25T19:28:40.684000", "created": "2026-03-26T19:44:08.916000", "tags": [ "malware-delivery", "initial-access", "unattributed", "loader", "ecrime", "infrastructure", "cloudflare-abuse" ], "references": [], "public": 1, "adversary": "Herald Spider", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "unkwnown", "display_name": "unkwnown", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [ "All" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Rokalien77", "id": "207164", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 78, "hostname": 24 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "37 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "628492d8e48a23476886f56d", "name": "NewDom-3-20220518", "description": "ICANN-Dom", "modified": "2022-07-02T00:05:39.094000", "created": "2022-05-18T06:31:52.495000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 201, "modified_text": "1430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "sdkk22.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "sdkk22.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780351085.9335902 }