{ "type": "Domain", "indicator": "secondshop.store", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/secondshop.store", "alexa": "http://www.alexa.com/siteinfo/secondshop.store", "indicator": "secondshop.store", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2636089836, "indicator": "secondshop.store", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "6943cc1225854b7356ec39d2", "name": "Inside DPRK Operations: New Infrastructure Uncovered Across Global Campaigns", "description": "North Korean state-sponsored threat actors, including Lazarus and Kimsuky, continue to conduct widespread hacking operations for intelligence gathering, financial gain, and access. The investigation uncovered previously unconnected operational assets, revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked infrastructure. Key findings include a new Linux variant of the Badcall backdoor, extensive credential harvesting toolkits in open directories, and widespread deployment of Fast Reverse Proxy (FRP) instances. The analysis highlights consistent operational patterns across DPRK campaigns, such as reusing infrastructure, deploying identical FRP configurations, and leveraging shared certificates, providing defenders with actionable intelligence to proactively track DPRK activity.", "modified": "2026-01-17T09:01:20.119000", "created": "2025-12-18T09:40:34.326000", "tags": [ "dprk", "mailpassview", "blindingcan", "vps", "badcall", "quasar rat" ], "references": [ "https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered" ], "public": 1, "adversary": "Lazarus Group, Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "BADCALL - S0245", "display_name": "BADCALL - S0245", "target": null }, { "id": "HttpTroy", "display_name": "HttpTroy", "target": null }, { "id": "BLINDINGCAN - S0520", "display_name": "BLINDINGCAN - S0520", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "MailPassView", "display_name": "MailPassView", "target": null }, { "id": "WebBrowserPassView", "display_name": "WebBrowserPassView", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "domain": 1 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 386597, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69003b85c217870cc5794cc6", "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs", "description": "BlueNoroff, a financially motivated threat actor, has been conducting two sophisticated campaigns dubbed GhostCall and GhostHire. GhostCall targets macOS devices of tech executives and venture capitalists through fake Zoom-like meetings, while GhostHire targets Web3 developers through fake recruitment processes. Both campaigns utilize various malware chains, including ZoomClutch, DownTroy, CosmicDoor, RooTroy, and SilentSiphon. The attacks involve social engineering, AI-enhanced images, and multi-stage malware deployment across Windows, macOS, and Linux systems. BlueNoroff has expanded its focus beyond cryptocurrency theft to comprehensive data acquisition, enabling supply chain attacks and leveraging established trust relationships for broader impact.", "modified": "2025-10-28T09:30:13.914000", "created": "2025-10-28T03:41:57.869000", "tags": [ "zoomclutch", "rootroy", "sysphon", "silentsiphon", "sneakmain", "cosmicdoor", "cryptocurrency" ], "references": [ "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [ "Australia", "British Indian Ocean Territory", "France", "Hong Kong", "India", "Italy", "Japan", "Singapore", "Spain", "Sweden" ], "malware_families": [ { "id": "ZoomClutch", "display_name": "ZoomClutch", "target": null }, { "id": "TeamsClutch", "display_name": "TeamsClutch", "target": null }, { "id": "DownTroy", "display_name": "DownTroy", "target": null }, { "id": "CosmicDoor", "display_name": "CosmicDoor", "target": null }, { "id": "RooTroy", "display_name": "RooTroy", "target": null }, { "id": "RealTimeTroy", "display_name": "RealTimeTroy", "target": null }, { "id": "SneakMain", "display_name": "SneakMain", "target": null }, { "id": "SysPhon", "display_name": "SysPhon", "target": null }, { "id": "SilentSiphon", "display_name": "SilentSiphon", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1559.001", "name": "Component Object Model", "display_name": "T1559.001 - Component Object Model" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Technology", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 57, "FileHash-SHA1": 13, "FileHash-SHA256": 21, "URL": 28, "domain": 21, "hostname": 20 }, "indicator_count": 160, "is_author": false, "is_subscribing": null, "subscriber_count": 386594, "modified_text": "215 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6948bbc02cfac76276a88a2a", "name": "sfeffdfdddf", "description": "", "modified": "2026-01-21T03:08:45.079000", "created": "2025-12-22T03:32:13.853000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 4, "domain": 1 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "130 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6947ad3d824fe76885da743b", "name": "Inside DPRK Operations: New Lazarus and Kimsuky Infrastructure Uncovered Across Global Campaigns", "description": "Recent investigations into North Korean hacker operations have revealed the ongoing activities of groups such as Lazarus and Kimsuky. These state-sponsored cyber actors exploit sophisticated techniques for intelligence gathering, financial gain, and broader operational purposes. Their campaigns exhibit distinctive patterns, employing open directory structures as staging nodes, consistent use of credential harvesting tools, and repeating malicious infrastructure across various global campaigns.\n\nOne of the critical findings relates to the Badcall backdoor, which is linked to Lazarus operations. The Linux variant of Badcall played a notable role in the 2023 3CX supply-chain attack, indicating the malware's adaptability in shift and post-exploitation scenarios. Lazarus operations have also leveraged open directories containing a trove of credential-theft kits disguised as legitimate tools.", "modified": "2026-01-20T08:04:26.478000", "created": "2025-12-21T08:18:05.804000", "tags": [ "lazarus", "dprk", "lazarus group", "or ip", "kimsuky", "frp host", "ioc hunter", "hunt", "new lazarus", "variant", "quasar rat", "bluenoroff", "mailpassview", "stealc", "cluster", "defender", "blindingcan", "format", "passwordfox", "netpass", "dialupass", "august", "python", "hunter", "malware", "quasar", "poolrat", "inside", "linux", "badcall", "hunt.io" ], "references": [ "https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 12, "domain": 2 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "131 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694651bb66f152fd6154aa24", "name": "Hunting DPRK threats - New Global Lazarus & Kimsuky campaigns", "description": "Recent investigations into North Korean cyber threat actors, specifically the Lazarus and Kimsuky groups, reveal a series of sophisticated campaigns exploiting both operational patterns and advanced tools. These state-sponsored attackers are highly active and engage in a wide range of malicious activities, including espionage and financial theft, utilizing a shared toolkit comprising credential harvesting tools and malware.\n\nThe analysis disclosed notable operational methodologies of these groups. They routinely employ open directories as staging areas for their operations and exhibit consistent behaviors like deploying credential theft kits and using Fast Reverse Proxy (FRP) tunnels. These FRP setups operate on identical ports across various Virtual Private Servers (VPS), showcasing a shared infrastructure that simplifies tracking their activities despite the variations in malware and attack lures.", "modified": "2026-01-19T07:05:35.562000", "created": "2025-12-20T07:35:23.158000", "tags": [ "lazarus", "dprk", "lazarus group", "buttonfig", "frp host", "kimsuky", "ioc hunter", "badcall", "quasar rat", "variant", "bluenoroff", "mailpassview", "blindingcan", "main", "passwordfox", "netpass", "dialupass", "august", "python", "malware", "quasar", "poolrat", "hunt.io", "linux" ], "references": [ "https://www.acronis.com/en/tru/posts/acronis-tru-alliance-huntio-hunting-dprk-threats-new-global-lazarus-and-kimsuky-campaigns/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1587.003", "name": "Digital Certificates", "display_name": "T1587.003 - Digital Certificates" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 12, "domain": 2 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "132 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694b7787935986377b6067cf", "name": "Inside DPRK Operations: New Infrastructure Uncovered Across Global Campaigns", "description": "", "modified": "2026-01-17T09:01:20.119000", "created": "2025-12-24T05:17:59.940000", "tags": [ "dprk", "mailpassview", "blindingcan", "vps", "badcall", "quasar rat" ], "references": [ "https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered" ], "public": 1, "adversary": "Lazarus Group, Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "BADCALL - S0245", "display_name": "BADCALL - S0245", "target": null }, { "id": "HttpTroy", "display_name": "HttpTroy", "target": null }, { "id": "BLINDINGCAN - S0520", "display_name": "BLINDINGCAN - S0520", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "MailPassView", "display_name": "MailPassView", "target": null }, { "id": "WebBrowserPassView", "display_name": "WebBrowserPassView", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [], "TLP": "white", "cloned_from": "6943cc1225854b7356ec39d2", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "domain": 1 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6966340114e5dbd3decca476", "name": "TI Advisory No-ESAF-SOC-TI-2026-8", "description": "A look back at some of the most eye-catching snippets of this year's technology news:-a-year-old, in fact, has been described as \"epidemic\" by some.", "modified": "2026-01-13T12:01:05.055000", "created": "2026-01-13T12:01:05.055000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "domain": 526, "hostname": 682 }, "indicator_count": 1210, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "138 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6959adbcca6428aa9db7236e", "name": "TI Advisory No-ESAF-SOC-TI-2026-8", "description": "", "modified": "2026-01-04T00:01:00.758000", "created": "2026-01-04T00:01:00.758000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "domain": 537, "hostname": 887 }, "indicator_count": 1426, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "148 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691473b72eee91d1a6b22b4f", "name": "BlueNoroff Group cryptoaffair: \"ghost\" investments and bogus job offers", "description": "The BlueNoroff Group, known by various aliases including APT38 and TA444, has been actively targeting blockchain developers and Web3 executives through its operational campaigns, notably SnatchCrypto. A significant part of this operation involves the GhostCall and GhostHire campaigns, which exploit social engineering tactics. The GhostCall campaign, operational since mid-2023, employs deceptive video conferencing to recruit victims. Attackers masquerade as venture capitalists via platforms like Telegram, using compromised accounts of legitimate entrepreneurs. They initiate contact with potential targets and arrange meetings through spoofed Zoom links or direct messages, utilizing disguised phishing URLs. The attackers leverage multi-stage execution chains; the infection typically begins with the DownTroy malware, which downloads various self-contained executables, including keyloggers and data stealers like CosmicDoor and RooTroy.", "modified": "2025-12-12T11:04:05.038000", "created": "2025-11-12T11:47:02.981000", "tags": [ "apple macos", "apt", "bluenoroff", "chatgpt", "github", "linux", "microsoft windows", "telegram", "windows", "applescript", "zoom", "cosmicdoor", "downtroy", "rootroy", "gillyinjector", "base64", "macos", "rust", "python", "swift", "powershell", "path", "macho", "sapphire", "downexec", "exodus", "target", "agent", "installer", "ditto", "effect", "install", "premium", "zero", "konni", "themida", "lsass", "exodus web3", "lazarus", "huntress", "nim", "c https", "googie llc", "teamsclutch", "microsoft teams", "downtroy v1", "safariupdate" ], "references": [ "https://securelist.ru/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/113883/" ], "public": 1, "adversary": "BlueNoroff", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "FileHash-MD5": 57, "FileHash-SHA1": 25, "FileHash-SHA256": 33, "domain": 22, "hostname": 23 }, "indicator_count": 188, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69032eeb91df61e525fe5741", "name": "EbeeOct2025 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-29T09:05:33.273000", "created": "2025-10-30T09:24:59.370000", "tags": [], "references": [ "OCT.pdf" ], "public": 1, "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 166, "FileHash-SHA1": 122, "FileHash-SHA256": 190, "CVE": 9, "domain": 118, "email": 3, "hostname": 73 }, "indicator_count": 779, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "183 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69099ae3319099e17ce0969f", "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs", "description": "", "modified": "2025-11-04T06:19:15.728000", "created": "2025-11-04T06:19:15.728000", "tags": [ "googie llc", "cosmicdoor", "rust", "applescript", "teamsclutch", "microsoft teams", "downtroy v1", "safariupdate", "python", "rootroy chain" ], "references": [ "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6901bda4549c558a81dc00a5", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 25, "FileHash-SHA256": 25, "URL": 25, "domain": 21, "hostname": 18 }, "indicator_count": 170, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "208 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6902e567c252949d8c75e8c1", "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs", "description": "", "modified": "2025-10-30T04:11:19.757000", "created": "2025-10-30T04:11:19.757000", "tags": [ "zoomclutch", "rootroy", "sysphon", "silentsiphon", "sneakmain", "cosmicdoor", "cryptocurrency" ], "references": [ "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842" ], "public": 1, "adversary": "BlueNoroff", "targeted_countries": [ "Australia", "British Indian Ocean Territory", "France", "Hong Kong", "India", "Italy", "Japan", "Singapore", "Spain", "Sweden" ], "malware_families": [ { "id": "ZoomClutch", "display_name": "ZoomClutch", "target": null }, { "id": "TeamsClutch", "display_name": "TeamsClutch", "target": null }, { "id": "DownTroy", "display_name": "DownTroy", "target": null }, { "id": "CosmicDoor", "display_name": "CosmicDoor", "target": null }, { "id": "RooTroy", "display_name": "RooTroy", "target": null }, { "id": "RealTimeTroy", "display_name": "RealTimeTroy", "target": null }, { "id": "SneakMain", "display_name": "SneakMain", "target": null }, { "id": "SysPhon", "display_name": "SysPhon", "target": null }, { "id": "SilentSiphon", "display_name": "SilentSiphon", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1559.001", "name": "Component Object Model", "display_name": "T1559.001 - Component Object Model" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Technology", "Finance" ], "TLP": "white", "cloned_from": "69003b85c217870cc5794cc6", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 57, "FileHash-SHA1": 13, "FileHash-SHA256": 21, "URL": 28, "domain": 21, "hostname": 20 }, "indicator_count": 160, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "213 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6901bda4549c558a81dc00a5", "name": "IOC - Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs", "description": "Primarily focused on financial gain since its appearance, BlueNoroff (aka. Sapphire Sleet, APT38, Alluring Pisces, Stardust Chollima, and TA444) has adopted new infiltration strategies and malware sets over time, but it still targets blockchain developers, C-level executives, and managers within the Web3/blockchain industry as part of its SnatchCrypto operation. Earlier this year, we conducted research into two malicious campaigns by BlueNoroff under the SnatchCrypto operation, which we dubbed GhostCall and GhostHire.", "modified": "2025-10-29T07:09:24.634000", "created": "2025-10-29T07:09:24.634000", "tags": [ "googie llc", "cosmicdoor", "rust", "applescript", "teamsclutch", "microsoft teams", "downtroy v1", "safariupdate", "python", "rootroy chain" ], "references": [ "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 25, "FileHash-SHA256": 25, "URL": 25, "domain": 21, "hostname": 18 }, "indicator_count": 170, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "214 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69010d8cbf528688e76b28a6", "name": "BlueNoroff Targets High Value Victims with New infiltration Methods", "description": "MSTeamsUpdate.sh, Safari update, and other updates are all part of the BBC's Newsround programme, which is broadcast live on BBC One from Monday, 2:00 BST.", "modified": "2025-10-28T18:39:19.476000", "created": "2025-10-28T18:38:04.399000", "tags": [ "googie llc", "cosmicdoor", "rust", "applescript", "teamsclutch", "microsoft teams", "downtroy v1", "safariupdate", "python", "rootroy chain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 25, "FileHash-SHA256": 25, "URL": 25, "domain": 21, "hostname": 18 }, "indicator_count": 170, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "215 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Book2.csv", "https://www.acronis.com/en/tru/posts/acronis-tru-alliance-huntio-hunting-dprk-threats-new-global-lazarus-and-kimsuky-campaigns/", "https://securelist.ru/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/113883/", "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/", "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842", "https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered", "OCT.pdf" ], "related": { "alienvault": { "adversary": [ "Lazarus Group, Kimsuky", "Lazarus Group" ], "malware_families": [ "Webbrowserpassview", "Quasar rat", "Sysphon", "Mailpassview", "Downtroy", "Cosmicdoor", "Teamsclutch", "Badcall - s0245", "Realtimetroy", "Httptroy", "Silentsiphon", "Blindingcan - s0520", "Rootroy", "Zoomclutch", "Sneakmain" ], "industries": [ "Technology", "Finance" ] }, "other": { "adversary": [ "BlueNoroff", "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "Lazarus Group, Kimsuky", "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "Lazarus" ], "malware_families": [ "Webbrowserpassview", "Quasar rat", "Sysphon", "Mailpassview", "Downtroy", "Cosmicdoor", "Teamsclutch", "Badcall - s0245", "Realtimetroy", "Httptroy", "Kimsuky", "Blindingcan - s0520", "Silentsiphon", "Lazarus", "Rootroy", "Zoomclutch", "Sneakmain" ], "industries": [ "Technology", "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "6943cc1225854b7356ec39d2", "name": "Inside DPRK Operations: New Infrastructure Uncovered Across Global Campaigns", "description": "North Korean state-sponsored threat actors, including Lazarus and Kimsuky, continue to conduct widespread hacking operations for intelligence gathering, financial gain, and access. The investigation uncovered previously unconnected operational assets, revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked infrastructure. Key findings include a new Linux variant of the Badcall backdoor, extensive credential harvesting toolkits in open directories, and widespread deployment of Fast Reverse Proxy (FRP) instances. The analysis highlights consistent operational patterns across DPRK campaigns, such as reusing infrastructure, deploying identical FRP configurations, and leveraging shared certificates, providing defenders with actionable intelligence to proactively track DPRK activity.", "modified": "2026-01-17T09:01:20.119000", "created": "2025-12-18T09:40:34.326000", "tags": [ "dprk", "mailpassview", "blindingcan", "vps", "badcall", "quasar rat" ], "references": [ "https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered" ], "public": 1, "adversary": "Lazarus Group, Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "BADCALL - S0245", "display_name": "BADCALL - S0245", "target": null }, { "id": "HttpTroy", "display_name": "HttpTroy", "target": null }, { "id": "BLINDINGCAN - S0520", "display_name": "BLINDINGCAN - S0520", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "MailPassView", "display_name": "MailPassView", "target": null }, { "id": "WebBrowserPassView", "display_name": "WebBrowserPassView", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "domain": 1 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 386597, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69003b85c217870cc5794cc6", "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs", "description": "BlueNoroff, a financially motivated threat actor, has been conducting two sophisticated campaigns dubbed GhostCall and GhostHire. GhostCall targets macOS devices of tech executives and venture capitalists through fake Zoom-like meetings, while GhostHire targets Web3 developers through fake recruitment processes. Both campaigns utilize various malware chains, including ZoomClutch, DownTroy, CosmicDoor, RooTroy, and SilentSiphon. The attacks involve social engineering, AI-enhanced images, and multi-stage malware deployment across Windows, macOS, and Linux systems. BlueNoroff has expanded its focus beyond cryptocurrency theft to comprehensive data acquisition, enabling supply chain attacks and leveraging established trust relationships for broader impact.", "modified": "2025-10-28T09:30:13.914000", "created": "2025-10-28T03:41:57.869000", "tags": [ "zoomclutch", "rootroy", "sysphon", "silentsiphon", "sneakmain", "cosmicdoor", "cryptocurrency" ], "references": [ "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [ "Australia", "British Indian Ocean Territory", "France", "Hong Kong", "India", "Italy", "Japan", "Singapore", "Spain", "Sweden" ], "malware_families": [ { "id": "ZoomClutch", "display_name": "ZoomClutch", "target": null }, { "id": "TeamsClutch", "display_name": "TeamsClutch", "target": null }, { "id": "DownTroy", "display_name": "DownTroy", "target": null }, { "id": "CosmicDoor", "display_name": "CosmicDoor", "target": null }, { "id": "RooTroy", "display_name": "RooTroy", "target": null }, { "id": "RealTimeTroy", "display_name": "RealTimeTroy", "target": null }, { "id": "SneakMain", "display_name": "SneakMain", "target": null }, { "id": "SysPhon", "display_name": "SysPhon", "target": null }, { "id": "SilentSiphon", "display_name": "SilentSiphon", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1559.001", "name": "Component Object Model", "display_name": "T1559.001 - Component Object Model" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Technology", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 57, "FileHash-SHA1": 13, "FileHash-SHA256": 21, "URL": 28, "domain": 21, "hostname": 20 }, "indicator_count": 160, "is_author": false, "is_subscribing": null, "subscriber_count": 386594, "modified_text": "215 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6948bbc02cfac76276a88a2a", "name": "sfeffdfdddf", "description": "", "modified": "2026-01-21T03:08:45.079000", "created": "2025-12-22T03:32:13.853000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 4, "domain": 1 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "130 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6947ad3d824fe76885da743b", "name": "Inside DPRK Operations: New Lazarus and Kimsuky Infrastructure Uncovered Across Global Campaigns", "description": "Recent investigations into North Korean hacker operations have revealed the ongoing activities of groups such as Lazarus and Kimsuky. These state-sponsored cyber actors exploit sophisticated techniques for intelligence gathering, financial gain, and broader operational purposes. Their campaigns exhibit distinctive patterns, employing open directory structures as staging nodes, consistent use of credential harvesting tools, and repeating malicious infrastructure across various global campaigns.\n\nOne of the critical findings relates to the Badcall backdoor, which is linked to Lazarus operations. The Linux variant of Badcall played a notable role in the 2023 3CX supply-chain attack, indicating the malware's adaptability in shift and post-exploitation scenarios. Lazarus operations have also leveraged open directories containing a trove of credential-theft kits disguised as legitimate tools.", "modified": "2026-01-20T08:04:26.478000", "created": "2025-12-21T08:18:05.804000", "tags": [ "lazarus", "dprk", "lazarus group", "or ip", "kimsuky", "frp host", "ioc hunter", "hunt", "new lazarus", "variant", "quasar rat", "bluenoroff", "mailpassview", "stealc", "cluster", "defender", "blindingcan", "format", "passwordfox", "netpass", "dialupass", "august", "python", "hunter", "malware", "quasar", "poolrat", "inside", "linux", "badcall", "hunt.io" ], "references": [ "https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 12, "domain": 2 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "131 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694651bb66f152fd6154aa24", "name": "Hunting DPRK threats - New Global Lazarus & Kimsuky campaigns", "description": "Recent investigations into North Korean cyber threat actors, specifically the Lazarus and Kimsuky groups, reveal a series of sophisticated campaigns exploiting both operational patterns and advanced tools. These state-sponsored attackers are highly active and engage in a wide range of malicious activities, including espionage and financial theft, utilizing a shared toolkit comprising credential harvesting tools and malware.\n\nThe analysis disclosed notable operational methodologies of these groups. They routinely employ open directories as staging areas for their operations and exhibit consistent behaviors like deploying credential theft kits and using Fast Reverse Proxy (FRP) tunnels. These FRP setups operate on identical ports across various Virtual Private Servers (VPS), showcasing a shared infrastructure that simplifies tracking their activities despite the variations in malware and attack lures.", "modified": "2026-01-19T07:05:35.562000", "created": "2025-12-20T07:35:23.158000", "tags": [ "lazarus", "dprk", "lazarus group", "buttonfig", "frp host", "kimsuky", "ioc hunter", "badcall", "quasar rat", "variant", "bluenoroff", "mailpassview", "blindingcan", "main", "passwordfox", "netpass", "dialupass", "august", "python", "malware", "quasar", "poolrat", "hunt.io", "linux" ], "references": [ "https://www.acronis.com/en/tru/posts/acronis-tru-alliance-huntio-hunting-dprk-threats-new-global-lazarus-and-kimsuky-campaigns/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1587.003", "name": "Digital Certificates", "display_name": "T1587.003 - Digital Certificates" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 12, "domain": 2 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "132 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694b7787935986377b6067cf", "name": "Inside DPRK Operations: New Infrastructure Uncovered Across Global Campaigns", "description": "", "modified": "2026-01-17T09:01:20.119000", "created": "2025-12-24T05:17:59.940000", "tags": [ "dprk", "mailpassview", "blindingcan", "vps", "badcall", "quasar rat" ], "references": [ "https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered" ], "public": 1, "adversary": "Lazarus Group, Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "BADCALL - S0245", "display_name": "BADCALL - S0245", "target": null }, { "id": "HttpTroy", "display_name": "HttpTroy", "target": null }, { "id": "BLINDINGCAN - S0520", "display_name": "BLINDINGCAN - S0520", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "MailPassView", "display_name": "MailPassView", "target": null }, { "id": "WebBrowserPassView", "display_name": "WebBrowserPassView", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [], "TLP": "white", "cloned_from": "6943cc1225854b7356ec39d2", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "domain": 1 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6966340114e5dbd3decca476", "name": "TI Advisory No-ESAF-SOC-TI-2026-8", "description": "A look back at some of the most eye-catching snippets of this year's technology news:-a-year-old, in fact, has been described as \"epidemic\" by some.", "modified": "2026-01-13T12:01:05.055000", "created": "2026-01-13T12:01:05.055000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "domain": 526, "hostname": 682 }, "indicator_count": 1210, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "138 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6959adbcca6428aa9db7236e", "name": "TI Advisory No-ESAF-SOC-TI-2026-8", "description": "", "modified": "2026-01-04T00:01:00.758000", "created": "2026-01-04T00:01:00.758000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "domain": 537, "hostname": 887 }, "indicator_count": 1426, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "148 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691473b72eee91d1a6b22b4f", "name": "BlueNoroff Group cryptoaffair: \"ghost\" investments and bogus job offers", "description": "The BlueNoroff Group, known by various aliases including APT38 and TA444, has been actively targeting blockchain developers and Web3 executives through its operational campaigns, notably SnatchCrypto. A significant part of this operation involves the GhostCall and GhostHire campaigns, which exploit social engineering tactics. The GhostCall campaign, operational since mid-2023, employs deceptive video conferencing to recruit victims. Attackers masquerade as venture capitalists via platforms like Telegram, using compromised accounts of legitimate entrepreneurs. They initiate contact with potential targets and arrange meetings through spoofed Zoom links or direct messages, utilizing disguised phishing URLs. The attackers leverage multi-stage execution chains; the infection typically begins with the DownTroy malware, which downloads various self-contained executables, including keyloggers and data stealers like CosmicDoor and RooTroy.", "modified": "2025-12-12T11:04:05.038000", "created": "2025-11-12T11:47:02.981000", "tags": [ "apple macos", "apt", "bluenoroff", "chatgpt", "github", "linux", "microsoft windows", "telegram", "windows", "applescript", "zoom", "cosmicdoor", "downtroy", "rootroy", "gillyinjector", "base64", "macos", "rust", "python", "swift", "powershell", "path", "macho", "sapphire", "downexec", "exodus", "target", "agent", "installer", "ditto", "effect", "install", "premium", "zero", "konni", "themida", "lsass", "exodus web3", "lazarus", "huntress", "nim", "c https", "googie llc", "teamsclutch", "microsoft teams", "downtroy v1", "safariupdate" ], "references": [ "https://securelist.ru/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/113883/" ], "public": 1, "adversary": "BlueNoroff", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "FileHash-MD5": 57, "FileHash-SHA1": 25, "FileHash-SHA256": 33, "domain": 22, "hostname": 23 }, "indicator_count": 188, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "secondshop.store", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "secondshop.store", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780274251.495158 }