{
  "type": "Domain",
  "indicator": "securedownloadfiles.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/securedownloadfiles.com",
    "alexa": "http://www.alexa.com/siteinfo/securedownloadfiles.com",
    "indicator": "securedownloadfiles.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4073077532,
      "indicator": "securedownloadfiles.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "68af30b96e802c733e0c8b8a",
          "name": "UNC Cluster Targeting South Asian Countries",
          "description": "A South Asian APT group has been consistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. The operation involves phishing campaigns using military-themed lures to compromise phones of military personnel. The attackers employ various tactics, including PDF phishing documents, fake login pages for government and military organizations, and malicious Android apps. The Android malware, based on the Rafel Rat, steals information and provides remote access. Victims are primarily from South Asian countries, with stolen data including SMS messages, contact lists, and documents. The operation also uses Windows malware with the same command and control infrastructure.",
          "modified": "2025-08-27T19:32:13.204000",
          "created": "2025-08-27T16:22:17.263000",
          "tags": [
            "android malware",
            "rafel rat",
            "information stealer",
            "credential theft",
            "phishing",
            "military targets",
            "south asian apt",
            "remote access"
          ],
          "references": [
            "https://strikeready.com/blog/apt-android-phishing-microsoft"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Bangladesh",
            "British Indian Ocean Territory",
            "India",
            "Pakistan",
            "Sri Lanka"
          ],
          "malware_families": [
            {
              "id": "Rafel Rat",
              "display_name": "Rafel Rat",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Defense",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 49,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 23,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 5,
            "domain": 12,
            "hostname": 36
          },
          "indicator_count": 86,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387149,
          "modified_text": "279 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68aef29ab2d06e6cba9971e4",
          "name": "Strike Ready",
          "description": "A South Asian APT has been targeting military-adjacent people in Pakistan, Sri Lanka and Turkey, exposing novel tooling and a new generation of malware that targets those who work in the military.",
          "modified": "2025-08-27T11:57:14.297000",
          "created": "2025-08-27T11:57:14.297000",
          "tags": [
            "#apt #india #pakistan #bangladesh #srilanka #turkey #apk",
            "strong",
            "general",
            "dgdp",
            "bangladesh",
            "government",
            "bangladesh air",
            "figure",
            "ministry",
            "chief",
            "army staff",
            "android",
            "phishing",
            "decoy",
            "demo",
            "phish",
            "first",
            "demon",
            "rafel rat",
            "april",
            "february",
            "asian",
            "rafel"
          ],
          "references": [
            "https://strikeready.com/blog/apt-android-phishing-microsoft/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Sri Lanka",
            "Bangladesh",
            "Pakistan",
            "T\u00fcrkiye"
          ],
          "malware_families": [
            {
              "id": "Asian",
              "display_name": "Asian",
              "target": null
            },
            {
              "id": "Rafel",
              "display_name": "Rafel",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 23,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 5,
            "domain": 14,
            "hostname": 36
          },
          "indicator_count": 88,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "280 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68ac0946e610dfc8e94effb2",
          "name": "APT: Android, Phishing, microsofT.",
          "description": "A South Asian Advanced Persistent Threat (APT) group has been actively targeting individuals associated with military and defense sectors in Sri Lanka, Bangladesh, Pakistan, and Turkey. This threat actor employs a combination of sophisticated techniques to compromise mobile devices, particularly Android phones. The group's infrastructure and novel malware tooling have been designed to bypass security measures and facilitate espionage operations.",
          "modified": "2025-08-25T06:57:10.605000",
          "created": "2025-08-25T06:57:10.605000",
          "tags": [
            "strong",
            "general",
            "dgdp",
            "bangladesh",
            "government",
            "bangladesh air",
            "figure",
            "ministry",
            "chief",
            "army staff",
            "android",
            "phishing",
            "decoy",
            "demo",
            "phish",
            "first",
            "demon",
            "rafel rat",
            "april",
            "february",
            "asian",
            "rafel"
          ],
          "references": [
            "https://strikeready.com/blog/apt-android-phishing-microsoft/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 23,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 5,
            "domain": 15,
            "hostname": 62,
            "email": 4
          },
          "indicator_count": 117,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "282 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://strikeready.com/blog/apt-android-phishing-microsoft/",
        "https://strikeready.com/blog/apt-android-phishing-microsoft"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Rafel rat"
          ],
          "industries": [
            "Government",
            "Defense"
          ]
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Asian",
            "Rafel"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "68af30b96e802c733e0c8b8a",
      "name": "UNC Cluster Targeting South Asian Countries",
      "description": "A South Asian APT group has been consistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. The operation involves phishing campaigns using military-themed lures to compromise phones of military personnel. The attackers employ various tactics, including PDF phishing documents, fake login pages for government and military organizations, and malicious Android apps. The Android malware, based on the Rafel Rat, steals information and provides remote access. Victims are primarily from South Asian countries, with stolen data including SMS messages, contact lists, and documents. The operation also uses Windows malware with the same command and control infrastructure.",
      "modified": "2025-08-27T19:32:13.204000",
      "created": "2025-08-27T16:22:17.263000",
      "tags": [
        "android malware",
        "rafel rat",
        "information stealer",
        "credential theft",
        "phishing",
        "military targets",
        "south asian apt",
        "remote access"
      ],
      "references": [
        "https://strikeready.com/blog/apt-android-phishing-microsoft"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Bangladesh",
        "British Indian Ocean Territory",
        "India",
        "Pakistan",
        "Sri Lanka"
      ],
      "malware_families": [
        {
          "id": "Rafel Rat",
          "display_name": "Rafel Rat",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Defense",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 49,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 23,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 5,
        "domain": 12,
        "hostname": 36
      },
      "indicator_count": 86,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387149,
      "modified_text": "279 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68aef29ab2d06e6cba9971e4",
      "name": "Strike Ready",
      "description": "A South Asian APT has been targeting military-adjacent people in Pakistan, Sri Lanka and Turkey, exposing novel tooling and a new generation of malware that targets those who work in the military.",
      "modified": "2025-08-27T11:57:14.297000",
      "created": "2025-08-27T11:57:14.297000",
      "tags": [
        "#apt #india #pakistan #bangladesh #srilanka #turkey #apk",
        "strong",
        "general",
        "dgdp",
        "bangladesh",
        "government",
        "bangladesh air",
        "figure",
        "ministry",
        "chief",
        "army staff",
        "android",
        "phishing",
        "decoy",
        "demo",
        "phish",
        "first",
        "demon",
        "rafel rat",
        "april",
        "february",
        "asian",
        "rafel"
      ],
      "references": [
        "https://strikeready.com/blog/apt-android-phishing-microsoft/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Sri Lanka",
        "Bangladesh",
        "Pakistan",
        "T\u00fcrkiye"
      ],
      "malware_families": [
        {
          "id": "Asian",
          "display_name": "Asian",
          "target": null
        },
        {
          "id": "Rafel",
          "display_name": "Rafel",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 23,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 5,
        "domain": 14,
        "hostname": 36
      },
      "indicator_count": 88,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "280 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68ac0946e610dfc8e94effb2",
      "name": "APT: Android, Phishing, microsofT.",
      "description": "A South Asian Advanced Persistent Threat (APT) group has been actively targeting individuals associated with military and defense sectors in Sri Lanka, Bangladesh, Pakistan, and Turkey. This threat actor employs a combination of sophisticated techniques to compromise mobile devices, particularly Android phones. The group's infrastructure and novel malware tooling have been designed to bypass security measures and facilitate espionage operations.",
      "modified": "2025-08-25T06:57:10.605000",
      "created": "2025-08-25T06:57:10.605000",
      "tags": [
        "strong",
        "general",
        "dgdp",
        "bangladesh",
        "government",
        "bangladesh air",
        "figure",
        "ministry",
        "chief",
        "army staff",
        "android",
        "phishing",
        "decoy",
        "demo",
        "phish",
        "first",
        "demon",
        "rafel rat",
        "april",
        "february",
        "asian",
        "rafel"
      ],
      "references": [
        "https://strikeready.com/blog/apt-android-phishing-microsoft/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 23,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 5,
        "domain": 15,
        "hostname": 62,
        "email": 4
      },
      "indicator_count": 117,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "282 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "securedownloadfiles.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "securedownloadfiles.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780506340.7249277
}