{ "type": "Domain", "indicator": "seenga.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/seenga.com", "alexa": "http://www.alexa.com/siteinfo/seenga.com", "indicator": "seenga.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4030140610, "indicator": "seenga.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "680680f666b6192de781c7f1", "name": "How Lumma Stealer sneaks into organizations", "description": "Lumma Stealer, a sophisticated information-stealing malware, has gained prominence in cybercriminal circles since 2022. It employs various distribution methods, with fake CAPTCHA pages being a notable vector. These pages mimic legitimate services and trick users into executing malicious commands. The malware uses complex infection chains involving PowerShell scripts, JavaScript, and AutoIt components to evade detection. Once installed, Lumma Stealer targets a wide range of sensitive data, including cryptocurrency wallets, browser credentials, and financial information. The malware's stealthy execution and anti-analysis techniques make it a significant threat to both individuals and organizations.", "modified": "2025-04-21T22:28:22.241000", "created": "2025-04-21T17:31:34.991000", "tags": [ "lumma stealer", "anti-analysis", "powershell", "fake captcha", "information stealer", "cryptocurrency theft", "autoit", "obfuscation" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274" ], "public": 1, "adversary": "Lumma", "targeted_countries": [ "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Finance", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 12, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 386459, "modified_text": "404 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653e8484ba7c285929cb5e0d", "name": "CERT.PL list of malicious domains", "description": "See: https://cert.pl/en/warning-list/\n\n(archived version here: https://web.archive.org/web/20231029161224/https://cert.pl/en/posts/2020/03/malicious_domains/)", "modified": "2026-05-30T07:58:43.913000", "created": "2023-10-29T16:12:52.580000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Poland" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 169093, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "tomtomalien", "id": "258713", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_258713/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 156498, "domain": 371707 }, "indicator_count": 528205, "is_author": false, "is_subscribing": null, "subscriber_count": 474, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680c1a2539b381ea9fbe7054", "name": "InQuest - 25-04-2025", "description": "", "modified": "2025-05-25T23:00:17.763000", "created": "2025-04-25T23:26:29.483000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "URL": 236, "FileHash-SHA1": 24, "FileHash-SHA256": 814, "domain": 54, "FileHash-MD5": 26 }, "indicator_count": 1196, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "370 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680ac7dd8edc8c55be961a6d", "name": "InQuest - 24-04-2025", "description": "", "modified": "2025-05-24T23:00:39.177000", "created": "2025-04-24T23:23:09.843000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 879, "FileHash-MD5": 33, "hostname": 67, "URL": 426, "domain": 113, "FileHash-SHA1": 24 }, "indicator_count": 1542, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6818f46dd65fe9f5628b6deb", "name": "Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics", "description": "", "modified": "2025-05-05T17:25:01.415000", "created": "2025-05-05T17:25:01.415000", "tags": [ "ctia type", "date", "april", "time", "update", "siem", "keep anti", "virus endpoint", "detection", "check", "test" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 8 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "390 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6814bb1dc645da1b5d4e1228", "name": "Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics", "description": "", "modified": "2025-05-02T12:34:36.004000", "created": "2025-05-02T12:31:25.355000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 7, "hostname": 5, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68144719ce06e61f72f4b24d", "name": "Lumma Stealer \u2013 Tracking distribution channels", "description": "", "modified": "2025-05-02T04:16:25.940000", "created": "2025-05-02T04:16:25.940000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": "68130b0a09b695605a0065a0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68130b0a09b695605a0065a0", "name": "Lumma Stealer \u2013 Tracking distribution channels", "description": "", "modified": "2025-05-01T05:47:54.846000", "created": "2025-05-01T05:47:54.846000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": "6807a23302e3a26f9b32c891", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "394 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68085933d995e64eaee31209", "name": "How Lumma Stealer sneaks into organizations", "description": "", "modified": "2025-04-23T03:06:27.966000", "created": "2025-04-23T03:06:27.966000", "tags": [ "lumma stealer", "anti-analysis", "powershell", "fake captcha", "information stealer", "cryptocurrency theft", "autoit", "obfuscation" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274" ], "public": 1, "adversary": "Lumma", "targeted_countries": [ "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Finance", "Government" ], "TLP": "white", "cloned_from": "680680f666b6192de781c7f1", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 12, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "402 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6807a23302e3a26f9b32c891", "name": "How Lumma Stealer sneaks into organizations | Securelist", "description": "Security company Kaspersky has discovered a sophisticated and sophisticated information stealer, known as Lumma, that is being used by cybercriminals to steal data from people around the world and sell it on dark web marketplaces.", "modified": "2025-04-22T14:05:39.893000", "created": "2025-04-22T14:05:39.893000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "403 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/", "https://labs.inquest.net/iocdb", "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274" ], "related": { "alienvault": { "adversary": [ "Lumma" ], "malware_families": [ "Lumma stealer" ], "industries": [ "Finance", "Government" ] }, "other": { "adversary": [ "Lumma" ], "malware_families": [ "Captcha", "Lumma", "\u2019m", "Lumma stealer", "Downloads" ], "industries": [ "Finance", "Government", "Logistics", "Maritime" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "680680f666b6192de781c7f1", "name": "How Lumma Stealer sneaks into organizations", "description": "Lumma Stealer, a sophisticated information-stealing malware, has gained prominence in cybercriminal circles since 2022. It employs various distribution methods, with fake CAPTCHA pages being a notable vector. These pages mimic legitimate services and trick users into executing malicious commands. The malware uses complex infection chains involving PowerShell scripts, JavaScript, and AutoIt components to evade detection. Once installed, Lumma Stealer targets a wide range of sensitive data, including cryptocurrency wallets, browser credentials, and financial information. The malware's stealthy execution and anti-analysis techniques make it a significant threat to both individuals and organizations.", "modified": "2025-04-21T22:28:22.241000", "created": "2025-04-21T17:31:34.991000", "tags": [ "lumma stealer", "anti-analysis", "powershell", "fake captcha", "information stealer", "cryptocurrency theft", "autoit", "obfuscation" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274" ], "public": 1, "adversary": "Lumma", "targeted_countries": [ "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Finance", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 12, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 386459, "modified_text": "404 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653e8484ba7c285929cb5e0d", "name": "CERT.PL list of malicious domains", "description": "See: https://cert.pl/en/warning-list/\n\n(archived version here: https://web.archive.org/web/20231029161224/https://cert.pl/en/posts/2020/03/malicious_domains/)", "modified": "2026-05-30T07:58:43.913000", "created": "2023-10-29T16:12:52.580000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Poland" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 169093, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "tomtomalien", "id": "258713", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_258713/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 156498, "domain": 371707 }, "indicator_count": 528205, "is_author": false, "is_subscribing": null, "subscriber_count": 474, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680c1a2539b381ea9fbe7054", "name": "InQuest - 25-04-2025", "description": "", "modified": "2025-05-25T23:00:17.763000", "created": "2025-04-25T23:26:29.483000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "URL": 236, "FileHash-SHA1": 24, "FileHash-SHA256": 814, "domain": 54, "FileHash-MD5": 26 }, "indicator_count": 1196, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "370 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680ac7dd8edc8c55be961a6d", "name": "InQuest - 24-04-2025", "description": "", "modified": "2025-05-24T23:00:39.177000", "created": "2025-04-24T23:23:09.843000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 879, "FileHash-MD5": 33, "hostname": 67, "URL": 426, "domain": 113, "FileHash-SHA1": 24 }, "indicator_count": 1542, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6818f46dd65fe9f5628b6deb", "name": "Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics", "description": "", "modified": "2025-05-05T17:25:01.415000", "created": "2025-05-05T17:25:01.415000", "tags": [ "ctia type", "date", "april", "time", "update", "siem", "keep anti", "virus endpoint", "detection", "check", "test" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 8 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "390 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6814bb1dc645da1b5d4e1228", "name": "Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics", "description": "", "modified": "2025-05-02T12:34:36.004000", "created": "2025-05-02T12:31:25.355000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 7, "hostname": 5, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68144719ce06e61f72f4b24d", "name": "Lumma Stealer \u2013 Tracking distribution channels", "description": "", "modified": "2025-05-02T04:16:25.940000", "created": "2025-05-02T04:16:25.940000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": "68130b0a09b695605a0065a0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68130b0a09b695605a0065a0", "name": "Lumma Stealer \u2013 Tracking distribution channels", "description": "", "modified": "2025-05-01T05:47:54.846000", "created": "2025-05-01T05:47:54.846000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": "6807a23302e3a26f9b32c891", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "394 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68085933d995e64eaee31209", "name": "How Lumma Stealer sneaks into organizations", "description": "", "modified": "2025-04-23T03:06:27.966000", "created": "2025-04-23T03:06:27.966000", "tags": [ "lumma stealer", "anti-analysis", "powershell", "fake captcha", "information stealer", "cryptocurrency theft", "autoit", "obfuscation" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274" ], "public": 1, "adversary": "Lumma", "targeted_countries": [ "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Finance", "Government" ], "TLP": "white", "cloned_from": "680680f666b6192de781c7f1", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 12, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "402 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6807a23302e3a26f9b32c891", "name": "How Lumma Stealer sneaks into organizations | Securelist", "description": "Security company Kaspersky has discovered a sophisticated and sophisticated information stealer, known as Lumma, that is being used by cybercriminals to steal data from people around the world and sell it on dark web marketplaces.", "modified": "2025-04-22T14:05:39.893000", "created": "2025-04-22T14:05:39.893000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "403 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "seenga.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "seenga.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780184992.4397762 }