{ "type": "Domain", "indicator": "sendwatcherzzv.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/sendwatcherzzv.com", "alexa": "http://www.alexa.com/siteinfo/sendwatcherzzv.com", "indicator": "sendwatcherzzv.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4224011595, "indicator": "sendwatcherzzv.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "69ba9942f4e039fc3fb159b8", "name": "OCRFix botnet hides C2 in BNB Smart Chain contract", "description": "The OCRFix botnet exemplifies a sophisticated attack chain utilizing the BNB Smart Chain testnet to conceal its command and control (C2) infrastructure within smart contracts. This three-stage botnet employs JSON-RPC to query these smart contracts at runtime for the C2 domain, allowing seamless infrastructure updates through simple blockchain transactions. Notably, the malware's design necessitates no binary updates on infected machines; they simply check in for updates at defined intervals.", "modified": "2026-04-17T12:01:36.366000", "created": "2026-03-18T12:23:30.394000", "tags": [ "clickfix", "botnet", "malware", "vbscript", "etherhiding", "blockchain", "reverse-engineering", "c2 backend", "cfgmgr", "march", "layer", "c2 url", "stage", "uuid", "js loader", "cfghelper", "vbs payload", "wave", "persistence", "winrar", "vidar", "rhadamanthys", "stages", "defender", "msi", "php", "reobfuscation", "vbs", "bsc testnet", "context", "njalla", "c2 traffic", "stat", "win32", "win64" ], "references": [ "https://www.derp.ca/research/ocrfix-etherhiding-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1166", "name": "Setuid and Setgid", "display_name": "T1166 - Setuid and Setgid" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [ "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "domain": 18, "hostname": 2 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.derp.ca/research/ocrfix-etherhiding-botnet/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [ "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "69ba9942f4e039fc3fb159b8", "name": "OCRFix botnet hides C2 in BNB Smart Chain contract", "description": "The OCRFix botnet exemplifies a sophisticated attack chain utilizing the BNB Smart Chain testnet to conceal its command and control (C2) infrastructure within smart contracts. This three-stage botnet employs JSON-RPC to query these smart contracts at runtime for the C2 domain, allowing seamless infrastructure updates through simple blockchain transactions. Notably, the malware's design necessitates no binary updates on infected machines; they simply check in for updates at defined intervals.", "modified": "2026-04-17T12:01:36.366000", "created": "2026-03-18T12:23:30.394000", "tags": [ "clickfix", "botnet", "malware", "vbscript", "etherhiding", "blockchain", "reverse-engineering", "c2 backend", "cfgmgr", "march", "layer", "c2 url", "stage", "uuid", "js loader", "cfghelper", "vbs payload", "wave", "persistence", "winrar", "vidar", "rhadamanthys", "stages", "defender", "msi", "php", "reobfuscation", "vbs", "bsc testnet", "context", "njalla", "c2 traffic", "stat", "win32", "win64" ], "references": [ "https://www.derp.ca/research/ocrfix-etherhiding-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1166", "name": "Setuid and Setgid", "display_name": "T1166 - Setuid and Setgid" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [ "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "domain": 18, "hostname": 2 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "sendwatcherzzv.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "sendwatcherzzv.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780255479.0677693 }