{ "type": "Domain", "indicator": "serialmenot.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/serialmenot.com", "alexa": "http://www.alexa.com/siteinfo/serialmenot.com", "indicator": "serialmenot.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4214237618, "indicator": "serialmenot.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69ea29a2df2a3f26872b6e15", "name": "DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers", "description": "DinDoor is a Deno-based backdoor delivered via MSI files that exploits the Deno runtime to execute obfuscated JavaScript for command and control communications and system fingerprinting. Two analyzed samples show different execution behaviors: one writes JavaScript to disk while the other executes entirely in memory. Both samples use identical fingerprinting algorithms generating unique victim identifiers. One sample contains an embedded JWT exposing campaign metadata and the domain serialmenot[.]com, identified as multi-tenant infrastructure serving multiple threat actors including state-sponsored groups and cybercriminals. Analysis of HTTP response headers enabled identification of 20 active C2 servers across 15 autonomous systems, many using bulletproof hosting providers. The malicious infrastructure uses Caddy proxy with distinctive headers allowing network-based detection.", "modified": "2026-04-24T09:10:39.383000", "created": "2026-04-23T14:16:02.952000", "tags": [ "castleloader", "deno runtime", "caddy proxy", "tsundere botnet" ], "references": [ "https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "United States of America", "Russian Federation" ], "malware_families": [ { "id": "DinDoor", "display_name": "DinDoor", "target": null }, { "id": "Tsundere Botnet", "display_name": "Tsundere Botnet", "target": null }, { "id": "CastleLoader", "display_name": "CastleLoader", "target": null }, { "id": "CastleRAT", "display_name": "CastleRAT", "target": null }, { "id": "ChainShell", "display_name": "ChainShell", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "IPv4": 17, "URL": 1, "domain": 11, "hostname": 4 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 378952, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e2417dcac9587a626c98a2", "name": "Iranian APT Seedworm Targets Global Organizations via Microsoft Teams", "description": "In late February 2026, following escalating Middle East tensions and coordinated military actions, Iranian APT group Seedworm launched sophisticated social engineering attacks via Microsoft Teams. Attackers impersonated IT support personnel using deceptive Microsoft 365 tenant domains to convince victims to execute malicious MSI installers. The campaign deployed a custom backdoor called Dindoor, which leveraged legitimate Deno runtime to execute obfuscated payloads in-memory, minimizing detection. The operation included multiple components for persistence, command-and-control communications, and data exfiltration. Infrastructure overlapped with previously reported MuddyWater operations. The attack demonstrates the group's evolution in using collaboration platforms as initial access vectors while combining dual-use tooling with living-off-the-land techniques to bypass traditional security controls.", "modified": "2026-04-20T11:06:56.073000", "created": "2026-04-17T14:19:41.824000", "tags": [ "muddywater infrastructure", "in-memory execution", "seedworm", "microsoft teams", "dindoor", "social engineering", "dindoor backdoor", "iran apt", "deno runtime", "dinodance" ], "references": [ "https://www.cyberproof.com/blog/iranian-apt-seedworm-targets-global-organizations-via-microsoft-teams/" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [], "malware_families": [ { "id": "Dindoor", "display_name": "Dindoor", "target": null }, { "id": "DINODANCE", "display_name": "DINODANCE", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 26, "URL": 2, "domain": 1, "hostname": 2 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 378951, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ba8419321e1d3c9be7c4cc", "name": "Casting a Wider Net: Scaling Threat", "description": "LeakNet, a ransomware operator, has expanded its initial access methods by utilizing ClickFix lures on compromised websites and implementing a new Deno-based, in-memory loader. The group has shifted from relying on initial access brokers to running its own campaigns. LeakNet's post-exploitation playbook remains consistent, involving jli.dll side-loading, PsExec-based lateral movement, and S3 bucket payload staging. The Deno loader executes base64-encoded payloads in memory, making detection challenging for traditional security tools. Defenders are advised to focus on behavioral signals and implement measures such as blocking newly registered domains, restricting Win-R access, and limiting PsExec usage to authorized administrators.", "modified": "2026-04-17T10:17:31.095000", "created": "2026-03-18T10:53:13.088000", "tags": [ "side-loading", "s3 bucket", "lateral movement", "clickfix", "deno", "social engineering", "in-memory execution", "ransomware", "psexec" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat" ], "public": 1, "adversary": "LeakNet", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 11, "hostname": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 378952, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b14da6cb1bf921c7ac6d22", "name": "CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security", "description": "A sophisticated infection chain has been discovered that installs CastleRAT malware without leaving traces on disk. The attack uniquely abuses the Deno runtime as a malicious framework, combining social engineering, steganography, and in-memory execution to evade detection. The process involves tricking users into executing a command, installing Deno, running obfuscated JavaScript, and decoding a payload hidden in a JPEG image. CastleRAT then gains total control, performing host fingerprinting, keylogging, clipboard hijacking, digital identity theft, and audio/video surveillance. This campaign demonstrates the evolution of malware towards invisibility and the need for advanced endpoint behavioral monitoring to detect such threats.", "modified": "2026-04-10T11:44:23.220000", "created": "2026-03-11T11:10:30.530000", "tags": [ "clickfix", "social engineering", "castlerat", "deno", "javascript", "api abuse" ], "references": [ "https://www.threatdown.com/blog/castlerat-cyber-attack-is-the-first-to-abuse-deno-javascript-runtime-to-evade-enterprise-security/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CastleRAT", "display_name": "CastleRAT", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "domain": 1, "hostname": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 378952, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a9e3eea1d0b6fa8bf0f06d", "name": "Iranian APT on Networks of U.S. Bank, Airport, Software Company", "description": "Iranian APT group Seedworm has been active on networks of multiple U.S. companies since February 2026, targeting a bank, airport, software company, and NGOs. The group deployed new backdoors named Dindoor and Fakeset, signed with certificates previously linked to Seedworm. The activity occurs amid escalating tensions between the U.S., Israel, and Iran. Seedworm, known for espionage and information gathering, has broadened its scope to target various sectors globally. The article discusses recent Iranian cyber activities, potential future threats, and provides recommendations for defenders to prepare against DDoS, credential attacks, leaks, critical infrastructure attacks, and destructive operations.", "modified": "2026-03-06T11:28:56.048000", "created": "2026-03-05T20:13:34.917000", "tags": [ "pdq", "critical infrastructure", "u.s. targets", "httpsnoop", "fakeset", "iranian apt", "espionage", "dindoor", "backdoor", "cyberattack", "bibiwiper", "darkcomp", "phoenix", "cve-2023-6895", "cve-2017-7921", "stagecomp", "ddos", "data exfiltration", "apt", "geopolitical conflict" ], "references": [ "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "United States of America", "Canada", "Israel" ], "malware_families": [ { "id": "Dindoor", "display_name": "Dindoor", "target": null }, { "id": "Fakeset", "display_name": "Fakeset", "target": null }, { "id": "Stagecomp", "display_name": "Stagecomp", "target": null }, { "id": "Darkcomp", "display_name": "Darkcomp", "target": null }, { "id": "Phoenix", "display_name": "Phoenix", "target": null }, { "id": "PDQ", "display_name": "PDQ", "target": null }, { "id": "BibiWiper", "display_name": "BibiWiper", "target": null }, { "id": "HTTPSnoop", "display_name": "HTTPSnoop", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Defense", "Aerospace", "Government", "Transportation", "Technology", "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 25, "domain": 3, "hostname": 2 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 378954, "modified_text": "51 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ea03475dab7fe7a9ad2feb", "name": "DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers", "description": "Two samples of DinDoor malware were uploaded to public repositories, but they did not share code, according to research published by the security firm Hunt.io on Tuesday.. and published on Wednesday.", "modified": "2026-04-23T11:32:23.410000", "created": "2026-04-23T11:32:23.410000", "tags": [ "dindoor", "na na", "nl ip", "de ip", "deno", "caddy", "powershell", "muddywater", "jumpsec", "bl networks", "castleloader", "loader", "python", "february", "copy", "demo", "prospero", "encrypt", "path", "tsundere" ], "references": [ "https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Deno", "display_name": "Deno", "target": null }, { "id": "DinDoor", "display_name": "DinDoor", "target": null }, { "id": "MuddyWater", "display_name": "MuddyWater", "target": null }, { "id": "Tsundere", "display_name": "Tsundere", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Financial Services" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 20, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 1, "domain": 13, "hostname": 4 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 849, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e0c75ee5ca57ac39bdda56", "name": "EbeeApril2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-22T23:34:39.020000", "created": "2026-04-16T11:26:22.347000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "STX RAT, Deploying NetSupport RAT via Compromised Websites, AngrySpark, Abusing n8n platform", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 44, "CVE": 8, "FileHash-MD5": 223, "FileHash-SHA1": 235, "FileHash-SHA256": 214, "URL": 54, "domain": 70, "hostname": 64 }, "indicator_count": 912, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e67e0a9ba34ad5f57c143e", "name": "Iranian APT Seedworm Targets Global Organizations via Microsoft Teams", "description": "In late February 2026, following escalating Middle East tensions and coordinated military actions, Iranian APT group Seedworm launched sophisticated social engineering attacks via Microsoft Teams. Attackers impersonated IT support personnel using deceptive Microsoft 365 tenant domains to convince victims to execute malicious MSI installers. The campaign deployed a custom backdoor called Dindoor, which leveraged legitimate Deno runtime to execute obfuscated payloads in-memory, minimizing detection. The operation included multiple components for persistence, command-and-control communications, and data exfiltration. Infrastructure overlapped with previously reported MuddyWater operations.", "modified": "2026-04-22T19:32:00.233000", "created": "2026-04-20T19:27:06.899000", "tags": [ "muddywater infrastructure", "in-memory execution", "seedworm", "microsoft teams", "dindoor", "social engineering", "dindoor backdoor", "iran apt", "deno runtime", "dinodance" ], "references": [ "https://www.cyberproof.com/blog/iranian-apt-seedworm-targets-global-organizations-via-microsoft-teams/" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [], "malware_families": [ { "id": "Dindoor", "display_name": "Dindoor", "target": null }, { "id": "DINODANCE", "display_name": "DINODANCE", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "69e2417dcac9587a626c98a2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dylanroth7", "id": "285032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 26, "URL": 2, "domain": 1, "hostname": 2 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e6fb820c2c73386320bce2", "name": "Iranian APT Seedworm Targets Global Organizations via Microsoft Teams", "description": "", "modified": "2026-04-21T04:22:26.449000", "created": "2026-04-21T04:22:26.449000", "tags": [ "muddywater infrastructure", "in-memory execution", "seedworm", "microsoft teams", "dindoor", "social engineering", "dindoor backdoor", "iran apt", "deno runtime", "dinodance" ], "references": [ "https://www.cyberproof.com/blog/iranian-apt-seedworm-targets-global-organizations-via-microsoft-teams/" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [], "malware_families": [ { "id": "Dindoor", "display_name": "Dindoor", "target": null }, { "id": "DINODANCE", "display_name": "DINODANCE", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69e2417dcac9587a626c98a2", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 26, "URL": 2, "domain": 1, "hostname": 2 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b8f03b3216aa326067f7a0", "name": "HANDALA-Iranian Nexus Actor", "description": "", "modified": "2026-04-18T12:01:34.910000", "created": "2026-03-17T06:10:03.844000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 127, "FileHash-SHA1": 92, "FileHash-SHA256": 117, "URL": 19, "domain": 27, "hostname": 4 }, "indicator_count": 387, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbb1e7ff6cad955292ee7f", "name": "EbeeMar2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:20:55.172000", "tags": [ "filehashmd5", "filehashsha256", "filehashsha1", "computername", "date", "time", "username", "generatedbotid", "uwhi6jqzqh7", "encoded url" ], "references": [ "IOCs.2026.1.csv" ], "public": 1, "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "FileHash-MD5": 262, "FileHash-SHA1": 197, "FileHash-SHA256": 270, "CVE": 6, "domain": 58, "email": 4, "hostname": 52 }, "indicator_count": 907, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bb261032f1177789efc01f", "name": "Casting a Wider Net: Scaling Threat", "description": "", "modified": "2026-04-17T10:17:31.095000", "created": "2026-03-18T22:24:16.060000", "tags": [ "side-loading", "s3 bucket", "lateral movement", "clickfix", "deno", "social engineering", "in-memory execution", "ransomware", "psexec" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat" ], "public": 1, "adversary": "LeakNet", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "69ba8419321e1d3c9be7c4cc", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 11, "hostname": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 267, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ba3db9cc157531e1e3cd64", "name": "IOC - Casting a Wider Net: ClickFix, Deno, and LeakNet\u2019s Scaling Threat", "description": "Ransomware operator \u201cLeakNet\u201d is currently averaging about three victims per month, but it\u2019s scaling up and shifting tactics. In recent incidents we investigated, the group added a new initial access path and a new loader technique: \u201cClickFix\u201d lures hosted on compromised websites and a Deno-based, in-memory loader that most security tools won\u2019t catch. No matter how it gets in, LeakNet then follows the same post-exploitation steps: execution, lateral movement, and payload staging.", "modified": "2026-04-17T05:06:11.530000", "created": "2026-03-18T05:52:57.134000", "tags": [ "deno c2", "domain", "ip address", "clickfix domain", "c2 domain", "malicious s3", "websites", "bucket" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 121, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e0c5f7aa93975cc28fa3ca", "name": "EbeeApril2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-16T11:26:58.541000", "created": "2026-04-16T11:20:23.973000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "CVE": 6, "FileHash-MD5": 161, "FileHash-SHA1": 152, "FileHash-SHA256": 100, "IPv4": 115, "URL": 110, "domain": 104, "email": 4, "hostname": 76 }, "indicator_count": 829, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69df21138a1d38347c4bf0ca", "name": "IOC - ChainShell: MuddyWater\u2019s Russian MaaS Link", "description": "This report documents a direct operational link between the exposed infrastructure of Iranian threat actor MuddyWater and TAG-150 CastleRAT malware \u2013 a modular malware-as-a-service (MaaS) platform developed by Russian-speaking cybercriminals.\nThrough our analysis of a misconfigured C2 web server, 15 malware samples, and a novel PE payload, JUMPSEC assesses that MuddyWater operates at least two CastleRAT builds against Israeli targets with high confidence, and that they deploy additional TAG-150 JavaScript RAT variants from the same infrastructure with moderate confidence.", "modified": "2026-04-15T05:24:35.345000", "created": "2026-04-15T05:24:35.345000", "tags": [ "build", "chainshell", "castlerat build", "nsis installer", "microsoft", "deno maas", "c2 agent", "hvnc webview2", "symantec", "stagecomp", "leaknet" ], "references": [ "https://www.jumpsec.com/guides/chainshell-muddywater-russian-criminal-infrastructure/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 10, "URL": 2, "domain": 4 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 120, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2923253b8af4ceec99b0d", "name": "CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security - ThreatDown by Malwarebytes", "description": "Security firm ThreatDown has discovered a sophisticated new infection chain that installs malware without leaving a trace on disk, and is a significant milestone in offensive cyber-attack evolution, according to a recent investigation.", "modified": "2026-04-11T10:19:34.171000", "created": "2026-03-12T10:15:14.019000", "tags": [ "threatdown", "castlerat", "deno", "state", "detection", "cybercrime has", "machinescale", "deno javascript", "response", "partners", "malware", "service", "verify", "discord", "invisible", "powershell", "python", "nebula" ], "references": [ "https://www.threatdown.com/blog/castlerat-cyber-attack-is-the-first-to-abuse-deno-javascript-runtime-to-evade-enterprise-security/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CastleRAT", "display_name": "CastleRAT", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Jellybean123", "id": "359279", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "domain": 1, "hostname": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b292348d4f47754819379a", "name": "CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security", "description": "The CastleRAT malware campaign marks a significant advancement in cyber threat tactics, utilizing the Deno JavaScript runtime to execute its payload while evading detection by traditional security measures. This sophisticated infection chain begins with a social engineering tactic where victims are directed to a compromised webpage displaying misleading error messages or CAPTCHA prompts, compelling them to execute a command manually. This approach, known as \"ClickFix,\" enables attackers to bypass web security filters by having users willingly initiate the download of a malicious installer.", "modified": "2026-04-11T10:19:34.171000", "created": "2026-03-12T10:15:16.344000", "tags": [ "threatdown", "castlerat", "deno", "state", "detection", "cybercrime has", "machinescale", "deno javascript", "response", "partners", "malware", "service", "verify", "discord", "invisible", "powershell", "python", "nebula" ], "references": [ "https://www.threatdown.com/blog/castlerat-cyber-attack-is-the-first-to-abuse-deno-javascript-runtime-to-evade-enterprise-security/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CastleRAT", "display_name": "CastleRAT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "domain": 1, "hostname": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b9c7ae27bda6117e8e2bf8", "name": "CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security", "description": "", "modified": "2026-04-10T11:44:23.220000", "created": "2026-03-17T21:29:18.497000", "tags": [ "clickfix", "social engineering", "castlerat", "deno", "javascript", "api abuse" ], "references": [ "https://www.threatdown.com/blog/castlerat-cyber-attack-is-the-first-to-abuse-deno-javascript-runtime-to-evade-enterprise-security/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CastleRAT", "display_name": "CastleRAT", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69b14da6cb1bf921c7ac6d22", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "domain": 1, "hostname": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 267, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c2d25f22157c4f01760c98", "name": "Threat Intelligence Report: MANGO SANDSTORM Dindoor / Fakeset Campaign", "description": "In February 2026, the Iranian cyber espionage group MuddyWater, also known as Mango Sandstorm, executed a targeted intrusion campaign against select organizations in the U.S., Israel, and Canada. The campaign, revealed in March 2026, employed two primary malware tools: Dindoor, a backdoor utilizing the Deno runtime, and Fakeset, a Python-based implant. This operation was marked by the use of legitimate tools and cloud services to ensure persistent access and facilitate data exfiltration, aligning closely with Iranian state interests, notably the Ministry of Intelligence and Security (MOIS).", "modified": "2026-03-24T18:05:19.124000", "created": "2026-03-24T18:05:19.124000", "tags": [ "muddywater", "deno runtime", "powershell", "march", "dindoor", "fakeset", "rclone", "python", "analysis", "opens", "february", "mercury", "powgoop", "powerstats", "malware", "encrypt", "facebook", "muddyviper" ], "references": [ "https://krypt3ia.wordpress.com/2026/03/20/threat-intelligence-report-mango-sandstorm-indoor-fakeset-activity/" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [], "malware_families": [ { "id": "MuddyViper", "display_name": "MuddyViper", "target": null }, { "id": "Dindoor", "display_name": "Dindoor", "target": null }, { "id": "MuddyWater", "display_name": "MuddyWater", "target": null } ], "attack_ids": [ { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" } ], "industries": [ "Government", "Telecommunications", "Defense", "Energy", "Financial", "Transportation" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 25, "domain": 3 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 174, "modified_text": "33 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6997f55e26fbbb0ae347e1ec", "name": "Botnet_C2 | Feb 20, 2026 | Part 1/2", "description": "Botnet_C2 indicators. Date: Feb 20, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-03-22T05:05:35.370000", "created": "2026-02-20T05:47:10.246000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 355, "domain": 261, "URL": 298 }, "indicator_count": 914, "is_author": false, "is_subscribing": null, "subscriber_count": 71, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699762f427fe02bf824192ca", "name": "Botnet_C2 | Feb 20, 2026 | Part 1/2", "description": "Botnet_C2 indicators. Date: Feb 20, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-03-21T19:09:28.611000", "created": "2026-02-19T19:22:28.453000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 342, "domain": 252, "URL": 299 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699723c55f6e92db33521fe5", "name": "Botnet_C2 | Feb 20, 2026 | Part 1/2", "description": "Botnet_C2 indicators. Date: Feb 20, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-03-21T14:01:42.464000", "created": "2026-02-19T14:52:53.642000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 253, "hostname": 335, "URL": 299 }, "indicator_count": 887, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6997049690cb8412e84a63f0", "name": "Botnet_C2 | Feb 19, 2026 | Part 1/2", "description": "Botnet_C2 indicators. Date: Feb 19, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-03-21T12:15:40.099000", "created": "2026-02-19T12:39:50.752000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 245, "hostname": 334, "URL": 300 }, "indicator_count": 879, "is_author": false, "is_subscribing": null, "subscriber_count": 71, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996eec8a83ff76c8fe7dc9e", "name": "ThreatFix_domain_262", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-03-21T11:34:25.575000", "created": "2026-02-19T11:06:48.676000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "URL": 3, "domain": 2634, "hostname": 1822 }, "indicator_count": 4471, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69962e6338bcfc329ffecba6", "name": "Botnet_C2 | Feb 19, 2026 | Part 1/2", "description": "Botnet_C2 indicators. Date: Feb 19, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-03-20T21:04:33.994000", "created": "2026-02-18T21:25:55.254000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 345, "URL": 303, "domain": 254 }, "indicator_count": 902, "is_author": false, "is_subscribing": null, "subscriber_count": 71, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69956f84af1f40702ddc40f2", "name": "Botnet_C2 | Feb 18, 2026 | Part 1/2", "description": "Botnet_C2 indicators. Date: Feb 18, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-03-20T07:00:55.583000", "created": "2026-02-18T07:51:32.433000", "tags": [ "botnet_c2", "threatfox", "feodo-tracker" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 365, "domain": 339, "URL": 283 }, "indicator_count": 987, "is_author": false, "is_subscribing": null, "subscriber_count": 71, "modified_text": "37 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6995562720907e73e033ebd3", "name": "Botnet_C2 | Feb 18, 2026 | Part 1/2", "description": "Botnet_C2 indicators. Date: Feb 18, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-03-20T06:24:49.670000", "created": "2026-02-18T06:03:19.513000", "tags": [ "botnet_c2", "threatfox", "feodo-tracker" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 283, "domain": 348, "hostname": 368 }, "indicator_count": 999, "is_author": false, "is_subscribing": null, "subscriber_count": 71, "modified_text": "37 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbf7c4236a13aad8e68616", "name": "LeakNet ClickFix-Driven Ransomware Campaign", "description": "", "modified": "2026-03-19T13:19:00.182000", "created": "2026-03-19T13:19:00.182000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 10, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 489, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ae390cbed6e5f95e62c3ff", "name": "IOC - Iranian APT on Networks of U.S. Bank, Airport, Software Company", "description": "", "modified": "2026-03-09T03:05:48.882000", "created": "2026-03-09T03:05:48.882000", "tags": [ "pdq", "critical infrastructure", "u.s. targets", "httpsnoop", "fakeset", "iranian apt", "espionage", "dindoor", "backdoor", "cyberattack", "bibiwiper", "darkcomp", "phoenix", "cve-2023-6895", "cve-2017-7921", "stagecomp", "ddos", "data exfiltration", "apt", "geopolitical conflict" ], "references": [ "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us" ], "public": 1, "adversary": "Seedworm", "targeted_countries": [ "United States of America", "Canada", "Israel" ], "malware_families": [ { "id": "Dindoor", "display_name": "Dindoor", "target": null }, { "id": "Fakeset", "display_name": "Fakeset", "target": null }, { "id": "Stagecomp", "display_name": "Stagecomp", "target": null }, { "id": "Darkcomp", "display_name": "Darkcomp", "target": null }, { "id": "Phoenix", "display_name": "Phoenix", "target": null }, { "id": "PDQ", "display_name": "PDQ", "target": null }, { "id": "BibiWiper", "display_name": "BibiWiper", "target": null }, { "id": "HTTPSnoop", "display_name": "HTTPSnoop", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Defense", "Aerospace", "Government", "Transportation", "Technology", "Energy" ], "TLP": "white", "cloned_from": "69a9e3eea1d0b6fa8bf0f06d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 25, "domain": 3, "hostname": 2 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 125, "modified_text": "48 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69acdc8678f67a8a346af16e", "name": "Iranian APT on Networks of U.S. Bank, Airport, Software Company", "description": "", "modified": "2026-03-08T02:18:46.686000", "created": "2026-03-08T02:18:46.686000", "tags": [ "pdq", "critical infrastructure", "u.s. targets", "httpsnoop", "fakeset", "iranian apt", "espionage", "dindoor", "backdoor", "cyberattack", "bibiwiper", "darkcomp", "phoenix", "cve-2023-6895", "cve-2017-7921", "stagecomp", "ddos", "data exfiltration", "apt", "geopolitical conflict" ], "references": [ "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us" ], "public": 1, "adversary": "Seedworm", "targeted_countries": [ "United States of America", "Canada", "Israel" ], "malware_families": [ { "id": "Dindoor", "display_name": "Dindoor", "target": null }, { "id": "Fakeset", "display_name": "Fakeset", "target": null }, { "id": "Stagecomp", "display_name": "Stagecomp", "target": null }, { "id": "Darkcomp", "display_name": "Darkcomp", "target": null }, { "id": "Phoenix", "display_name": "Phoenix", "target": null }, { "id": "PDQ", "display_name": "PDQ", "target": null }, { "id": "BibiWiper", "display_name": "BibiWiper", "target": null }, { "id": "HTTPSnoop", "display_name": "HTTPSnoop", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Defense", "Aerospace", "Government", "Transportation", "Technology", "Energy" ], "TLP": "white", "cloned_from": "69a9e3eea1d0b6fa8bf0f06d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 25, "domain": 3, "hostname": 2 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 267, "modified_text": "49 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ac66128f7d265e2d1d986f", "name": "Seedworm Targets Critical Sectors Using Latest Backdoors", "description": "Seedworm compromises systems in critical sectors including airports and governments. The threat actor was observed to use state of the art backdoors named Dindoor and Fakeset that were signed with valid certificates.", "modified": "2026-03-07T17:53:22.170000", "created": "2026-03-07T17:53:22.170000", "tags": [ "ctia type", "date", "march", "time", "https" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 25, "domain": 3 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 489, "modified_text": "50 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996bc06cef9184978ed3d7c", "name": "PreCog Sweep - 2026-02-19 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T07:30:14.671000", "created": "2026-02-19T07:30:14.671000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 275, "URL": 40, "domain": 42 }, "indicator_count": 357, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996b4fc635165f7fbdb9e88", "name": "PreCog Sweep - 2026-02-19 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T07:00:12.716000", "created": "2026-02-19T07:00:12.716000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 239, "URL": 39, "domain": 56 }, "indicator_count": 334, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996adf71f12c22bd1234c45", "name": "PreCog Sweep - 2026-02-19 06h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T06:30:15.433000", "created": "2026-02-19T06:30:15.433000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 238, "URL": 39, "domain": 63 }, "indicator_count": 340, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996a6ee991133298aaedea9", "name": "PreCog Sweep - 2026-02-19 06h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T06:00:14.565000", "created": "2026-02-19T06:00:14.565000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 216, "domain": 64, "URL": 38 }, "indicator_count": 318, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69969fe73f5861993ed36925", "name": "PreCog Sweep - 2026-02-19 05h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T05:30:15.272000", "created": "2026-02-19T05:30:15.272000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 217, "domain": 64, "URL": 38 }, "indicator_count": 319, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699698dd0dd2035edce2d520", "name": "PreCog Sweep - 2026-02-19 05h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T05:00:13.645000", "created": "2026-02-19T05:00:13.645000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 213, "domain": 75, "URL": 39 }, "indicator_count": 327, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699691d69d2bb65640b1448c", "name": "PreCog Sweep - 2026-02-19 04h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T04:30:14.804000", "created": "2026-02-19T04:30:14.804000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 216, "domain": 75, "URL": 39 }, "indicator_count": 330, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69968ad094f9f6ec65cadc3b", "name": "PreCog Sweep - 2026-02-19 04h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T04:00:16.232000", "created": "2026-02-19T04:00:16.232000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 216, "domain": 75, "URL": 39 }, "indicator_count": 330, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699683cdaeb72809ceee9130", "name": "PreCog Sweep - 2026-02-19 03h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T03:30:21.942000", "created": "2026-02-19T03:30:21.942000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 216, "domain": 75, "URL": 39 }, "indicator_count": 330, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69967cc0dafbd6b40cd787a7", "name": "PreCog Sweep - 2026-02-19 03h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T03:00:16.555000", "created": "2026-02-19T03:00:16.555000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 213, "domain": 76, "URL": 39 }, "indicator_count": 328, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699675b7522b7ba0d1fc9928", "name": "PreCog Sweep - 2026-02-19 02h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T02:30:15.260000", "created": "2026-02-19T02:30:15.260000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 216, "domain": 76, "URL": 39 }, "indicator_count": 331, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69966eaee57f25c724fc531e", "name": "PreCog Sweep - 2026-02-19 02h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T02:00:14.709000", "created": "2026-02-19T02:00:14.709000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 216, "domain": 76, "URL": 39 }, "indicator_count": 331, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699667a5425494c6be113fea", "name": "PreCog Sweep - 2026-02-19 01h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T01:30:13.588000", "created": "2026-02-19T01:30:13.588000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 217, "domain": 76, "URL": 39 }, "indicator_count": 332, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996609f26998b8cd7527dec", "name": "PreCog Sweep - 2026-02-19 01h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T01:00:15.717000", "created": "2026-02-19T01:00:15.717000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 217, "domain": 76, "URL": 39 }, "indicator_count": 332, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699659978ad0a6f720fab965", "name": "PreCog Sweep - 2026-02-19 00h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T00:30:15.301000", "created": "2026-02-19T00:30:15.301000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 216, "domain": 78, "URL": 39 }, "indicator_count": 333, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69965291f79c41d29edc97ca", "name": "PreCog Sweep - 2026-02-19 00h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-19T00:00:17.813000", "created": "2026-02-19T00:00:17.813000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 211, "domain": 76, "URL": 40 }, "indicator_count": 327, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69964b8b06f1617346748355", "name": "PreCog Sweep - 2026-02-18 23h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-18T23:30:19.161000", "created": "2026-02-18T23:30:19.161000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 213, "domain": 76, "URL": 40 }, "indicator_count": 329, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996448341c518c749220789", "name": "PreCog Sweep - 2026-02-18 23h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-02-18T23:00:19.723000", "created": "2026-02-18T23:00:19.723000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 79, "hostname": 214, "URL": 40 }, "indicator_count": 333, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat", "https://www.jumpsec.com/guides/chainshell-muddywater-russian-criminal-infrastructure/", "IOCs.2026.1.csv", "https://www.cyberproof.com/blog/iranian-apt-seedworm-targets-global-organizations-via-microsoft-teams/", "IOCs.2026.4.csv", "https://ltna.com.au/cyber", "IOCs.2026.2.csv", "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us", "https://github.com/pduggusa/dugganusa-research", "https://www.threatdown.com/blog/castlerat-cyber-attack-is-the-first-to-abuse-deno-javascript-runtime-to-evade-enterprise-security/", "IOCs.April.pdf", "https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis", "https://krypt3ia.wordpress.com/2026/03/20/threat-intelligence-report-mango-sandstorm-indoor-fakeset-activity/" ], "related": { "alienvault": { "adversary": [ "LeakNet", "MuddyWater" ], "malware_families": [ "Fakeset", "Bibiwiper", "Stagecomp", "Dindoor", "Tsundere botnet", "Castleloader", "Chainshell", "Darkcomp", "Phoenix", "Dinodance", "Pdq", "Httpsnoop", "Castlerat" ], "industries": [ "Finance", "Transportation", "Aerospace", "Energy", "Defense", "Government", "Technology" ] }, "other": { "adversary": [ "MuddyWater", "Seedworm", "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2", "STX RAT, Deploying NetSupport RAT via Compromised Websites, AngrySpark, Abusing n8n platform", "LeakNet" ], "malware_families": [ "Fakeset", "Bibiwiper", "Tsundere", "Stagecomp", "Dindoor", "Deno", "Darkcomp", "Phoenix", "Httpsnoop", "Dinodance", "Pdq", "Qilin", "Muddywater", "Muddyviper", "Ransomhub", "Castlerat" ], "industries": [ "Telecommunications", "Transportation", "Finance", "Financial", "Aerospace", "Energy", "Government", "Defense", "Financial services", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69ea29a2df2a3f26872b6e15", "name": "DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers", "description": "DinDoor is a Deno-based backdoor delivered via MSI files that exploits the Deno runtime to execute obfuscated JavaScript for command and control communications and system fingerprinting. Two analyzed samples show different execution behaviors: one writes JavaScript to disk while the other executes entirely in memory. Both samples use identical fingerprinting algorithms generating unique victim identifiers. One sample contains an embedded JWT exposing campaign metadata and the domain serialmenot[.]com, identified as multi-tenant infrastructure serving multiple threat actors including state-sponsored groups and cybercriminals. Analysis of HTTP response headers enabled identification of 20 active C2 servers across 15 autonomous systems, many using bulletproof hosting providers. The malicious infrastructure uses Caddy proxy with distinctive headers allowing network-based detection.", "modified": "2026-04-24T09:10:39.383000", "created": "2026-04-23T14:16:02.952000", "tags": [ "castleloader", "deno runtime", "caddy proxy", "tsundere botnet" ], "references": [ "https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "United States of America", "Russian Federation" ], "malware_families": [ { "id": "DinDoor", "display_name": "DinDoor", "target": null }, { "id": "Tsundere Botnet", "display_name": "Tsundere Botnet", "target": null }, { "id": "CastleLoader", "display_name": "CastleLoader", "target": null }, { "id": "CastleRAT", "display_name": "CastleRAT", "target": null }, { "id": "ChainShell", "display_name": "ChainShell", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "IPv4": 17, "URL": 1, "domain": 11, "hostname": 4 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 378952, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e2417dcac9587a626c98a2", "name": "Iranian APT Seedworm Targets Global Organizations via Microsoft Teams", "description": "In late February 2026, following escalating Middle East tensions and coordinated military actions, Iranian APT group Seedworm launched sophisticated social engineering attacks via Microsoft Teams. Attackers impersonated IT support personnel using deceptive Microsoft 365 tenant domains to convince victims to execute malicious MSI installers. The campaign deployed a custom backdoor called Dindoor, which leveraged legitimate Deno runtime to execute obfuscated payloads in-memory, minimizing detection. The operation included multiple components for persistence, command-and-control communications, and data exfiltration. Infrastructure overlapped with previously reported MuddyWater operations. The attack demonstrates the group's evolution in using collaboration platforms as initial access vectors while combining dual-use tooling with living-off-the-land techniques to bypass traditional security controls.", "modified": "2026-04-20T11:06:56.073000", "created": "2026-04-17T14:19:41.824000", "tags": [ "muddywater infrastructure", "in-memory execution", "seedworm", "microsoft teams", "dindoor", "social engineering", "dindoor backdoor", "iran apt", "deno runtime", "dinodance" ], "references": [ "https://www.cyberproof.com/blog/iranian-apt-seedworm-targets-global-organizations-via-microsoft-teams/" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [], "malware_families": [ { "id": "Dindoor", "display_name": "Dindoor", "target": null }, { "id": "DINODANCE", "display_name": "DINODANCE", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 26, "URL": 2, "domain": 1, "hostname": 2 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 378951, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ba8419321e1d3c9be7c4cc", "name": "Casting a Wider Net: Scaling Threat", "description": "LeakNet, a ransomware operator, has expanded its initial access methods by utilizing ClickFix lures on compromised websites and implementing a new Deno-based, in-memory loader. The group has shifted from relying on initial access brokers to running its own campaigns. LeakNet's post-exploitation playbook remains consistent, involving jli.dll side-loading, PsExec-based lateral movement, and S3 bucket payload staging. The Deno loader executes base64-encoded payloads in memory, making detection challenging for traditional security tools. Defenders are advised to focus on behavioral signals and implement measures such as blocking newly registered domains, restricting Win-R access, and limiting PsExec usage to authorized administrators.", "modified": "2026-04-17T10:17:31.095000", "created": "2026-03-18T10:53:13.088000", "tags": [ "side-loading", "s3 bucket", "lateral movement", "clickfix", "deno", "social engineering", "in-memory execution", "ransomware", "psexec" ], "references": [ "https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat" ], "public": 1, "adversary": "LeakNet", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 11, "hostname": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 378952, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b14da6cb1bf921c7ac6d22", "name": "CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security", "description": "A sophisticated infection chain has been discovered that installs CastleRAT malware without leaving traces on disk. The attack uniquely abuses the Deno runtime as a malicious framework, combining social engineering, steganography, and in-memory execution to evade detection. The process involves tricking users into executing a command, installing Deno, running obfuscated JavaScript, and decoding a payload hidden in a JPEG image. CastleRAT then gains total control, performing host fingerprinting, keylogging, clipboard hijacking, digital identity theft, and audio/video surveillance. This campaign demonstrates the evolution of malware towards invisibility and the need for advanced endpoint behavioral monitoring to detect such threats.", "modified": "2026-04-10T11:44:23.220000", "created": "2026-03-11T11:10:30.530000", "tags": [ "clickfix", "social engineering", "castlerat", "deno", "javascript", "api abuse" ], "references": [ "https://www.threatdown.com/blog/castlerat-cyber-attack-is-the-first-to-abuse-deno-javascript-runtime-to-evade-enterprise-security/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CastleRAT", "display_name": "CastleRAT", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "domain": 1, "hostname": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 378952, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a9e3eea1d0b6fa8bf0f06d", "name": "Iranian APT on Networks of U.S. Bank, Airport, Software Company", "description": "Iranian APT group Seedworm has been active on networks of multiple U.S. companies since February 2026, targeting a bank, airport, software company, and NGOs. The group deployed new backdoors named Dindoor and Fakeset, signed with certificates previously linked to Seedworm. The activity occurs amid escalating tensions between the U.S., Israel, and Iran. Seedworm, known for espionage and information gathering, has broadened its scope to target various sectors globally. The article discusses recent Iranian cyber activities, potential future threats, and provides recommendations for defenders to prepare against DDoS, credential attacks, leaks, critical infrastructure attacks, and destructive operations.", "modified": "2026-03-06T11:28:56.048000", "created": "2026-03-05T20:13:34.917000", "tags": [ "pdq", "critical infrastructure", "u.s. targets", "httpsnoop", "fakeset", "iranian apt", "espionage", "dindoor", "backdoor", "cyberattack", "bibiwiper", "darkcomp", "phoenix", "cve-2023-6895", "cve-2017-7921", "stagecomp", "ddos", "data exfiltration", "apt", "geopolitical conflict" ], "references": [ "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "United States of America", "Canada", "Israel" ], "malware_families": [ { "id": "Dindoor", "display_name": "Dindoor", "target": null }, { "id": "Fakeset", "display_name": "Fakeset", "target": null }, { "id": "Stagecomp", "display_name": "Stagecomp", "target": null }, { "id": "Darkcomp", "display_name": "Darkcomp", "target": null }, { "id": "Phoenix", "display_name": "Phoenix", "target": null }, { "id": "PDQ", "display_name": "PDQ", "target": null }, { "id": "BibiWiper", "display_name": "BibiWiper", "target": null }, { "id": "HTTPSnoop", "display_name": "HTTPSnoop", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Defense", "Aerospace", "Government", "Transportation", "Technology", "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 25, "domain": 3, "hostname": 2 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 378954, "modified_text": "51 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ea03475dab7fe7a9ad2feb", "name": "DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers", "description": "Two samples of DinDoor malware were uploaded to public repositories, but they did not share code, according to research published by the security firm Hunt.io on Tuesday.. and published on Wednesday.", "modified": "2026-04-23T11:32:23.410000", "created": "2026-04-23T11:32:23.410000", "tags": [ "dindoor", "na na", "nl ip", "de ip", "deno", "caddy", "powershell", "muddywater", "jumpsec", "bl networks", "castleloader", "loader", "python", "february", "copy", "demo", "prospero", "encrypt", "path", "tsundere" ], "references": [ "https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Deno", "display_name": "Deno", "target": null }, { "id": "DinDoor", "display_name": "DinDoor", "target": null }, { "id": "MuddyWater", "display_name": "MuddyWater", "target": null }, { "id": "Tsundere", "display_name": "Tsundere", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Financial Services" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 20, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 1, "domain": 13, "hostname": 4 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 849, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e0c75ee5ca57ac39bdda56", "name": "EbeeApril2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-22T23:34:39.020000", "created": "2026-04-16T11:26:22.347000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "STX RAT, Deploying NetSupport RAT via Compromised Websites, AngrySpark, Abusing n8n platform", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 44, "CVE": 8, "FileHash-MD5": 223, "FileHash-SHA1": 235, "FileHash-SHA256": 214, "URL": 54, "domain": 70, "hostname": 64 }, "indicator_count": 912, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e67e0a9ba34ad5f57c143e", "name": "Iranian APT Seedworm Targets Global Organizations via Microsoft Teams", "description": "In late February 2026, following escalating Middle East tensions and coordinated military actions, Iranian APT group Seedworm launched sophisticated social engineering attacks via Microsoft Teams. Attackers impersonated IT support personnel using deceptive Microsoft 365 tenant domains to convince victims to execute malicious MSI installers. The campaign deployed a custom backdoor called Dindoor, which leveraged legitimate Deno runtime to execute obfuscated payloads in-memory, minimizing detection. The operation included multiple components for persistence, command-and-control communications, and data exfiltration. Infrastructure overlapped with previously reported MuddyWater operations.", "modified": "2026-04-22T19:32:00.233000", "created": "2026-04-20T19:27:06.899000", "tags": [ "muddywater infrastructure", "in-memory execution", "seedworm", "microsoft teams", "dindoor", "social engineering", "dindoor backdoor", "iran apt", "deno runtime", "dinodance" ], "references": [ "https://www.cyberproof.com/blog/iranian-apt-seedworm-targets-global-organizations-via-microsoft-teams/" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [], "malware_families": [ { "id": "Dindoor", "display_name": "Dindoor", "target": null }, { "id": "DINODANCE", "display_name": "DINODANCE", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "69e2417dcac9587a626c98a2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dylanroth7", "id": "285032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 26, "URL": 2, "domain": 1, "hostname": 2 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e6fb820c2c73386320bce2", "name": "Iranian APT Seedworm Targets Global Organizations via Microsoft Teams", "description": "", "modified": "2026-04-21T04:22:26.449000", "created": "2026-04-21T04:22:26.449000", "tags": [ "muddywater infrastructure", "in-memory execution", "seedworm", "microsoft teams", "dindoor", "social engineering", "dindoor backdoor", "iran apt", "deno runtime", "dinodance" ], "references": [ "https://www.cyberproof.com/blog/iranian-apt-seedworm-targets-global-organizations-via-microsoft-teams/" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [], "malware_families": [ { "id": "Dindoor", "display_name": "Dindoor", "target": null }, { "id": "DINODANCE", "display_name": "DINODANCE", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69e2417dcac9587a626c98a2", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 26, "URL": 2, "domain": 1, "hostname": 2 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b8f03b3216aa326067f7a0", "name": "HANDALA-Iranian Nexus Actor", "description": "", "modified": "2026-04-18T12:01:34.910000", "created": "2026-03-17T06:10:03.844000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 127, "FileHash-SHA1": 92, "FileHash-SHA256": 117, "URL": 19, "domain": 27, "hostname": 4 }, "indicator_count": 387, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "serialmenot.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "serialmenot.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1777226917.2300382 }