{ "type": "Domain", "indicator": "serverconect.cc", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/serverconect.cc", "alexa": "http://www.alexa.com/siteinfo/serverconect.cc", "indicator": "serverconect.cc", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4247158512, "indicator": "serverconect.cc", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6a09a5e6794daa366c9ed8b6", "name": "Fake OpenClaw Installer Used to Steal Crypto Wallets and Password Managers", "description": "", "modified": "2026-05-17T11:26:30.062000", "created": "2026-05-17T11:26:30.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 12, "IPv4": 7, "domain": 7, "hostname": 2 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a04e457fd36871681034888", "name": "bhishmarlodndsaa", "description": "The full text of the text above the full translation of this page: www.beuskq/raw..com. and here is a full list of text-based descriptions:-.", "modified": "2026-05-13T20:51:35.181000", "created": "2026-05-13T20:51:35.181000", "tags": [ "indicator name", "ydznvjljcz6f7" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 16, "FileHash-MD5": 81, "FileHash-SHA1": 46, "FileHash-SHA256": 56, "URL": 3, "domain": 6, "hostname": 4 }, "indicator_count": 212, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03bf4773b48c0ba5708a9c", "name": "hjkhhkjhjhkhkj", "description": "The following is the full text of the text-based code that has been used to identify and identify people using the word \"deepseek\" as a means of identifying and identifying them from the public.", "modified": "2026-05-13T00:01:11.186000", "created": "2026-05-13T00:01:11.186000", "tags": [ "indicator name", "ydznvjljcz6f7", "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 153, "FileHash-MD5": 186, "FileHash-SHA1": 85, "FileHash-SHA256": 81, "IPv4": 657, "domain": 211, "hostname": 561 }, "indicator_count": 1934, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a01c0ba11024cf6c7cad206", "name": "OpenClaw\u2019s Hologram: Fake Installer Ships Rust Infostealer", "description": "A look back at some of the key events in the recent months, as well as the findings of Netskope Threat Labs' analysis of a fake OpenClaw installer campaign that has been active since February 2026.", "modified": "2026-05-11T11:42:50.647000", "created": "2026-05-11T11:42:50.647000", "tags": [ "hologram", "hookdeck", "azure devops", "hologram https", "netskope", "february", "pathfinder", "vini egerland", "ledger live", "netskope threat", "april", "telegram", "vidar", "ghostsocks", "rust", "defender", "phantom", "wave", "music", "powershell", "loader", "global", "back", "mb", "pe", "huntress" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MB", "display_name": "MB", "target": null }, { "id": "PE", "display_name": "PE", "target": null }, { "id": "Huntress", "display_name": "Huntress", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 7, "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 12, "URL": 3, "domain": 11, "hostname": 2 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "20 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0143fbf456973ed639a693", "name": "IOC - OpenClaw\u2019s Hologram: Fake Installer Ships Rust Infostealer", "description": "Netskope Threat Labs has found a fake OpenClaw installer delivering red-team-grade capabilities\u2014all pointed at stealing credentials from over 250 crypto wallet and password manager extensions. The dropper\u2019s manifest doesn\u2019t hide the intent: \u201cHologram \u2013 Decoy entity generator for tactical misdirection.\u201d", "modified": "2026-05-11T02:50:35.847000", "created": "2026-05-11T02:50:35.847000", "tags": [ "rust", "packer c2", "packer https", "pe loader", "hologram system", "hologram c2", "telegram bot", "azure devops", "c2 config", "pathfinder", "c2 beacon", "hologram", "delivery site", "c2 relay", "payload", "loader" ], "references": [ "https://www.netskope.com/blog/openclaw-hologram-fake-installer-ships-rust-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 12, "IPv4": 7, "URL": 2, "domain": 9, "hostname": 2 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "20 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d41cc8101d74a43d5af53b", "name": "uyiygygyuguhiui", "description": "Hundreds of thousands of people have signed an online petition calling for the server to be shut down in the UK and Ireland, but what does the public say about its use and how much it will cost?", "modified": "2026-05-06T20:14:09.101000", "created": "2026-04-06T20:51:20.071000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 156, "FileHash-SHA1": 156, "FileHash-SHA256": 156, "domain": 2 }, "indicator_count": 470, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbb1e7ff6cad955292ee7f", "name": "EbeeMar2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:20:55.172000", "tags": [ "filehashmd5", "filehashsha256", "filehashsha1", "computername", "date", "time", "username", "generatedbotid", "uwhi6jqzqh7", "encoded url" ], "references": [ "IOCs.2026.1.csv" ], "public": 1, "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "FileHash-MD5": 262, "FileHash-SHA1": 197, "FileHash-SHA256": 270, "CVE": 6, "domain": 58, "email": 4, "hostname": 52 }, "indicator_count": 907, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69afd0fc5b33c1c7d9960106", "name": "IOC - \u201cMalware, from the Outside!\u201d: How a Threat Actor Used Fake OpenClaw Installers to Infect Systems with GhostSocks and Information Stealers", "description": "Information stealers continue to be an initial access vector for severe attacks against publicly facing systems, such as the Snowflake customer database compromise in 2024, and a Romanian oil pipeline operator compromise in 2026. This blog details an investigation into malicious GitHub repositories posing as OpenClaw installers that were available between the 2nd and 10th of February 2026. The OpenClaw installers were fake with low detection rates, and distributed information stealers that used a novel packer called Stealth Packer.", "modified": "2026-04-09T08:02:04.521000", "created": "2026-03-10T08:06:20.017000", "tags": [ "ip address", "steam profile", "backgroundtask", "appdata", "domain na", "url na", "vidar c2", "na mutex", "https", "type sha256", "global", "ghostsocks" ], "references": [ "https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 7, "URL": 2, "domain": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ae831a6b9ed926f04051ff", "name": "Malware, from the Outside!: How a Threat Actor Used Fake OpenClaw Installers to Infect Systems with GhostSocks and Information Stealers", "description": "Between February 2 and 10, 2026, threat actors utilized malicious GitHub repositories masquerading as OpenClaw installers to distribute information stealers, notably employing a novel malware packer called Stealth Packer. These malicious installers were low-detection exploits designed to target users attempting to install OpenClaw across both Windows and macOS systems. Specifically, the malware facilitated information theft and allowed for circumvention of multi-factor authentication (MFA) and anti-fraud measures using a tool known as GhostSocks, which converts compromised systems into proxies for unauthorized account access.", "modified": "2026-04-08T08:31:51.524000", "created": "2026-03-09T08:21:46.967000", "tags": [ "strong", "huntress", "openclaw", "github", "ghostsocks", "openclawbot", "fake openclaw", "microsoft", "february", "learn", "malware", "virustotal", "outside", "infect", "stealer", "amos", "antivm", "telegram", "service", "protect", "grok", "rust", "macos", "terminal", "desktop", "ditto", "installer", "global", "hunt", "stealth packer", "hudson rock", "moltbot", "vidar", "qilin", "nexus threat", "atomic macos", "blackbasta", "purelogs", "ip address", "steam profile", "backgroundtask", "appdata", "domain na", "url na", "vidar c2", "na mutex", "https", "iocs" ], "references": [ "https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Stealth Packer", "display_name": "Stealth Packer", "target": null }, { "id": "GhostSocks", "display_name": "GhostSocks", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 10, "URL": 4, "domain": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer", "IOCs.csv", "https://www.netskope.com/blog/openclaw-hologram-fake-installer-ships-rust-infostealer", "IOCs.2026.1.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053" ], "malware_families": [ "Mb", "Stealth packer", "Huntress", "Vidar", "Ghostsocks", "Pe" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6a09a5e6794daa366c9ed8b6", "name": "Fake OpenClaw Installer Used to Steal Crypto Wallets and Password Managers", "description": "", "modified": "2026-05-17T11:26:30.062000", "created": "2026-05-17T11:26:30.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 12, "IPv4": 7, "domain": 7, "hostname": 2 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a04e457fd36871681034888", "name": "bhishmarlodndsaa", "description": "The full text of the text above the full translation of this page: www.beuskq/raw..com. and here is a full list of text-based descriptions:-.", "modified": "2026-05-13T20:51:35.181000", "created": "2026-05-13T20:51:35.181000", "tags": [ "indicator name", "ydznvjljcz6f7" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 16, "FileHash-MD5": 81, "FileHash-SHA1": 46, "FileHash-SHA256": 56, "URL": 3, "domain": 6, "hostname": 4 }, "indicator_count": 212, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03bf4773b48c0ba5708a9c", "name": "hjkhhkjhjhkhkj", "description": "The following is the full text of the text-based code that has been used to identify and identify people using the word \"deepseek\" as a means of identifying and identifying them from the public.", "modified": "2026-05-13T00:01:11.186000", "created": "2026-05-13T00:01:11.186000", "tags": [ "indicator name", "ydznvjljcz6f7", "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 153, "FileHash-MD5": 186, "FileHash-SHA1": 85, "FileHash-SHA256": 81, "IPv4": 657, "domain": 211, "hostname": 561 }, "indicator_count": 1934, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a01c0ba11024cf6c7cad206", "name": "OpenClaw\u2019s Hologram: Fake Installer Ships Rust Infostealer", "description": "A look back at some of the key events in the recent months, as well as the findings of Netskope Threat Labs' analysis of a fake OpenClaw installer campaign that has been active since February 2026.", "modified": "2026-05-11T11:42:50.647000", "created": "2026-05-11T11:42:50.647000", "tags": [ "hologram", "hookdeck", "azure devops", "hologram https", "netskope", "february", "pathfinder", "vini egerland", "ledger live", "netskope threat", "april", "telegram", "vidar", "ghostsocks", "rust", "defender", "phantom", "wave", "music", "powershell", "loader", "global", "back", "mb", "pe", "huntress" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MB", "display_name": "MB", "target": null }, { "id": "PE", "display_name": "PE", "target": null }, { "id": "Huntress", "display_name": "Huntress", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 7, "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 12, "URL": 3, "domain": 11, "hostname": 2 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "20 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0143fbf456973ed639a693", "name": "IOC - OpenClaw\u2019s Hologram: Fake Installer Ships Rust Infostealer", "description": "Netskope Threat Labs has found a fake OpenClaw installer delivering red-team-grade capabilities\u2014all pointed at stealing credentials from over 250 crypto wallet and password manager extensions. The dropper\u2019s manifest doesn\u2019t hide the intent: \u201cHologram \u2013 Decoy entity generator for tactical misdirection.\u201d", "modified": "2026-05-11T02:50:35.847000", "created": "2026-05-11T02:50:35.847000", "tags": [ "rust", "packer c2", "packer https", "pe loader", "hologram system", "hologram c2", "telegram bot", "azure devops", "c2 config", "pathfinder", "c2 beacon", "hologram", "delivery site", "c2 relay", "payload", "loader" ], "references": [ "https://www.netskope.com/blog/openclaw-hologram-fake-installer-ships-rust-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 12, "IPv4": 7, "URL": 2, "domain": 9, "hostname": 2 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "20 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d41cc8101d74a43d5af53b", "name": "uyiygygyuguhiui", "description": "Hundreds of thousands of people have signed an online petition calling for the server to be shut down in the UK and Ireland, but what does the public say about its use and how much it will cost?", "modified": "2026-05-06T20:14:09.101000", "created": "2026-04-06T20:51:20.071000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 156, "FileHash-SHA1": 156, "FileHash-SHA256": 156, "domain": 2 }, "indicator_count": 470, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbb1e7ff6cad955292ee7f", "name": "EbeeMar2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:20:55.172000", "tags": [ "filehashmd5", "filehashsha256", "filehashsha1", "computername", "date", "time", "username", "generatedbotid", "uwhi6jqzqh7", "encoded url" ], "references": [ "IOCs.2026.1.csv" ], "public": 1, "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "FileHash-MD5": 262, "FileHash-SHA1": 197, "FileHash-SHA256": 270, "CVE": 6, "domain": 58, "email": 4, "hostname": 52 }, "indicator_count": 907, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69afd0fc5b33c1c7d9960106", "name": "IOC - \u201cMalware, from the Outside!\u201d: How a Threat Actor Used Fake OpenClaw Installers to Infect Systems with GhostSocks and Information Stealers", "description": "Information stealers continue to be an initial access vector for severe attacks against publicly facing systems, such as the Snowflake customer database compromise in 2024, and a Romanian oil pipeline operator compromise in 2026. This blog details an investigation into malicious GitHub repositories posing as OpenClaw installers that were available between the 2nd and 10th of February 2026. The OpenClaw installers were fake with low detection rates, and distributed information stealers that used a novel packer called Stealth Packer.", "modified": "2026-04-09T08:02:04.521000", "created": "2026-03-10T08:06:20.017000", "tags": [ "ip address", "steam profile", "backgroundtask", "appdata", "domain na", "url na", "vidar c2", "na mutex", "https", "type sha256", "global", "ghostsocks" ], "references": [ "https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 7, "URL": 2, "domain": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ae831a6b9ed926f04051ff", "name": "Malware, from the Outside!: How a Threat Actor Used Fake OpenClaw Installers to Infect Systems with GhostSocks and Information Stealers", "description": "Between February 2 and 10, 2026, threat actors utilized malicious GitHub repositories masquerading as OpenClaw installers to distribute information stealers, notably employing a novel malware packer called Stealth Packer. These malicious installers were low-detection exploits designed to target users attempting to install OpenClaw across both Windows and macOS systems. Specifically, the malware facilitated information theft and allowed for circumvention of multi-factor authentication (MFA) and anti-fraud measures using a tool known as GhostSocks, which converts compromised systems into proxies for unauthorized account access.", "modified": "2026-04-08T08:31:51.524000", "created": "2026-03-09T08:21:46.967000", "tags": [ "strong", "huntress", "openclaw", "github", "ghostsocks", "openclawbot", "fake openclaw", "microsoft", "february", "learn", "malware", "virustotal", "outside", "infect", "stealer", "amos", "antivm", "telegram", "service", "protect", "grok", "rust", "macos", "terminal", "desktop", "ditto", "installer", "global", "hunt", "stealth packer", "hudson rock", "moltbot", "vidar", "qilin", "nexus threat", "atomic macos", "blackbasta", "purelogs", "ip address", "steam profile", "backgroundtask", "appdata", "domain na", "url na", "vidar c2", "na mutex", "https", "iocs" ], "references": [ "https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Stealth Packer", "display_name": "Stealth Packer", "target": null }, { "id": "GhostSocks", "display_name": "GhostSocks", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 10, "URL": 4, "domain": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "serverconect.cc", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "serverconect.cc", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780236294.8604264 }