{
  "type": "Domain",
  "indicator": "serverdata-cloud.cloud",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/serverdata-cloud.cloud",
    "alexa": "http://www.alexa.com/siteinfo/serverdata-cloud.cloud",
    "indicator": "serverdata-cloud.cloud",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4100923933,
      "indicator": "serverdata-cloud.cloud",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "68f856d14d16bb8375c07868",
          "name": "Brazilian Caminho Loader Employs LSB Steganography and Fileless Execution to Deliver Multiple Malware Families Across South America, Africa, and Eastern Europe",
          "description": "A new malware loader called Caminho, originating from Brazil, has been identified using steganography to hide .NET payloads in image files hosted on legitimate platforms. Active since March 2025, the campaign has evolved significantly, delivering various malware types across South America, Africa, and Eastern Europe. The multi-stage infection chain begins with phishing emails containing malicious scripts, leading to the download of steganographic images. The Caminho loader extracts and executes payloads in memory, establishing persistence through scheduled tasks. Analysis reveals consistent patterns and Portuguese language artifacts, indicating a Loader-as-a-Service model. The operation targets multiple industries opportunistically, using bulletproof hosting for command and control.",
          "modified": "2025-10-22T12:08:27.531000",
          "created": "2025-10-22T04:00:17.104000",
          "tags": [
            "africa",
            "eastern europe",
            "steganography",
            "loader-as-a-service",
            "katz stealer",
            "brazil",
            "south america",
            "remcos rat",
            "xworm",
            "fileless execution",
            "caminho loader"
          ],
          "references": [
            "https://arcticwolf.com/resources/blog/brazilian-caminho-loader-employs-lsb-steganography-to-deliver-multiple-malware-families"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil",
            "Poland",
            "South Africa",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Caminho Loader",
              "display_name": "Caminho Loader",
              "target": null
            },
            {
              "id": "REMCOS RAT",
              "display_name": "REMCOS RAT",
              "target": null
            },
            {
              "id": "XWorm",
              "display_name": "XWorm",
              "target": null
            },
            {
              "id": "Katz Stealer",
              "display_name": "Katz Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1497.001",
              "name": "System Checks",
              "display_name": "T1497.001 - System Checks"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1055.012",
              "name": "Process Hollowing",
              "display_name": "T1055.012 - Process Hollowing"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1573.002",
              "name": "Asymmetric Cryptography",
              "display_name": "T1573.002 - Asymmetric Cryptography"
            },
            {
              "id": "T1027.003",
              "name": "Steganography",
              "display_name": "T1027.003 - Steganography"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1102.001",
              "name": "Dead Drop Resolver",
              "display_name": "T1102.001 - Dead Drop Resolver"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 23,
            "domain": 2
          },
          "indicator_count": 41,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 377566,
          "modified_text": "179 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6675c61d2a8e4554b9985027",
          "name": "BLOCK_2024",
          "description": "",
          "modified": "2026-02-04T19:03:11.880000",
          "created": "2024-06-21T18:27:41.885000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65e899612f5527bad9d4e5a8",
          "export_count": 6863628,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BLOCKINGBLOCK",
            "id": "211480",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2306,
            "FileHash-MD5": 4833,
            "URL": 1674,
            "hostname": 1302,
            "FileHash-SHA256": 6371,
            "FileHash-SHA1": 4014,
            "IPv4": 3524,
            "CIDR": 19,
            "email": 190,
            "CVE": 4
          },
          "indicator_count": 24237,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 108,
          "modified_text": "74 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69404b09d8296388596ecfa9",
          "name": "BLOCK_2025_DIC",
          "description": "",
          "modified": "2025-12-24T16:04:11.529000",
          "created": "2025-12-15T17:53:13.004000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6675c61d2a8e4554b9985027",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BLOCKINGBLOCK",
            "id": "211480",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2300,
            "FileHash-MD5": 4833,
            "URL": 1673,
            "hostname": 1297,
            "FileHash-SHA256": 6371,
            "FileHash-SHA1": 4014,
            "IPv4": 3235,
            "CIDR": 19,
            "email": 170,
            "CVE": 4
          },
          "indicator_count": 23916,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 79,
          "modified_text": "116 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fede8bd76810fb0f85164b",
          "name": "IOC - Brazilian Caminho Loader Employs LSB Steganography and Fileless Execution to Deliver Multiple Malware Families Across South America, Africa, and Eastern Europe",
          "description": "Arctic Wolf Labs has identified and analyzed a new malware loader we\u2019re calling Caminho, a Brazilian-origin Loader-as-a-Service (LaaS) operation employing Least Significant Bit (LSB) steganography to conceal .NET payloads within image files hosted on legitimate platforms.\n\nActive since at least March 2025, with a significant operational evolution in June 2025, the campaign has delivered a variety of malware and infostealers such as REMCOS RAT, XWorm and Katz Stealer to victims within multiple industries across South America, Africa, and Eastern Europe.",
          "modified": "2025-11-26T02:00:44.846000",
          "created": "2025-10-27T02:52:59.731000",
          "tags": [
            "file name",
            "type sha256",
            "remcos rat",
            "ukraine sample",
            "stage",
            "hta file",
            "persistence",
            "first png",
            "base64",
            "latest png",
            "lost",
            "august",
            "first",
            "malicious"
          ],
          "references": [
            "https://arcticwolf.com/resources/blog/brazilian-caminho-loader-employs-lsb-steganography-to-deliver-multiple-malware-families/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 18,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 23,
            "domain": 2
          },
          "indicator_count": 61,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 119,
          "modified_text": "144 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fe0b464c16859b29c5a467",
          "name": "Caminho Malware Conceals Payloads Within Image Files",
          "description": "A sophisticated malware operation has emerged from Brazil that leverages\nadvanced steganographic techniques to hide malicious payloads within seemingly\nharmless image files.",
          "modified": "2025-11-25T11:01:31.826000",
          "created": "2025-10-26T11:51:34.654000",
          "tags": [
            "https",
            "hashes",
            "urls",
            "update",
            "siem",
            "iocs",
            "conduct",
            "domains"
          ],
          "references": [],
          "public": 1,
          "adversary": "CryptoGen Cyber Threat Intelligence Advisory",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 23,
            "URL": 2,
            "domain": 4
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 486,
          "modified_text": "145 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fa56f45f0516a0b3075e7b",
          "name": "EbeeOct2025 Pt3",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2025-11-22T16:03:43.896000",
          "created": "2025-10-23T16:25:24.750000",
          "tags": [],
          "references": [
            "Oct week.3.pdf"
          ],
          "public": 1,
          "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 61,
            "CIDR": 2,
            "CVE": 3,
            "FileHash-MD5": 175,
            "FileHash-SHA1": 135,
            "FileHash-SHA256": 190,
            "URL": 42,
            "email": 8,
            "hostname": 48
          },
          "indicator_count": 664,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 37,
          "modified_text": "148 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f9114c86c0defd1b41335e",
          "name": "Brazilian Caminho Loader Employs LSB Steganography and Fileless Execution to Deliver Multiple Malware Families Across South America, Africa, and Eastern Europe.",
          "description": "The Caminho Loader, identified by Arctic Wolf, is a sophisticated Brazilian-origin Loader-as-a-Service operation that employs Least Significant Bit (LSB) steganography to conceal malicious .NET payloads within image files hosted on legitimate platforms. Initial infection begins with spear-phishing emails that contain archived JavaScript or VBScript files, often using business-themed social engineering tactics. When executed, these scripts retrieve an obfuscated PowerShell payload that downloads steganographic images from services like archive.org, a digital archive known for its reputation and high availability.",
          "modified": "2025-11-21T17:01:54.389000",
          "created": "2025-10-22T17:15:56.137000",
          "tags": [
            "javascript",
            "caminho loader",
            "remcos rat",
            "powershell",
            "arctic wolf",
            "june",
            "katz stealer",
            "hashes",
            "urls",
            "sha256",
            "august",
            "xworm",
            "wolf",
            "loader",
            "ukraine",
            "phishing",
            "first",
            "remcos",
            "hunt",
            "path",
            "stealer",
            "virustotal",
            "media",
            "click",
            "error",
            "example",
            "date",
            "rats",
            "easy",
            "code",
            "persistence",
            "lost",
            "bmp",
            "hta",
            "caminho",
            "katz"
          ],
          "references": [
            "https://arcticwolf.com/resources/blog/brazilian-caminho-loader-employs-lsb-steganography-to-deliver-multiple-malware-families/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil",
            "South Africa",
            "Ukraine",
            "Poland",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Caminho Loader",
              "display_name": "Caminho Loader",
              "target": null
            },
            {
              "id": "Caminho",
              "display_name": "Caminho",
              "target": null
            },
            {
              "id": "XWorm",
              "display_name": "XWorm",
              "target": null
            },
            {
              "id": "Katz",
              "display_name": "Katz",
              "target": null
            },
            {
              "id": "REMCOS",
              "display_name": "REMCOS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            }
          ],
          "industries": [
            "Critical Infrastructure"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 17,
            "FileHash-SHA256": 23,
            "domain": 5
          },
          "indicator_count": 64,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "149 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "688983a9da4a6cfb06b7ad1a",
          "name": "Twitter Feed - skocherhan - 29-07-2025",
          "description": "",
          "modified": "2025-08-29T02:02:59.406000",
          "created": "2025-07-30T02:30:01.211000",
          "tags": [
            "Remcos",
            "ransomware",
            "phishing"
          ],
          "references": [
            "https://x.com/skocherhan/status/1950029038061273582",
            "https://x.com/skocherhan/status/1950031015159709902",
            "https://x.com/skocherhan/status/1950038093622362344",
            "https://x.com/skocherhan/status/1950040753847111976",
            "https://x.com/skocherhan/status/1950042792568238440",
            "https://x.com/skocherhan/status/1950046504829296829",
            "https://x.com/skocherhan/status/1950070017652847079",
            "https://x.com/skocherhan/status/1950118653162066002",
            "https://x.com/skocherhan/status/1950132305613209931",
            "https://x.com/skocherhan/status/1950254961801220235",
            "https://x.com/skocherhan/status/1950283621476020337",
            "https://x.com/skocherhan/status/1950285958257029330",
            "https://x.com/skocherhan/status/1950289582601490865"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "domain": 8,
            "URL": 17,
            "hostname": 4
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1600,
          "modified_text": "233 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://x.com/skocherhan/status/1950132305613209931",
        "https://x.com/skocherhan/status/1950038093622362344",
        "https://x.com/skocherhan/status/1950118653162066002",
        "https://x.com/skocherhan/status/1950285958257029330",
        "https://x.com/skocherhan/status/1950289582601490865",
        "https://x.com/skocherhan/status/1950283621476020337",
        "https://x.com/skocherhan/status/1950070017652847079",
        "https://x.com/skocherhan/status/1950029038061273582",
        "https://arcticwolf.com/resources/blog/brazilian-caminho-loader-employs-lsb-steganography-to-deliver-multiple-malware-families",
        "https://x.com/skocherhan/status/1950040753847111976",
        "https://x.com/skocherhan/status/1950031015159709902",
        "Oct week.3.pdf",
        "https://x.com/skocherhan/status/1950042792568238440",
        "https://x.com/skocherhan/status/1950046504829296829",
        "https://arcticwolf.com/resources/blog/brazilian-caminho-loader-employs-lsb-steganography-to-deliver-multiple-malware-families/",
        "https://x.com/skocherhan/status/1950254961801220235"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Katz stealer",
            "Caminho loader",
            "Remcos rat",
            "Xworm"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor",
            "CryptoGen Cyber Threat Intelligence Advisory"
          ],
          "malware_families": [
            "Katz",
            "Caminho",
            "Remcos",
            "Caminho loader",
            "Xworm"
          ],
          "industries": [
            "Critical infrastructure"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "68f856d14d16bb8375c07868",
      "name": "Brazilian Caminho Loader Employs LSB Steganography and Fileless Execution to Deliver Multiple Malware Families Across South America, Africa, and Eastern Europe",
      "description": "A new malware loader called Caminho, originating from Brazil, has been identified using steganography to hide .NET payloads in image files hosted on legitimate platforms. Active since March 2025, the campaign has evolved significantly, delivering various malware types across South America, Africa, and Eastern Europe. The multi-stage infection chain begins with phishing emails containing malicious scripts, leading to the download of steganographic images. The Caminho loader extracts and executes payloads in memory, establishing persistence through scheduled tasks. Analysis reveals consistent patterns and Portuguese language artifacts, indicating a Loader-as-a-Service model. The operation targets multiple industries opportunistically, using bulletproof hosting for command and control.",
      "modified": "2025-10-22T12:08:27.531000",
      "created": "2025-10-22T04:00:17.104000",
      "tags": [
        "africa",
        "eastern europe",
        "steganography",
        "loader-as-a-service",
        "katz stealer",
        "brazil",
        "south america",
        "remcos rat",
        "xworm",
        "fileless execution",
        "caminho loader"
      ],
      "references": [
        "https://arcticwolf.com/resources/blog/brazilian-caminho-loader-employs-lsb-steganography-to-deliver-multiple-malware-families"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Brazil",
        "Poland",
        "South Africa",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "Caminho Loader",
          "display_name": "Caminho Loader",
          "target": null
        },
        {
          "id": "REMCOS RAT",
          "display_name": "REMCOS RAT",
          "target": null
        },
        {
          "id": "XWorm",
          "display_name": "XWorm",
          "target": null
        },
        {
          "id": "Katz Stealer",
          "display_name": "Katz Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1497.001",
          "name": "System Checks",
          "display_name": "T1497.001 - System Checks"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1055.012",
          "name": "Process Hollowing",
          "display_name": "T1055.012 - Process Hollowing"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1573.002",
          "name": "Asymmetric Cryptography",
          "display_name": "T1573.002 - Asymmetric Cryptography"
        },
        {
          "id": "T1027.003",
          "name": "Steganography",
          "display_name": "T1027.003 - Steganography"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1102.001",
          "name": "Dead Drop Resolver",
          "display_name": "T1102.001 - Dead Drop Resolver"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 31,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 23,
        "domain": 2
      },
      "indicator_count": 41,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 377566,
      "modified_text": "179 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6675c61d2a8e4554b9985027",
      "name": "BLOCK_2024",
      "description": "",
      "modified": "2026-02-04T19:03:11.880000",
      "created": "2024-06-21T18:27:41.885000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65e899612f5527bad9d4e5a8",
      "export_count": 6863628,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "BLOCKINGBLOCK",
        "id": "211480",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 2306,
        "FileHash-MD5": 4833,
        "URL": 1674,
        "hostname": 1302,
        "FileHash-SHA256": 6371,
        "FileHash-SHA1": 4014,
        "IPv4": 3524,
        "CIDR": 19,
        "email": 190,
        "CVE": 4
      },
      "indicator_count": 24237,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 108,
      "modified_text": "74 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69404b09d8296388596ecfa9",
      "name": "BLOCK_2025_DIC",
      "description": "",
      "modified": "2025-12-24T16:04:11.529000",
      "created": "2025-12-15T17:53:13.004000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6675c61d2a8e4554b9985027",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "BLOCKINGBLOCK",
        "id": "211480",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 2300,
        "FileHash-MD5": 4833,
        "URL": 1673,
        "hostname": 1297,
        "FileHash-SHA256": 6371,
        "FileHash-SHA1": 4014,
        "IPv4": 3235,
        "CIDR": 19,
        "email": 170,
        "CVE": 4
      },
      "indicator_count": 23916,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 79,
      "modified_text": "116 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fede8bd76810fb0f85164b",
      "name": "IOC - Brazilian Caminho Loader Employs LSB Steganography and Fileless Execution to Deliver Multiple Malware Families Across South America, Africa, and Eastern Europe",
      "description": "Arctic Wolf Labs has identified and analyzed a new malware loader we\u2019re calling Caminho, a Brazilian-origin Loader-as-a-Service (LaaS) operation employing Least Significant Bit (LSB) steganography to conceal .NET payloads within image files hosted on legitimate platforms.\n\nActive since at least March 2025, with a significant operational evolution in June 2025, the campaign has delivered a variety of malware and infostealers such as REMCOS RAT, XWorm and Katz Stealer to victims within multiple industries across South America, Africa, and Eastern Europe.",
      "modified": "2025-11-26T02:00:44.846000",
      "created": "2025-10-27T02:52:59.731000",
      "tags": [
        "file name",
        "type sha256",
        "remcos rat",
        "ukraine sample",
        "stage",
        "hta file",
        "persistence",
        "first png",
        "base64",
        "latest png",
        "lost",
        "august",
        "first",
        "malicious"
      ],
      "references": [
        "https://arcticwolf.com/resources/blog/brazilian-caminho-loader-employs-lsb-steganography-to-deliver-multiple-malware-families/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 18,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 23,
        "domain": 2
      },
      "indicator_count": 61,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 119,
      "modified_text": "144 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fe0b464c16859b29c5a467",
      "name": "Caminho Malware Conceals Payloads Within Image Files",
      "description": "A sophisticated malware operation has emerged from Brazil that leverages advanced steganographic techniques to hide malicious payloads within seemingly harmless image files.",
      "modified": "2025-11-25T11:01:31.826000",
      "created": "2025-10-26T11:51:34.654000",
      "tags": [
        "https",
        "hashes",
        "urls",
        "update",
        "siem",
        "iocs",
        "conduct",
        "domains"
      ],
      "references": [],
      "public": 1,
      "adversary": "CryptoGen Cyber Threat Intelligence Advisory",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 23,
        "URL": 2,
        "domain": 4
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 486,
      "modified_text": "145 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fa56f45f0516a0b3075e7b",
      "name": "EbeeOct2025 Pt3",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2025-11-22T16:03:43.896000",
      "created": "2025-10-23T16:25:24.750000",
      "tags": [],
      "references": [
        "Oct week.3.pdf"
      ],
      "public": 1,
      "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 61,
        "CIDR": 2,
        "CVE": 3,
        "FileHash-MD5": 175,
        "FileHash-SHA1": 135,
        "FileHash-SHA256": 190,
        "URL": 42,
        "email": 8,
        "hostname": 48
      },
      "indicator_count": 664,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 37,
      "modified_text": "148 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f9114c86c0defd1b41335e",
      "name": "Brazilian Caminho Loader Employs LSB Steganography and Fileless Execution to Deliver Multiple Malware Families Across South America, Africa, and Eastern Europe.",
      "description": "The Caminho Loader, identified by Arctic Wolf, is a sophisticated Brazilian-origin Loader-as-a-Service operation that employs Least Significant Bit (LSB) steganography to conceal malicious .NET payloads within image files hosted on legitimate platforms. Initial infection begins with spear-phishing emails that contain archived JavaScript or VBScript files, often using business-themed social engineering tactics. When executed, these scripts retrieve an obfuscated PowerShell payload that downloads steganographic images from services like archive.org, a digital archive known for its reputation and high availability.",
      "modified": "2025-11-21T17:01:54.389000",
      "created": "2025-10-22T17:15:56.137000",
      "tags": [
        "javascript",
        "caminho loader",
        "remcos rat",
        "powershell",
        "arctic wolf",
        "june",
        "katz stealer",
        "hashes",
        "urls",
        "sha256",
        "august",
        "xworm",
        "wolf",
        "loader",
        "ukraine",
        "phishing",
        "first",
        "remcos",
        "hunt",
        "path",
        "stealer",
        "virustotal",
        "media",
        "click",
        "error",
        "example",
        "date",
        "rats",
        "easy",
        "code",
        "persistence",
        "lost",
        "bmp",
        "hta",
        "caminho",
        "katz"
      ],
      "references": [
        "https://arcticwolf.com/resources/blog/brazilian-caminho-loader-employs-lsb-steganography-to-deliver-multiple-malware-families/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Brazil",
        "South Africa",
        "Ukraine",
        "Poland",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Caminho Loader",
          "display_name": "Caminho Loader",
          "target": null
        },
        {
          "id": "Caminho",
          "display_name": "Caminho",
          "target": null
        },
        {
          "id": "XWorm",
          "display_name": "XWorm",
          "target": null
        },
        {
          "id": "Katz",
          "display_name": "Katz",
          "target": null
        },
        {
          "id": "REMCOS",
          "display_name": "REMCOS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1559",
          "name": "Inter-Process Communication",
          "display_name": "T1559 - Inter-Process Communication"
        }
      ],
      "industries": [
        "Critical Infrastructure"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 18,
        "FileHash-SHA1": 17,
        "FileHash-SHA256": 23,
        "domain": 5
      },
      "indicator_count": 64,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 171,
      "modified_text": "149 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "688983a9da4a6cfb06b7ad1a",
      "name": "Twitter Feed - skocherhan - 29-07-2025",
      "description": "",
      "modified": "2025-08-29T02:02:59.406000",
      "created": "2025-07-30T02:30:01.211000",
      "tags": [
        "Remcos",
        "ransomware",
        "phishing"
      ],
      "references": [
        "https://x.com/skocherhan/status/1950029038061273582",
        "https://x.com/skocherhan/status/1950031015159709902",
        "https://x.com/skocherhan/status/1950038093622362344",
        "https://x.com/skocherhan/status/1950040753847111976",
        "https://x.com/skocherhan/status/1950042792568238440",
        "https://x.com/skocherhan/status/1950046504829296829",
        "https://x.com/skocherhan/status/1950070017652847079",
        "https://x.com/skocherhan/status/1950118653162066002",
        "https://x.com/skocherhan/status/1950132305613209931",
        "https://x.com/skocherhan/status/1950254961801220235",
        "https://x.com/skocherhan/status/1950283621476020337",
        "https://x.com/skocherhan/status/1950285958257029330",
        "https://x.com/skocherhan/status/1950289582601490865"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "domain": 8,
        "URL": 17,
        "hostname": 4
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1600,
      "modified_text": "233 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "serverdata-cloud.cloud",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "serverdata-cloud.cloud",
    "found": true,
    "verdict": "malicious",
    "url_count": 3,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "https://serverdata-cloud.cloud/universe-1733359315202-8750.jpg",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-08-14",
        "tags": []
      },
      {
        "url": "https://serverdata-cloud.cloud/output_image.bmp",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-08-08",
        "tags": [
          "stego"
        ]
      },
      {
        "url": "https://serverdata-cloud.cloud/arquivo_9304bf4aaa63476ca0820ddbe663b6fb.txt",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-07-29",
        "tags": [
          "dropper",
          "rev-base64-loader",
          "reverse-base64",
          "ua-wget"
        ]
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776638307.847158
}