{ "type": "Domain", "indicator": "serviceverifcaptcho.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/serviceverifcaptcho.com", "alexa": "http://www.alexa.com/siteinfo/serviceverifcaptcho.com", "indicator": "serviceverifcaptcho.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4049325392, "indicator": "serviceverifcaptcho.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "697c69b9af67a1f288275176", "name": "Meet IClickFix: a widespread framework using the ClickFix tactic", "description": "IClickFix is a malicious framework that compromises WordPress sites to distribute malware using the ClickFix social engineering tactic. Active since December 2024, it has infected over 3,800 WordPress sites globally. The framework injects malicious JavaScript into compromised sites, leading users through a fake CAPTCHA challenge that tricks them into executing malicious code. This ultimately installs NetSupport RAT, granting attackers full control of infected systems. The campaign has evolved over time, adding traffic distribution systems and refining its lures. While initially distributing Emmenhtal Loader and XFiles Stealer, it now primarily delivers NetSupport RAT. The widespread nature of the attacks suggests opportunistic exploitation rather than targeted campaigns.", "modified": "2026-03-01T08:03:12.270000", "created": "2026-01-30T08:20:09.209000", "tags": [ "emmenhtal loader", "netsupport rat", "watering hole", "xfiles stealer", "social engineering", "clickfix", "wordpress", "javascript", "captcha" ], "references": [ "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ghana" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Emmenhtal Loader", "display_name": "Emmenhtal Loader", "target": null }, { "id": "XFiles Stealer", "display_name": "XFiles Stealer", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 74, "FileHash-MD5": 10, "FileHash-SHA1": 16, "FileHash-SHA256": 14, "URL": 13, "hostname": 4 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 386486, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996eec8a83ff76c8fe7dc9e", "name": "ThreatFix_domain_262", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-03-21T11:34:25.575000", "created": "2026-02-19T11:06:48.676000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "URL": 3, "domain": 2634, "hostname": 1822 }, "indicator_count": 4471, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "70 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d43b0131fe8eb6ef03207", "name": "OSINT Volley 2026-01-30 - Unknown malware/Unknown Stealer/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(60), Unknown Stealer(59), IClickFix(46), AsyncRAT(23), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 33 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T23:04:07.260000", "created": "2026-01-30T23:50:08.881000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "unknown-stealer", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 44, "URL": 15, "domain": 59 }, "indicator_count": 118, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d2e9743cf30ad53c07b69", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(59), Unknown malware(56), IClickFix(46), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 29 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T22:03:53.954000", "created": "2026-01-30T22:20:07.047000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 15, "hostname": 43, "domain": 75 }, "indicator_count": 133, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d359c7845fe05aa73f2f4", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(59), Unknown malware(56), IClickFix(46), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 29 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T22:03:53.954000", "created": "2026-01-30T22:50:04.280000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 44, "URL": 15, "domain": 73 }, "indicator_count": 132, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d208711b1e2500de1a5bd", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(59), Unknown malware(56), IClickFix(46), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 29 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T21:00:31.076000", "created": "2026-01-30T21:20:07.476000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14, "hostname": 42, "domain": 78 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d12735cfaa2eb8fce9fb2", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(60), Unknown malware(56), IClickFix(46), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 29 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T20:00:10.873000", "created": "2026-01-30T20:20:03.839000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "domain": 79, "URL": 13 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d197c2966ed330c7f0601", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(59), Unknown malware(56), IClickFix(46), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 29 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T20:00:10.873000", "created": "2026-01-30T20:50:04.425000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14, "hostname": 42, "domain": 78 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d04658be618d21e9fcec9", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(66), Unknown malware(55), IClickFix(46), Cobalt Strike(17), ClearFake(16). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T19:03:56.420000", "created": "2026-01-30T19:20:05.548000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "domain": 87, "URL": 13 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d0b6cf4bc347d68fefc49", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(62), Unknown malware(55), IClickFix(46), Cobalt Strike(17), ClearFake(16). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T19:03:56.420000", "created": "2026-01-30T19:50:04.182000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "domain": 87, "URL": 13 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cf303481f8bdbab9072ed", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(68), Unknown malware(55), IClickFix(46), Cobalt Strike(17), AsyncRAT(16). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T18:00:46.183000", "created": "2026-01-30T18:05:52.630000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 93, "hostname": 29, "URL": 13 }, "indicator_count": 135, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cf6519d13b4281992268a", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(66), Unknown malware(55), IClickFix(46), Cobalt Strike(17), ClearFake(16). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T18:00:46.183000", "created": "2026-01-30T18:20:01.839000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "domain": 88, "URL": 13 }, "indicator_count": 135, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cfd5afeca46d933b6efd0", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(66), Unknown malware(55), IClickFix(46), Cobalt Strike(17), ClearFake(16). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T18:00:46.183000", "created": "2026-01-30T18:50:02.141000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "domain": 88, "URL": 13 }, "indicator_count": 135, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697ce8471720e4a681a21b5f", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(71), Unknown malware(55), IClickFix(46), ClearFake(18), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T17:03:12.719000", "created": "2026-01-30T17:20:07.629000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 107, "URL": 13, "hostname": 16 }, "indicator_count": 136, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cec7dfab73483a3b7e26c", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(69), Unknown malware(55), IClickFix(46), Cobalt Strike(17), ClearFake(14). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T17:03:12.719000", "created": "2026-01-30T17:38:05.199000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 22, "domain": 101, "URL": 13 }, "indicator_count": 136, "is_author": false, "is_subscribing": null, "subscriber_count": 193, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cef490b92b95f9b99e67d", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(68), Unknown malware(55), IClickFix(46), Cobalt Strike(17), ClearFake(14). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T17:03:12.719000", "created": "2026-01-30T17:50:01.473000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 22, "domain": 101, "URL": 13 }, "indicator_count": 136, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cda34696e0c56caca41dd", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(71), Unknown malware(55), IClickFix(46), ClearFake(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:20:04.074000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12, "domain": 109, "hostname": 16 }, "indicator_count": 137, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697ce13a59c3614b2f52cb32", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(71), Unknown malware(55), IClickFix(46), ClearFake(18), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:50:02.769000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 109, "URL": 12, "hostname": 16 }, "indicator_count": 137, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697ccc27fe00a161cf06f652", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(69), Unknown malware(53), IClickFix(46), Lumma Stealer(28), ClearFake(19). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T15:00:32.818000", "created": "2026-01-30T15:20:07.199000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 132, "URL": 10, "hostname": 15 }, "indicator_count": 157, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cd1bb637a54fe7fd32425", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(69), Unknown malware(53), IClickFix(46), Lumma Stealer(25), ClearFake(19). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T15:00:32.818000", "created": "2026-01-30T15:43:55.672000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 15, "URL": 10, "domain": 132 }, "indicator_count": 157, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cd32999b18eddf42f4367", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(69), Unknown malware(53), IClickFix(46), ClearFake(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T15:00:32.818000", "created": "2026-01-30T15:50:01.789000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 15, "URL": 10, "domain": 132 }, "indicator_count": 157, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cd3ff11d233f7729bba72", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(69), Unknown malware(53), IClickFix(46), ClearFake(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T15:00:32.818000", "created": "2026-01-30T15:53:35.182000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 15, "URL": 10, "domain": 132 }, "indicator_count": 157, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cbe17a7b72d1900f7b75b", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(69), Unknown malware(50), IClickFix(46), Lumma Stealer(28), ClearFake(19). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T14:01:16.301000", "created": "2026-01-30T14:20:07.282000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 16, "domain": 131, "URL": 8 }, "indicator_count": 155, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cc5206a34c0bd9bb736c0", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(69), Unknown malware(53), IClickFix(46), Lumma Stealer(28), ClearFake(19). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T14:01:16.301000", "created": "2026-01-30T14:50:08.765000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 132, "URL": 10, "hostname": 15 }, "indicator_count": 157, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cb00355adf34784a88bc4", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(69), Unknown malware(50), IClickFix(46), Lumma Stealer(28), ClearFake(17). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T13:05:58.137000", "created": "2026-01-30T13:20:03.272000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8, "domain": 129, "hostname": 9 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cb70f1b0aa252213f2750", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(69), Unknown malware(50), IClickFix(46), Lumma Stealer(28), ClearFake(18). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T13:05:58.137000", "created": "2026-01-30T13:50:07.063000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 13, "domain": 130, "URL": 8 }, "indicator_count": 151, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697ca1f5bd569c45e2c857fa", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(67), Unknown malware(50), IClickFix(46), Lumma Stealer(28), ClearFake(17). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T12:00:42.129000", "created": "2026-01-30T12:20:05.101000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 9, "URL": 6, "domain": 127 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 193, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697ca8ff448379057df1754a", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(69), Unknown malware(50), IClickFix(46), Lumma Stealer(28), ClearFake(17). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T12:00:42.129000", "created": "2026-01-30T12:50:07.673000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 128, "URL": 6, "hostname": 9 }, "indicator_count": 143, "is_author": false, "is_subscribing": null, "subscriber_count": 193, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697c93e550ca420ca08deaf5", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(67), Unknown malware(50), IClickFix(46), Lumma Stealer(28), Cobalt Strike(18). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T11:01:20.435000", "created": "2026-01-30T11:20:05.854000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 129, "URL": 13, "hostname": 5 }, "indicator_count": 147, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697c9aea39716f4e8d8a0870", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(67), Unknown malware(50), IClickFix(46), Lumma Stealer(28), Cobalt Strike(18). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T11:01:20.435000", "created": "2026-01-30T11:50:02.850000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 129, "URL": 13, "hostname": 5 }, "indicator_count": 147, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697c8b16efd685771b3a8c52", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(65), Unknown malware(46), IClickFix(46), Lumma Stealer(28), Cobalt Strike(18). Source: abuse.ch ThreatFox API. SSL enriched: 24 IPs with HTTPS, 13 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T10:03:02.491000", "created": "2026-01-30T10:42:30.800000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 128, "hostname": 7, "URL": 17 }, "indicator_count": 152, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697c8cdad0914ababa820da4", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(65), Unknown malware(46), IClickFix(46), Lumma Stealer(28), Cobalt Strike(18). Source: abuse.ch ThreatFox API. SSL enriched: 23 IPs with HTTPS, 13 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T10:03:02.491000", "created": "2026-01-30T10:50:02.921000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 20, "domain": 128, "hostname": 7 }, "indicator_count": 155, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697c7ecb8e8533e661a81b42", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(61), Unknown malware(46), IClickFix(46), Cobalt Strike(18), ClearFake(16). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T09:04:34.561000", "created": "2026-01-30T09:50:03.381000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5, "domain": 111, "URL": 18 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69819eab7b692a1e4028d659", "name": "Meet IClickFix: a widespread framework using the ClickFix tactic", "description": "", "modified": "2026-03-01T08:03:12.270000", "created": "2026-02-03T07:07:23.413000", "tags": [ "emmenhtal loader", "netsupport rat", "watering hole", "xfiles stealer", "social engineering", "clickfix", "wordpress", "javascript", "captcha" ], "references": [ "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ghana" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Emmenhtal Loader", "display_name": "Emmenhtal Loader", "target": null }, { "id": "XFiles Stealer", "display_name": "XFiles Stealer", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "697c69b9af67a1f288275176", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 74, "FileHash-MD5": 10, "FileHash-SHA1": 16, "FileHash-SHA256": 14, "URL": 13, "hostname": 4 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697c60b0bb54100596b6a5d7", "name": "Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic", "description": "In November 2025, threat analysts from Sekoia TDR discovered a malware distribution campaign targeting WordPress websites using a social engineering tactic known as ClickFix, facilitated through a Traffic Distribution System (TDS). This campaign primarily employed watering hole attacks, wherein legitimate websites are compromised to lure victims into executing malicious commands.\n\nSekoia TDR implemented an advanced detection capability to identify these watering hole attacks, utilizing generic YARA rules to scan for compromised web pages featuring the ClickFix tactic. These rules are based on specific keywords, resource patterns, and JavaScript functions associated with the tactic's implementation.", "modified": "2026-03-01T07:06:08.143000", "created": "2026-01-30T07:41:36.705000", "tags": [ "wordpress", "iclickfix", "clickfix", "javascript", "netsupport rat", "clickfix lure", "february", "december", "november", "clearfake", "loader", "code", "advent", "elementor", "xfiles", "netsupport" ], "references": [ "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ghana", "United States of America" ], "malware_families": [ { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [ "Government", "Defense", "Energy", "Telecom" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 80, "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 15, "URL": 13, "YARA": 6, "hostname": 4 }, "indicator_count": 140, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6981b2a52bc2da0fa5f88c9f", "name": "Botnet_Cc | 2026-01-31", "description": "Botnet_Cc indicators. Date: 2026-01-31. Total: 2061 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-02-03T08:32:37.880000", "created": "2026-02-03T08:32:37.880000", "tags": [ "botnet_cc", "threatfox" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 284, "URL": 171, "domain": 190 }, "indicator_count": 645, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "116 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697dcba6577d7fdbbe0f48c4", "name": "PreCog Sweep - 2026-01-31 09h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T09:30:14.115000", "created": "2026-01-31T09:30:14.115000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 35, "domain": 173, "hostname": 171 }, "indicator_count": 379, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697dc94ebf52f92934fda582", "name": "PreCog Sweep - 2026-01-31 09h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T09:20:14.248000", "created": "2026-01-31T09:20:14.248000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 35, "domain": 174, "hostname": 170 }, "indicator_count": 379, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697dc6f7aeb34f4488113e74", "name": "PreCog Sweep - 2026-01-31 09h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T09:10:15.491000", "created": "2026-01-31T09:10:15.491000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 34, "domain": 174, "hostname": 172 }, "indicator_count": 380, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697dc49f57cbba58feee8e68", "name": "PreCog Sweep - 2026-01-31 09h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T09:00:15.011000", "created": "2026-01-31T09:00:15.011000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 174, "domain": 176, "URL": 30 }, "indicator_count": 380, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697dc2471bdb053a39f70ca3", "name": "PreCog Sweep - 2026-01-31 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T08:50:15.340000", "created": "2026-01-31T08:50:15.340000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 174, "domain": 173, "URL": 30 }, "indicator_count": 377, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697dbfed44a668a6428c44a4", "name": "PreCog Sweep - 2026-01-31 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T08:40:13.635000", "created": "2026-01-31T08:40:13.635000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 176, "URL": 30, "domain": 175 }, "indicator_count": 381, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697dbd96283d2bd73560639a", "name": "PreCog Sweep - 2026-01-31 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T08:30:14.576000", "created": "2026-01-31T08:30:14.576000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 23, "hostname": 181, "domain": 179 }, "indicator_count": 383, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697dbb3d5628498360cef6a3", "name": "PreCog Sweep - 2026-01-31 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T08:20:13.894000", "created": "2026-01-31T08:20:13.894000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 23, "hostname": 181, "domain": 179 }, "indicator_count": 383, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697db8e67a5078976914d1bc", "name": "PreCog Sweep - 2026-01-31 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T08:10:14.357000", "created": "2026-01-31T08:10:14.357000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 23, "hostname": 181, "domain": 179 }, "indicator_count": 383, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697db68e57e77054479d8149", "name": "PreCog Sweep - 2026-01-31 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T08:00:14.361000", "created": "2026-01-31T08:00:14.361000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 23, "hostname": 178, "domain": 177 }, "indicator_count": 378, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697db436714742edc9e9ff92", "name": "PreCog Sweep - 2026-01-31 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T07:50:14.257000", "created": "2026-01-31T07:50:14.257000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 23, "hostname": 152, "domain": 203 }, "indicator_count": 378, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697db1dd295e01031cfde4ea", "name": "PreCog Sweep - 2026-01-31 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T07:40:13.472000", "created": "2026-01-31T07:40:13.472000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 23, "hostname": 152, "domain": 203 }, "indicator_count": 378, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697daf86a9b45e4dca2bb309", "name": "PreCog Sweep - 2026-01-31 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T07:30:14.869000", "created": "2026-01-31T07:30:14.869000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 39, "hostname": 127, "domain": 185 }, "indicator_count": 351, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697dad2d0013462bcb0805cb", "name": "PreCog Sweep - 2026-01-31 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-31T07:20:13.553000", "created": "2026-01-31T07:20:13.553000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 39, "hostname": 127, "domain": 185 }, "indicator_count": 351, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://github.com/pduggusa/dugganusa-research", "https://ltna.com.au/cyber", "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/", "https://analytics.dugganusa.com/api/v1/stix/master", "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Emmenhtal loader", "Xfiles stealer", "Netsupport rat" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Asyncrat", "Unknown stealer", "Cobalt strike", "Netsupport rat", "Clickfix", "Clearfake", "Unknown malware", "Qilin", "Lumma stealer", "Ransomhub", "Emmenhtal loader", "Xfiles stealer", "Iclickfix" ], "industries": [ "Energy", "Government", "Telecom", "Defense" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "697c69b9af67a1f288275176", "name": "Meet IClickFix: a widespread framework using the ClickFix tactic", "description": "IClickFix is a malicious framework that compromises WordPress sites to distribute malware using the ClickFix social engineering tactic. Active since December 2024, it has infected over 3,800 WordPress sites globally. The framework injects malicious JavaScript into compromised sites, leading users through a fake CAPTCHA challenge that tricks them into executing malicious code. This ultimately installs NetSupport RAT, granting attackers full control of infected systems. The campaign has evolved over time, adding traffic distribution systems and refining its lures. While initially distributing Emmenhtal Loader and XFiles Stealer, it now primarily delivers NetSupport RAT. The widespread nature of the attacks suggests opportunistic exploitation rather than targeted campaigns.", "modified": "2026-03-01T08:03:12.270000", "created": "2026-01-30T08:20:09.209000", "tags": [ "emmenhtal loader", "netsupport rat", "watering hole", "xfiles stealer", "social engineering", "clickfix", "wordpress", "javascript", "captcha" ], "references": [ "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ghana" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Emmenhtal Loader", "display_name": "Emmenhtal Loader", "target": null }, { "id": "XFiles Stealer", "display_name": "XFiles Stealer", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 74, "FileHash-MD5": 10, "FileHash-SHA1": 16, "FileHash-SHA256": 14, "URL": 13, "hostname": 4 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 386486, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996eec8a83ff76c8fe7dc9e", "name": "ThreatFix_domain_262", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-03-21T11:34:25.575000", "created": "2026-02-19T11:06:48.676000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "URL": 3, "domain": 2634, "hostname": 1822 }, "indicator_count": 4471, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "70 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d43b0131fe8eb6ef03207", "name": "OSINT Volley 2026-01-30 - Unknown malware/Unknown Stealer/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(60), Unknown Stealer(59), IClickFix(46), AsyncRAT(23), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 33 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T23:04:07.260000", "created": "2026-01-30T23:50:08.881000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "unknown-stealer", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 44, "URL": 15, "domain": 59 }, "indicator_count": 118, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d2e9743cf30ad53c07b69", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(59), Unknown malware(56), IClickFix(46), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 29 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T22:03:53.954000", "created": "2026-01-30T22:20:07.047000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 15, "hostname": 43, "domain": 75 }, "indicator_count": 133, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d359c7845fe05aa73f2f4", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(59), Unknown malware(56), IClickFix(46), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 29 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T22:03:53.954000", "created": "2026-01-30T22:50:04.280000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 44, "URL": 15, "domain": 73 }, "indicator_count": 132, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d208711b1e2500de1a5bd", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(59), Unknown malware(56), IClickFix(46), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 29 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T21:00:31.076000", "created": "2026-01-30T21:20:07.476000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14, "hostname": 42, "domain": 78 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d12735cfaa2eb8fce9fb2", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(60), Unknown malware(56), IClickFix(46), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 29 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T20:00:10.873000", "created": "2026-01-30T20:20:03.839000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "domain": 79, "URL": 13 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d197c2966ed330c7f0601", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(59), Unknown malware(56), IClickFix(46), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 29 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T20:00:10.873000", "created": "2026-01-30T20:50:04.425000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14, "hostname": 42, "domain": 78 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d04658be618d21e9fcec9", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(66), Unknown malware(55), IClickFix(46), Cobalt Strike(17), ClearFake(16). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T19:03:56.420000", "created": "2026-01-30T19:20:05.548000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "domain": 87, "URL": 13 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697d0b6cf4bc347d68fefc49", "name": "OSINT Volley 2026-01-30 - Unknown Stealer/Unknown malware/IClickFix", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(62), Unknown malware(55), IClickFix(46), Cobalt Strike(17), ClearFake(16). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-03-01T19:03:56.420000", "created": "2026-01-30T19:50:04.182000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "iclickfix", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "IClickFix", "display_name": "IClickFix", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "domain": 87, "URL": 13 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "serviceverifcaptcho.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "serviceverifcaptcho.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780205496.3220367 }