{
  "type": "Domain",
  "indicator": "shadow-network.best",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/shadow-network.best",
    "alexa": "http://www.alexa.com/siteinfo/shadow-network.best",
    "indicator": "shadow-network.best",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4071568232,
      "indicator": "shadow-network.best",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "685db537f7a98c26737b6b3b",
          "name": "Iranian Educated Manticore Targets Leading Tech Academics",
          "description": "The Iranian threat group Educated Manticore, associated with the Islamic Revolutionary Guard Corps, has launched spear-phishing campaigns targeting Israeli journalists, cyber security experts and computer science professors. The attackers posed as fictitious assistants to technology executives or researchers, directing victims to fake Gmail login pages or Google Meet invitations. This allowed them to intercept passwords and 2FA codes, gaining unauthorized access to victims' accounts. The group used a custom phishing kit implemented as a Single Page Application built with React, supporting various Google authentication flows and enabling 2FA relay attacks. The infrastructure relied on over 130 unique domains resolving to multiple IP addresses. Despite increased exposure, Educated Manticore continues to pose a persistent threat, particularly to individuals in Israel during the Iran-Israel conflict escalation.",
          "modified": "2025-07-26T20:05:20.246000",
          "created": "2025-06-26T21:01:42.866000",
          "tags": [
            "Educated Manticore",
            "Iran",
            "APT42",
            "Charming Kitten"
          ],
          "references": [
            "https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/"
          ],
          "public": 1,
          "adversary": "Educated Manticore",
          "targeted_countries": [
            "Iran, Islamic Republic of",
            "Israel"
          ],
          "malware_families": [
            {
              "id": "CharmPower - S0674",
              "display_name": "CharmPower - S0674",
              "target": null
            },
            {
              "id": "PowerLess - S1012",
              "display_name": "PowerLess - S1012",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1592",
              "name": "Gather Victim Host Information",
              "display_name": "T1592 - Gather Victim Host Information"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1590.002",
              "name": "DNS",
              "display_name": "T1590.002 - DNS"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1589.002",
              "name": "Email Addresses",
              "display_name": "T1589.002 - Email Addresses"
            },
            {
              "id": "T1593.002",
              "name": "Search Engines",
              "display_name": "T1593.002 - Search Engines"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1598.002",
              "name": "Spearphishing Attachment",
              "display_name": "T1598.002 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Government",
            "Military",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 99,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 129
          },
          "indicator_count": 129,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386711,
          "modified_text": "309 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6891b01cd25eec492f229b98",
          "name": "Iranian Educated Manticore Targets Leading Tech Academics",
          "description": "",
          "modified": "2025-08-05T07:17:48.529000",
          "created": "2025-08-05T07:17:48.529000",
          "tags": [
            "Educated Manticore",
            "Iran",
            "APT42",
            "Charming Kitten"
          ],
          "references": [
            "https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/"
          ],
          "public": 1,
          "adversary": "Educated Manticore",
          "targeted_countries": [
            "Iran, Islamic Republic of",
            "Israel"
          ],
          "malware_families": [
            {
              "id": "CharmPower - S0674",
              "display_name": "CharmPower - S0674",
              "target": null
            },
            {
              "id": "PowerLess - S1012",
              "display_name": "PowerLess - S1012",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1592",
              "name": "Gather Victim Host Information",
              "display_name": "T1592 - Gather Victim Host Information"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1590.002",
              "name": "DNS",
              "display_name": "T1590.002 - DNS"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1589.002",
              "name": "Email Addresses",
              "display_name": "T1589.002 - Email Addresses"
            },
            {
              "id": "T1593.002",
              "name": "Search Engines",
              "display_name": "T1593.002 - Search Engines"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1598.002",
              "name": "Spearphishing Attachment",
              "display_name": "T1598.002 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Government",
            "Military",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": "685db537f7a98c26737b6b3b",
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 129
          },
          "indicator_count": 129,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "300 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68650dc72066f12ec3d51939",
          "name": "Iranian APT Actors-Pt4",
          "description": "",
          "modified": "2025-08-01T10:03:06.225000",
          "created": "2025-07-02T10:45:25.998000",
          "tags": [],
          "references": [
            "IOCs.pdf"
          ],
          "public": 1,
          "adversary": "Agrius, Cuboid Sandstorm, Tortoiseshell, Gray Sandstorm, Pumpkin Sandstorm, Lemon Sandstorm, BladedF",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 15,
            "FileHash-MD5": 92,
            "FileHash-SHA1": 100,
            "FileHash-SHA256": 124,
            "CVE": 13,
            "domain": 157,
            "email": 2,
            "hostname": 8
          },
          "indicator_count": 511,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "304 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68619df4f344ef828a978fd3",
          "name": "Threat Actor Group Employs Phishing Campaign to Harvest Credentials",
          "description": "A look at some of the key words and phrases used by people to describe the world of food, drink, and other food and lifestyle.. and the most popular of them are in the UK.",
          "modified": "2025-07-29T20:03:01.062000",
          "created": "2025-06-29T20:11:30.734000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 129
          },
          "indicator_count": 129,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "306 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6864e163219c3229e070f60f",
          "name": "Iranian Educated Manticore Targets Leading Tech Academics",
          "description": "",
          "modified": "2025-07-26T20:05:20.246000",
          "created": "2025-07-02T07:36:03.536000",
          "tags": [
            "Educated Manticore",
            "Iran",
            "APT42",
            "Charming Kitten"
          ],
          "references": [
            "https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/"
          ],
          "public": 1,
          "adversary": "Educated Manticore",
          "targeted_countries": [
            "Iran, Islamic Republic of",
            "Israel"
          ],
          "malware_families": [
            {
              "id": "CharmPower - S0674",
              "display_name": "CharmPower - S0674",
              "target": null
            },
            {
              "id": "PowerLess - S1012",
              "display_name": "PowerLess - S1012",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1592",
              "name": "Gather Victim Host Information",
              "display_name": "T1592 - Gather Victim Host Information"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1590.002",
              "name": "DNS",
              "display_name": "T1590.002 - DNS"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1589.002",
              "name": "Email Addresses",
              "display_name": "T1589.002 - Email Addresses"
            },
            {
              "id": "T1593.002",
              "name": "Search Engines",
              "display_name": "T1593.002 - Search Engines"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1598.002",
              "name": "Spearphishing Attachment",
              "display_name": "T1598.002 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Government",
            "Military",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": "685db537f7a98c26737b6b3b",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 129
          },
          "indicator_count": 129,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "309 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "685c062cd29faa2dd50f668f",
          "name": "Iranian Educated Manticore Targets Leading Tech Academics",
          "description": "The full list of names and names has been released by the International Organization for the Advancement of Knowledge (IOC) on the topic of social media and the internet.. and it is not yet known.",
          "modified": "2025-07-25T14:01:14.458000",
          "created": "2025-06-25T14:22:36.113000",
          "tags": [
            "iocs ips"
          ],
          "references": [
            "https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 129
          },
          "indicator_count": 129,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "311 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6837ca097511515a43765aeb",
          "name": "APT42 GreenCharlie CharmingKitten",
          "description": "",
          "modified": "2025-06-28T02:02:37.632000",
          "created": "2025-05-29T02:44:25.905000",
          "tags": [
            "APT42"
          ],
          "references": [
            "https://x.com/Cyberteam008/status/1927915406288695626",
            "https://pastebin.com/fQfA1PRC"
          ],
          "public": 1,
          "adversary": "APT42",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 52,
            "hostname": 94
          },
          "indicator_count": 146,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "338 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "685c5f181dbc191587434231",
          "name": "Iranian Educated Manticore Targets Leading Tech Academics.",
          "description": "Iranian threat group Educated Manticore, associated with the Islamic Revolutionary Guard Corps (IRGC), has intensified spear-phishing campaigns targeting Israeli journalists, cybersecurity experts, and academics amid heightened tensions between Iran and Israel. The group is known for its custom phishing tactics, where attackers impersonate fictitious technology executives or researchers to engage their targets via emails and WhatsApp. Victims are often directed to fake Gmail login pages or Google Meet invitations, where their credentials and two-factor authentication (2FA) codes are harvested, providing attackers with unauthorized access to sensitive accounts.",
          "modified": "2025-06-25T20:42:00.807000",
          "created": "2025-06-25T20:42:00.807000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "IRGC",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1556.002",
              "name": "Password Filter DLL",
              "display_name": "T1556.002 - Password Filter DLL"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1584.001",
              "name": "Domains",
              "display_name": "T1584.001 - Domains"
            },
            {
              "id": "T1586.002",
              "name": "Email Accounts",
              "display_name": "T1586.002 - Email Accounts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 53
          },
          "indicator_count": 53,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "340 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IOCs.pdf",
        "https://pastebin.com/fQfA1PRC",
        "https://x.com/Cyberteam008/status/1927915406288695626",
        "https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Educated Manticore"
          ],
          "malware_families": [
            "Charmpower - s0674",
            "Powerless - s1012"
          ],
          "industries": [
            "Government",
            "Military",
            "Media"
          ]
        },
        "other": {
          "adversary": [
            "IRGC",
            "Agrius, Cuboid Sandstorm, Tortoiseshell, Gray Sandstorm, Pumpkin Sandstorm, Lemon Sandstorm, BladedF",
            "APT42",
            "Educated Manticore"
          ],
          "malware_families": [
            "Charmpower - s0674",
            "Powerless - s1012"
          ],
          "industries": [
            "Government",
            "Military",
            "Media"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "685db537f7a98c26737b6b3b",
      "name": "Iranian Educated Manticore Targets Leading Tech Academics",
      "description": "The Iranian threat group Educated Manticore, associated with the Islamic Revolutionary Guard Corps, has launched spear-phishing campaigns targeting Israeli journalists, cyber security experts and computer science professors. The attackers posed as fictitious assistants to technology executives or researchers, directing victims to fake Gmail login pages or Google Meet invitations. This allowed them to intercept passwords and 2FA codes, gaining unauthorized access to victims' accounts. The group used a custom phishing kit implemented as a Single Page Application built with React, supporting various Google authentication flows and enabling 2FA relay attacks. The infrastructure relied on over 130 unique domains resolving to multiple IP addresses. Despite increased exposure, Educated Manticore continues to pose a persistent threat, particularly to individuals in Israel during the Iran-Israel conflict escalation.",
      "modified": "2025-07-26T20:05:20.246000",
      "created": "2025-06-26T21:01:42.866000",
      "tags": [
        "Educated Manticore",
        "Iran",
        "APT42",
        "Charming Kitten"
      ],
      "references": [
        "https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/"
      ],
      "public": 1,
      "adversary": "Educated Manticore",
      "targeted_countries": [
        "Iran, Islamic Republic of",
        "Israel"
      ],
      "malware_families": [
        {
          "id": "CharmPower - S0674",
          "display_name": "CharmPower - S0674",
          "target": null
        },
        {
          "id": "PowerLess - S1012",
          "display_name": "PowerLess - S1012",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1592",
          "name": "Gather Victim Host Information",
          "display_name": "T1592 - Gather Victim Host Information"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1590.002",
          "name": "DNS",
          "display_name": "T1590.002 - DNS"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1589.002",
          "name": "Email Addresses",
          "display_name": "T1589.002 - Email Addresses"
        },
        {
          "id": "T1593.002",
          "name": "Search Engines",
          "display_name": "T1593.002 - Search Engines"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1598.002",
          "name": "Spearphishing Attachment",
          "display_name": "T1598.002 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Government",
        "Military",
        "Media"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 99,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 129
      },
      "indicator_count": 129,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386711,
      "modified_text": "309 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6891b01cd25eec492f229b98",
      "name": "Iranian Educated Manticore Targets Leading Tech Academics",
      "description": "",
      "modified": "2025-08-05T07:17:48.529000",
      "created": "2025-08-05T07:17:48.529000",
      "tags": [
        "Educated Manticore",
        "Iran",
        "APT42",
        "Charming Kitten"
      ],
      "references": [
        "https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/"
      ],
      "public": 1,
      "adversary": "Educated Manticore",
      "targeted_countries": [
        "Iran, Islamic Republic of",
        "Israel"
      ],
      "malware_families": [
        {
          "id": "CharmPower - S0674",
          "display_name": "CharmPower - S0674",
          "target": null
        },
        {
          "id": "PowerLess - S1012",
          "display_name": "PowerLess - S1012",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1592",
          "name": "Gather Victim Host Information",
          "display_name": "T1592 - Gather Victim Host Information"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1590.002",
          "name": "DNS",
          "display_name": "T1590.002 - DNS"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1589.002",
          "name": "Email Addresses",
          "display_name": "T1589.002 - Email Addresses"
        },
        {
          "id": "T1593.002",
          "name": "Search Engines",
          "display_name": "T1593.002 - Search Engines"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1598.002",
          "name": "Spearphishing Attachment",
          "display_name": "T1598.002 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Government",
        "Military",
        "Media"
      ],
      "TLP": "white",
      "cloned_from": "685db537f7a98c26737b6b3b",
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 129
      },
      "indicator_count": 129,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "300 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68650dc72066f12ec3d51939",
      "name": "Iranian APT Actors-Pt4",
      "description": "",
      "modified": "2025-08-01T10:03:06.225000",
      "created": "2025-07-02T10:45:25.998000",
      "tags": [],
      "references": [
        "IOCs.pdf"
      ],
      "public": 1,
      "adversary": "Agrius, Cuboid Sandstorm, Tortoiseshell, Gray Sandstorm, Pumpkin Sandstorm, Lemon Sandstorm, BladedF",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 15,
        "FileHash-MD5": 92,
        "FileHash-SHA1": 100,
        "FileHash-SHA256": 124,
        "CVE": 13,
        "domain": 157,
        "email": 2,
        "hostname": 8
      },
      "indicator_count": 511,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "304 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68619df4f344ef828a978fd3",
      "name": "Threat Actor Group Employs Phishing Campaign to Harvest Credentials",
      "description": "A look at some of the key words and phrases used by people to describe the world of food, drink, and other food and lifestyle, and the most popular of them are in the UK.",
      "modified": "2025-07-29T20:03:01.062000",
      "created": "2025-06-29T20:11:30.734000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 129
      },
      "indicator_count": 129,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "306 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6864e163219c3229e070f60f",
      "name": "Iranian Educated Manticore Targets Leading Tech Academics",
      "description": "",
      "modified": "2025-07-26T20:05:20.246000",
      "created": "2025-07-02T07:36:03.536000",
      "tags": [
        "Educated Manticore",
        "Iran",
        "APT42",
        "Charming Kitten"
      ],
      "references": [
        "https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/"
      ],
      "public": 1,
      "adversary": "Educated Manticore",
      "targeted_countries": [
        "Iran, Islamic Republic of",
        "Israel"
      ],
      "malware_families": [
        {
          "id": "CharmPower - S0674",
          "display_name": "CharmPower - S0674",
          "target": null
        },
        {
          "id": "PowerLess - S1012",
          "display_name": "PowerLess - S1012",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1592",
          "name": "Gather Victim Host Information",
          "display_name": "T1592 - Gather Victim Host Information"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1590.002",
          "name": "DNS",
          "display_name": "T1590.002 - DNS"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1589.002",
          "name": "Email Addresses",
          "display_name": "T1589.002 - Email Addresses"
        },
        {
          "id": "T1593.002",
          "name": "Search Engines",
          "display_name": "T1593.002 - Search Engines"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1598.002",
          "name": "Spearphishing Attachment",
          "display_name": "T1598.002 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Government",
        "Military",
        "Media"
      ],
      "TLP": "white",
      "cloned_from": "685db537f7a98c26737b6b3b",
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 129
      },
      "indicator_count": 129,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "309 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "685c062cd29faa2dd50f668f",
      "name": "Iranian Educated Manticore Targets Leading Tech Academics",
      "description": "The full list of names and names has been released by the International Organization for the Advancement of Knowledge (IOC) on the topic of social media and the internet, and it is not yet known.",
      "modified": "2025-07-25T14:01:14.458000",
      "created": "2025-06-25T14:22:36.113000",
      "tags": [
        "iocs ips"
      ],
      "references": [
        "https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 129
      },
      "indicator_count": 129,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "311 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6837ca097511515a43765aeb",
      "name": "APT42 GreenCharlie CharmingKitten",
      "description": "",
      "modified": "2025-06-28T02:02:37.632000",
      "created": "2025-05-29T02:44:25.905000",
      "tags": [
        "APT42"
      ],
      "references": [
        "https://x.com/Cyberteam008/status/1927915406288695626",
        "https://pastebin.com/fQfA1PRC"
      ],
      "public": 1,
      "adversary": "APT42",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 52,
        "hostname": 94
      },
      "indicator_count": 146,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "338 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "685c5f181dbc191587434231",
      "name": "Iranian Educated Manticore Targets Leading Tech Academics.",
      "description": "Iranian threat group Educated Manticore, associated with the Islamic Revolutionary Guard Corps (IRGC), has intensified spear-phishing campaigns targeting Israeli journalists, cybersecurity experts, and academics amid heightened tensions between Iran and Israel. The group is known for its custom phishing tactics, where attackers impersonate fictitious technology executives or researchers to engage their targets via emails and WhatsApp. Victims are often directed to fake Gmail login pages or Google Meet invitations, where their credentials and two-factor authentication (2FA) codes are harvested, providing attackers with unauthorized access to sensitive accounts.",
      "modified": "2025-06-25T20:42:00.807000",
      "created": "2025-06-25T20:42:00.807000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "IRGC",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1556.002",
          "name": "Password Filter DLL",
          "display_name": "T1556.002 - Password Filter DLL"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1584.001",
          "name": "Domains",
          "display_name": "T1584.001 - Domains"
        },
        {
          "id": "T1586.002",
          "name": "Email Accounts",
          "display_name": "T1586.002 - Email Accounts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 53
      },
      "indicator_count": 53,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "340 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "shadow-network.best",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "shadow-network.best",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780333095.885517
}