{ "type": "Domain", "indicator": "shavezy.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/shavezy.com", "alexa": "http://www.alexa.com/siteinfo/shavezy.com", "indicator": "shavezy.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4329247913, "indicator": "shavezy.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ee2e6c753c8cc7142d4d77", "name": "Ransomware attack on a small company via a large contractor", "description": "A recent ransomware attack compromised the entire infrastructure of a small sports organization, exploiting vulnerabilities in a major software integrator contractor's systems. The attackers utilized a leaked exploit connected to the .NET Framework, which masqueraded as legitimate software installed on 1C systems. Notably, twelve hours before the ransomware encryption occurred, there were unauthorized login attempts from an atypical address by a service account with domain privileges, likely facilitated by a weak password. Following this infiltration, attackers leveraged Remote Desktop Protocol (RDP) to gain access to the systems, disabled antivirus tools, and executed the malicious payload known as Hardbit v4.2, which is categorized as Backdoor malware.", "modified": "2026-05-26T15:00:59.832000", "created": "2026-04-26T15:25:32.428000", "tags": [ "solar", "entrypoint", "zmiy", "email", "erudite mogwai", "ddos", "ransomware", "license service", "shedding zmiy", "backdoor", "rust", "glupteba", "radar", "telegram", "main", "mind", "cloud", "atlas", "gorilla", "puma", "darkwatchman", "stowaway", "dameware", "evil", "snakekeylogger", "steam", "dead", "king", "cobalt", "plugx", "mogwai" ], "references": [ "https://rt-solar.ru/solar-4rays/blog/6557/" ], "public": 1, "adversary": "Ngc8211", "targeted_countries": [], "malware_families": [ { "id": "Mogwai", "display_name": "Mogwai", "target": null } ], "attack_ids": [ { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://rt-solar.ru/solar-4rays/blog/6557/", "IOCs.2026.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "Ngc8211" ], "malware_families": [ "Mogwai" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ee2e6c753c8cc7142d4d77", "name": "Ransomware attack on a small company via a large contractor", "description": "A recent ransomware attack compromised the entire infrastructure of a small sports organization, exploiting vulnerabilities in a major software integrator contractor's systems. The attackers utilized a leaked exploit connected to the .NET Framework, which masqueraded as legitimate software installed on 1C systems. Notably, twelve hours before the ransomware encryption occurred, there were unauthorized login attempts from an atypical address by a service account with domain privileges, likely facilitated by a weak password. Following this infiltration, attackers leveraged Remote Desktop Protocol (RDP) to gain access to the systems, disabled antivirus tools, and executed the malicious payload known as Hardbit v4.2, which is categorized as Backdoor malware.", "modified": "2026-05-26T15:00:59.832000", "created": "2026-04-26T15:25:32.428000", "tags": [ "solar", "entrypoint", "zmiy", "email", "erudite mogwai", "ddos", "ransomware", "license service", "shedding zmiy", "backdoor", "rust", "glupteba", "radar", "telegram", "main", "mind", "cloud", "atlas", "gorilla", "puma", "darkwatchman", "stowaway", "dameware", "evil", "snakekeylogger", "steam", "dead", "king", "cobalt", "plugx", "mogwai" ], "references": [ "https://rt-solar.ru/solar-4rays/blog/6557/" ], "public": 1, "adversary": "Ngc8211", "targeted_countries": [], "malware_families": [ { "id": "Mogwai", "display_name": "Mogwai", "target": null } ], "attack_ids": [ { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "shavezy.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "shavezy.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780180687.7657568 }