{ "type": "Domain", "indicator": "shell.run", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/shell.run", "alexa": "http://www.alexa.com/siteinfo/shell.run", "indicator": "shell.run", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 457527553, "indicator": "shell.run", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 38, "pulses": [ { "id": "699316a97372a95704b5c326", "name": "Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure", "description": "A summary of the findings from LAB52, the Spanish government\u2019s intelligence unit, which has been monitoring a spear-phishing campaign carried out by the hacker group APT28.", "modified": "2026-02-16T13:07:53.173000", "created": "2026-02-16T13:07:53.173000", "tags": [ "vbscript", "september", "sendkeys", "edge", "microsoft word", "html", "microsoft edge", "html file", "apt28", "january", "headless", "ukraine", "base64", "windowtitle", "cmd" ], "references": [ "https://lab52.io/blog/operation-macromaze-new-apt28-campaign-using-basic-tooling-and-legit-infrastructure/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "HTML", "display_name": "HTML", "target": null }, { "id": "Base64", "display_name": "Base64", "target": null }, { "id": "WindowTitle", "display_name": "WindowTitle", "target": null }, { "id": "CMD", "display_name": "CMD", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 26, "hostname": 9, "URL": 44, "domain": 3 }, "indicator_count": 84, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "62 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68224616ff63e7e33a1e4fd4", "name": "LummaStealer Variant Delivered via Obfuscated VBScript Loader", "description": "This analysis examines a LummaStealer variant distributed through a heavily obfuscated VBScript loader. The loader employs multiple evasion techniques, including:\nBase64 encoding\nString splitting and concatenation\nString reversal\nEmbedding strings within arrays\nThese methods aim to hinder static analysis and detection.\nUpon execution, the VBScript constructs URLs\u2014some hardcoded IP addresses, others domain names\u2014to connect to command-and-control (C2) servers. It utilizes System.Net.WebClient or Microsoft.XMLHTTP in PowerShell to download additional scripts or executable payloads.\n\nThe downloaded payloads are executed in-memory using Invoke-Expression or Start-Process. In some instances, the payload is written to disk (e.g., %TEMP%) before execution.\nThe malware communicates with multiple domains/IPs for redundancy, potentially performing callbacks for updates or secondary payloads.\nAnti-analysis measures include avoiding clear text commands and hiding indicators and execution paths through encoding.", "modified": "2025-06-11T19:00:21.447000", "created": "2025-05-12T19:03:50.750000", "tags": [ "powershell", "temp", "urls", "startup folder", "exception", "token", "ascii", "base64", "vba script", "vbscript loader", "hosts", "persistence", "config", "loader", "date", "lummastealer" ], "references": [ "https://medium.com/@shubhandrew/analysis-of-a-lummastealer-variant-vbscript-loader-b4f6ce4256c1" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lummastealer", "display_name": "Lummastealer", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 3, "URL": 31, "domain": 7, "hostname": 5 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 173, "modified_text": "312 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6746eae02e409b017dfc3446", "name": "test", "description": "", "modified": "2024-11-27T09:49:56.893000", "created": "2024-11-27T09:48:16.350000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e72e166ce385bcf6a190", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7079 }, "indicator_count": 12733, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746eada877212ce963923c4", "name": "test", "description": "", "modified": "2024-11-27T09:48:10.379000", "created": "2024-11-27T09:48:10.379000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e72e166ce385bcf6a190", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e72e166ce385bcf6a190", "name": "test", "description": "", "modified": "2024-11-27T09:32:30.359000", "created": "2024-11-27T09:32:30.359000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e72528402d5f2b560f94", "name": "test", "description": "", "modified": "2024-11-27T09:32:21.842000", "created": "2024-11-27T09:32:21.842000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f7e75b22b226428b54", "name": "test", "description": "", "modified": "2024-11-27T09:31:35.510000", "created": "2024-11-27T09:31:35.510000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f777858514fd47721b", "name": "test", "description": "", "modified": "2024-11-27T09:31:35.336000", "created": "2024-11-27T09:31:35.336000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f6008916b47ddecc1b", "name": "test", "description": "", "modified": "2024-11-27T09:31:34.682000", "created": "2024-11-27T09:31:34.682000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f69c42d60283e9aa0f", "name": "test", "description": "", "modified": "2024-11-27T09:31:34.344000", "created": "2024-11-27T09:31:34.344000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f4be000f79eef564e0", "name": "test", "description": "", "modified": "2024-11-27T09:31:32.861000", "created": "2024-11-27T09:31:32.861000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f4e35efa94cb40610d", "name": "test", "description": "", "modified": "2024-11-27T09:31:32.732000", "created": "2024-11-27T09:31:32.732000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f4050558d7149be4f8", "name": "test", "description": "", "modified": "2024-11-27T09:31:32.526000", "created": "2024-11-27T09:31:32.526000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f4dfcc3c6e3abf71e3", "name": "test", "description": "", "modified": "2024-11-27T09:31:32.026000", "created": "2024-11-27T09:31:32.026000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f1b272922f8975813f", "name": "test", "description": "", "modified": "2024-11-27T09:31:29.591000", "created": "2024-11-27T09:31:29.591000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6e2bc0c6a3bca869f4e", "name": "test", "description": "", "modified": "2024-11-27T09:31:14.131000", "created": "2024-11-27T09:31:14.131000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d7cdf7772c62155cc7", "name": "test", "description": "", "modified": "2024-11-27T09:31:03.357000", "created": "2024-11-27T09:31:03.357000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d634e8a45dcfcc52a1", "name": "test", "description": "", "modified": "2024-11-27T09:31:02.497000", "created": "2024-11-27T09:31:02.497000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d5d0add372df82b9ce", "name": "test", "description": "", "modified": "2024-11-27T09:31:01.001000", "created": "2024-11-27T09:31:01.001000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d4b38ef8a4f5dbd3fb", "name": "test", "description": "", "modified": "2024-11-27T09:31:00.510000", "created": "2024-11-27T09:31:00.510000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d311db88d04259103f", "name": "test", "description": "", "modified": "2024-11-27T09:30:59.961000", "created": "2024-11-27T09:30:59.961000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d386c7f4be942bd878", "name": "test", "description": "", "modified": "2024-11-27T09:30:59.831000", "created": "2024-11-27T09:30:59.831000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d16bc55ef32a6d3ad1", "name": "test", "description": "", "modified": "2024-11-27T09:30:57.742000", "created": "2024-11-27T09:30:57.742000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6cffe9312f50b94ab69", "name": "test", "description": "", "modified": "2024-11-27T09:30:55.961000", "created": "2024-11-27T09:30:55.961000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "666ac558d08da6cfb3ba135b", "name": "Thor Lite Scanner - Cigabuntu (Parrot Version) vs. The Book of Shadows", "description": "A little unclear on 'just exactly what all of this is' - Other than Huntress Catching things and Thor & Bitdefender Gravutyzone ****ing the bed\n\nScan ID: S-6vsmMgE47Gk\nScan Id: S-H9GdDtmU2vU\n\n06.13.24: https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "modified": "2024-07-13T09:05:44.647000", "created": "2024-06-13T10:09:28.617000", "tags": [ "entity", "please", "javascript", "valhalla", "php", "filename ioc", "mon jun", "module", "sigtype1", "reasonscount", "tue jun", "exploit code", "file names", "matched1", "score", "shellcode", "form", "mimikatz", "powershell", "cobaltstrike", "null", "trace", "shell", "import", "empire", "hermanos", "cobalt strike", "void", "body", "exploit", "webshell", "antak", "anomaly", "error", "generic", "target", "obfus", "skeletonkey", "virustotal", "dllimport", "false", "flash", "info", "click", "macos", "test", "powersploit", "powercat", "tools", "metasploit", "twitter", "open", "path", "xploit" ], "references": [ "https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/summary", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/iocs", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/graph" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VALHALLA", "display_name": "VALHALLA", "target": null }, { "id": "PHP", "display_name": "PHP", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 74, "CVE": 156, "FileHash-MD5": 828, "FileHash-SHA1": 1126, "FileHash-SHA256": 746, "domain": 130, "email": 4, "hostname": 21 }, "indicator_count": 3085, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6503e2757924cd9f6f7a9611", "name": "Network IOCs (Pulse Created by cnoscsoc@att.com)", "description": "", "modified": "2023-09-15T04:49:57.815000", "created": "2023-09-15T04:49:57.815000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "614e0dc583aa90bf2dd4ec91", "export_count": 7213, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "947 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6503e275ad0281f4ff3b1ebc", "name": "Network IOCs (Pulse Created by cnoscsoc@att.com)", "description": "", "modified": "2023-09-15T04:49:57.375000", "created": "2023-09-15T04:49:57.375000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "614e0dc583aa90bf2dd4ec91", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "947 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6503e27105d6c04fb6cc9004", "name": "Network IOCs (Pulse Created by cnoscsoc@att.com)", "description": "", "modified": "2023-09-15T04:49:53.888000", "created": "2023-09-15T04:49:53.888000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "614e0dc583aa90bf2dd4ec91", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "947 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6503e2566de3b106d6888d77", "name": "Network IOCs (Pulse Created by cnoscsoc@att.com)", "description": "", "modified": "2023-09-15T04:49:26.231000", "created": "2023-09-15T04:49:26.231000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "614e0dc583aa90bf2dd4ec91", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "947 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "614e0dc583aa90bf2dd4ec91", "name": "Network IOCs", "description": "Network-based IOCs", "modified": "2023-05-11T00:01:00.294000", "created": "2021-09-24T17:41:25.461000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2663, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cnoscsoc@att.com", "id": "81627", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 371, "modified_text": "1074 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63ac06955426803120d07156", "name": "New STEPPY#KAVACH Attack Campaign Likely Targeting Indian Government: Technical Insights and Detection Using Securonix - Securonix", "description": "Securonix is a leading provider of cloud security solutions for the healthcare and manufacturing industry.. a\u00a31.5m ($2.4m) in sales, sales and research.", "modified": "2023-02-06T08:35:29.341000", "created": "2022-12-28T09:04:21.720000", "tags": [ "or deviceaction", "with", "kavach", "jscript file", "activexobject", "ip address", "c2 server", "india", "command", "steppy", "next", "rats", "powershell", "main", "class", "execution" ], "references": [ "https://www.securonix.com/blog/new-steppykavach-attack-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "India" ], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 16, "domain": 4, "hostname": 3 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 845, "modified_text": "1168 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63aba0132b5b8ca1cd9fb8c1", "name": "New STEPPY#KAVACH Attack Campaign Likely Targeting Indian Government: Technical Insights and Detection Using Securonix - Securonix", "description": "Securonix is a leading provider of cloud security solutions for the healthcare and manufacturing industry.. \u00c2\u00a31.5m ($2.4m) in sales, sales and research.", "modified": "2023-01-27T01:05:45.404000", "created": "2022-12-28T01:46:59.002000", "tags": [ "or deviceaction", "kavach", "jscript file", "activexobject", "ip address", "c2 server", "india", "steppy", "rats", "powershell", "main", "class", "execution", "forticare_tkt" ], "references": [ "https://www.securonix.com/blog/new-steppykavach-attack-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "India" ], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fontwang1234", "id": "196068", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "CIDR": 2, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 16, "domain": 4, "hostname": 3 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "1178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62ebecde8750a95cb9d43a8f", "name": "Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities | Mandiant", "description": "Find out more about Mandiant, the world's leading cyber security company, at the same time as the US government announces it will launch a major cyber-attack against a range of targets, including Russia.", "modified": "2022-09-03T00:03:41.487000", "created": "2022-08-04T15:59:26.472000", "tags": [ "please", "grimplant", "graphsteel", "beacon", "microbackdoor", "cobalt strike", "unc2589", "unc1151", "ukraine", "sfx rar", "ua cert", "intelligence", "downloader", "belarus", "whispergate", "discord", "february", "themida", "bitcoin", "powershell", "persistence", "dropper", "blackenergy", "confuser" ], "references": [ "https://www.mandiant.com/resources/spear-phish-ukrainian-entities", "https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fraw.githubusercontent.com%2FCYBERCOM-Malware-Alert%2FIOCs%2Fmain%2FUkraine%2520Network%2520IOCs%2520July%252020%25202022.xlsx&wdOrigin=BROWSELINK" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "Latvia", "Lithuania", "Belarus", "Poland", "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Media", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 17, "FileHash-SHA256": 17, "URL": 16, "YARA": 2, "domain": 4 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 166, "modified_text": "1324 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62d94902309f22efef08eca5", "name": "Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities | Mandiant", "description": "Find out more about Mandiant, the world's leading cyber security company, which provides insights into cyber threats from the frontlines and in the dark web, at the time of the Ukraine crisis.", "modified": "2022-08-20T00:02:32.698000", "created": "2022-07-21T12:39:30.701000", "tags": [ "grimplant", "graphsteel", "beacon", "microbackdoor", "cobalt strike", "unc2589", "unc1151", "ukraine", "sfx rar", "ua cert", "intelligence", "downloader", "belarus", "whispergate", "discord", "february", "themida", "bitcoin", "powershell", "persistence", "dropper", "blackenergy", "confuser" ], "references": [ "https://www.mandiant.com/resources/spear-phish-ukrainian-entities" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "Latvia", "Lithuania", "Belarus", "Poland", "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [], "industries": [ "Media", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threatmanager", "id": "74623", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 17, "FileHash-SHA256": 17, "URL": 16, "YARA": 2, "domain": 4 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 507, "modified_text": "1338 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62d948fece9f955974ea49cf", "name": "Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities | Mandiant", "description": "Find out more about Mandiant, the world's leading cyber security company, which provides insights into cyber threats from the frontlines and in the dark web, at the time of the Ukraine crisis.", "modified": "2022-08-20T00:02:32.698000", "created": "2022-07-21T12:39:26.018000", "tags": [ "grimplant", "graphsteel", "beacon", "microbackdoor", "cobalt strike", "unc2589", "unc1151", "ukraine", "sfx rar", "ua cert", "intelligence", "downloader", "belarus", "whispergate", "discord", "february", "themida", "bitcoin", "powershell", "persistence", "dropper", "blackenergy", "confuser" ], "references": [ "https://www.mandiant.com/resources/spear-phish-ukrainian-entities" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "Latvia", "Lithuania", "Belarus", "Poland", "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [], "industries": [ "Media", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threatmanager", "id": "74623", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 17, "FileHash-SHA256": 17, "URL": 16, "YARA": 2, "domain": 4 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 509, "modified_text": "1338 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62d948fec4082fcd8c52d66b", "name": "Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities | Mandiant", "description": "Find out more about Mandiant, the world's leading cyber security company, which provides insights into cyber threats from the frontlines and in the dark web, at the time of the Ukraine crisis.", "modified": "2022-08-20T00:02:32.698000", "created": "2022-07-21T12:39:26.808000", "tags": [ "grimplant", "graphsteel", "beacon", "microbackdoor", "cobalt strike", "unc2589", "unc1151", "ukraine", "sfx rar", "ua cert", "intelligence", "downloader", "belarus", "whispergate", "discord", "february", "themida", "bitcoin", "powershell", "persistence", "dropper", "blackenergy", "confuser" ], "references": [ "https://www.mandiant.com/resources/spear-phish-ukrainian-entities" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "Latvia", "Lithuania", "Belarus", "Poland", "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [], "industries": [ "Media", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threatmanager", "id": "74623", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 17, "FileHash-SHA256": 17, "URL": 16, "YARA": 2, "domain": 4 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 507, "modified_text": "1338 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62d948fe791fe5772e88c58d", "name": "Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities | Mandiant", "description": "Find out more about Mandiant, the world's leading cyber security company, which provides insights into cyber threats from the frontlines and in the dark web, at the time of the Ukraine crisis.", "modified": "2022-08-20T00:02:32.698000", "created": "2022-07-21T12:39:26.935000", "tags": [ "grimplant", "graphsteel", "beacon", "microbackdoor", "cobalt strike", "unc2589", "unc1151", "ukraine", "sfx rar", "ua cert", "intelligence", "downloader", "belarus", "whispergate", "discord", "february", "themida", "bitcoin", "powershell", "persistence", "dropper", "blackenergy", "confuser" ], "references": [ "https://www.mandiant.com/resources/spear-phish-ukrainian-entities" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "Latvia", "Lithuania", "Belarus", "Poland", "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [], "industries": [ "Media", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threatmanager", "id": "74623", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 17, "FileHash-SHA256": 17, "URL": 16, "YARA": 2, "domain": 4 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 507, "modified_text": "1338 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62d948fe6d263bf34889a9e7", "name": "Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities | Mandiant", "description": "Find out more about Mandiant, the world's leading cyber security company, which provides insights into cyber threats from the frontlines and in the dark web, at the time of the Ukraine crisis.", "modified": "2022-08-20T00:02:32.698000", "created": "2022-07-21T12:39:26.360000", "tags": [ "grimplant", "graphsteel", "beacon", "microbackdoor", "cobalt strike", "unc2589", "unc1151", "ukraine", "sfx rar", "ua cert", "intelligence", "downloader", "belarus", "whispergate", "discord", "february", "themida", "bitcoin", "powershell", "persistence", "dropper", "blackenergy", "confuser" ], "references": [ "https://www.mandiant.com/resources/spear-phish-ukrainian-entities" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "Latvia", "Lithuania", "Belarus", "Poland", "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [], "industries": [ "Media", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threatmanager", "id": "74623", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 17, "FileHash-SHA256": 17, "URL": 16, "YARA": 2, "domain": 4 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 509, "modified_text": "1338 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "2021-09-21-Curriculo-IOCs.txt", "https://lab52.io/blog/operation-macromaze-new-apt28-campaign-using-basic-tooling-and-legit-infrastructure/", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/graph", "https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fraw.githubusercontent.com%2FCYBERCOM-Malware-Alert%2FIOCs%2Fmain%2FUkraine%2520Network%2520IOCs%2520July%252020%25202022.xlsx&wdOrigin=BROWSELINK", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/summary", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/iocs", "https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "https://www.mandiant.com/resources/spear-phish-ukrainian-entities", "https://medium.com/@shubhandrew/analysis-of-a-lummastealer-variant-vbscript-loader-b4f6ce4256c1", "https://www.securonix.com/blog/new-steppykavach-attack-campaign/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Windowtitle", "Grimplant", "Valhalla", "Beacon", "Microbackdoor", "Graphsteel", "Cmd", "Base64", "Lummastealer", "Cobalt strike", "Php", "Html" ], "industries": [ "Government", "Media", "Defense" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 38, "pulses": [ { "id": "699316a97372a95704b5c326", "name": "Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure", "description": "A summary of the findings from LAB52, the Spanish government\u2019s intelligence unit, which has been monitoring a spear-phishing campaign carried out by the hacker group APT28.", "modified": "2026-02-16T13:07:53.173000", "created": "2026-02-16T13:07:53.173000", "tags": [ "vbscript", "september", "sendkeys", "edge", "microsoft word", "html", "microsoft edge", "html file", "apt28", "january", "headless", "ukraine", "base64", "windowtitle", "cmd" ], "references": [ "https://lab52.io/blog/operation-macromaze-new-apt28-campaign-using-basic-tooling-and-legit-infrastructure/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "HTML", "display_name": "HTML", "target": null }, { "id": "Base64", "display_name": "Base64", "target": null }, { "id": "WindowTitle", "display_name": "WindowTitle", "target": null }, { "id": "CMD", "display_name": "CMD", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 26, "hostname": 9, "URL": 44, "domain": 3 }, "indicator_count": 84, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "62 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68224616ff63e7e33a1e4fd4", "name": "LummaStealer Variant Delivered via Obfuscated VBScript Loader", "description": "This analysis examines a LummaStealer variant distributed through a heavily obfuscated VBScript loader. The loader employs multiple evasion techniques, including:\nBase64 encoding\nString splitting and concatenation\nString reversal\nEmbedding strings within arrays\nThese methods aim to hinder static analysis and detection.\nUpon execution, the VBScript constructs URLs\u2014some hardcoded IP addresses, others domain names\u2014to connect to command-and-control (C2) servers. It utilizes System.Net.WebClient or Microsoft.XMLHTTP in PowerShell to download additional scripts or executable payloads.\n\nThe downloaded payloads are executed in-memory using Invoke-Expression or Start-Process. In some instances, the payload is written to disk (e.g., %TEMP%) before execution.\nThe malware communicates with multiple domains/IPs for redundancy, potentially performing callbacks for updates or secondary payloads.\nAnti-analysis measures include avoiding clear text commands and hiding indicators and execution paths through encoding.", "modified": "2025-06-11T19:00:21.447000", "created": "2025-05-12T19:03:50.750000", "tags": [ "powershell", "temp", "urls", "startup folder", "exception", "token", "ascii", "base64", "vba script", "vbscript loader", "hosts", "persistence", "config", "loader", "date", "lummastealer" ], "references": [ "https://medium.com/@shubhandrew/analysis-of-a-lummastealer-variant-vbscript-loader-b4f6ce4256c1" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lummastealer", "display_name": "Lummastealer", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 3, "URL": 31, "domain": 7, "hostname": 5 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 173, "modified_text": "312 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6746eae02e409b017dfc3446", "name": "test", "description": "", "modified": "2024-11-27T09:49:56.893000", "created": "2024-11-27T09:48:16.350000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e72e166ce385bcf6a190", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7079 }, "indicator_count": 12733, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746eada877212ce963923c4", "name": "test", "description": "", "modified": "2024-11-27T09:48:10.379000", "created": "2024-11-27T09:48:10.379000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e72e166ce385bcf6a190", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e72e166ce385bcf6a190", "name": "test", "description": "", "modified": "2024-11-27T09:32:30.359000", "created": "2024-11-27T09:32:30.359000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e72528402d5f2b560f94", "name": "test", "description": "", "modified": "2024-11-27T09:32:21.842000", "created": "2024-11-27T09:32:21.842000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f7e75b22b226428b54", "name": "test", "description": "", "modified": "2024-11-27T09:31:35.510000", "created": "2024-11-27T09:31:35.510000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f777858514fd47721b", "name": "test", "description": "", "modified": "2024-11-27T09:31:35.336000", "created": "2024-11-27T09:31:35.336000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f6008916b47ddecc1b", "name": "test", "description": "", "modified": "2024-11-27T09:31:34.682000", "created": "2024-11-27T09:31:34.682000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f69c42d60283e9aa0f", "name": "test", "description": "", "modified": "2024-11-27T09:31:34.344000", "created": "2024-11-27T09:31:34.344000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "shell.run", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "shell.run", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776639543.834909 }