{ "type": "Domain", "indicator": "shepinspect.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/shepinspect.com", "alexa": "http://www.alexa.com/siteinfo/shepinspect.com", "indicator": "shepinspect.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4225631244, "indicator": "shepinspect.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69c5e4ddc46bf7f11bc53115", "name": "Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government", "description": "Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a Southeast Asian government organization between June and August 2025. Three distinct activity clusters were identified: Stately Taurus, CL-STA-1048, and CL-STA-1049. Stately Taurus used USB-propagated malware to deploy the PUBLOAD backdoor. CL-STA-1048 employed an espionage toolkit including EggStremeFuel backdoor, Masol RAT, and other tools. CL-STA-1049 utilized a novel Hypnosis loader to deploy FluffyGh0st RAT. These clusters show significant overlap with known China-aligned campaigns, suggesting a coordinated effort to establish persistent access and exfiltrate sensitive data from government networks. The convergence of multiple threat actors indicates a complex, well-resourced operation with a common strategic objective.", "modified": "2026-04-26T02:17:47.118000", "created": "2026-03-27T02:01:01.438000", "tags": [ "cl-sta-1048", "eggstremefuel", "cl-sta-1049", "coolclient", "claimloader", "gorem", "stately taurus", "backdoor", "pubload", "usbfect", "hypnosis loader", "masol", "fluffygh0st" ], "references": [ "https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/", "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/03/08_Nation-State-cyberattacks_1920x900.jpg" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "USBFect", "display_name": "USBFect", "target": null }, { "id": "PUBLOAD", "display_name": "PUBLOAD", "target": null }, { "id": "EggStremeFuel", "display_name": "EggStremeFuel", "target": null }, { "id": "Masol", "display_name": "Masol", "target": null }, { "id": "Gorem", "display_name": "Gorem", "target": null }, { "id": "TrackBak", "display_name": "TrackBak", "target": null }, { "id": "FluffyGh0st", "display_name": "FluffyGh0st", "target": null }, { "id": "Hypnosis loader", "display_name": "Hypnosis loader", "target": null }, { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ClaimLoader", "display_name": "ClaimLoader", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 4, "FileHash-SHA1": 3, "FileHash-SHA256": 29, "domain": 6, "hostname": 2 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 386448, "modified_text": "34 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699e76bb092a7cadf2ef9ddd", "name": "DEFENDER's TI (Compiled)", "description": "This pulse contains IOC's shared by Defender in the Threat Analytics blogs and more.", "modified": "2026-05-13T11:08:51.619000", "created": "2026-02-25T04:12:43.120000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sharkstriker_soc", "id": "139120", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "domain": 68, "hostname": 389, "FileHash-MD5": 332, "FileHash-SHA1": 326, "FileHash-SHA256": 1063, "email": 1 }, "indicator_count": 2244, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd48ce7b65f7a9350024cd", "name": "EbeeMar2026 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:33:18.540000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 130, "FileHash-SHA1": 145, "FileHash-SHA256": 207, "CVE": 1, "URL": 25, "domain": 285, "email": 4, "hostname": 82 }, "indicator_count": 879, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cba99133e99e8a1bdbfb02", "name": "Stately Taurus and Allied Clusters Orchestrate Persistent Espionage Campaign Against Southeast Asian", "description": "", "modified": "2026-04-30T11:18:41.744000", "created": "2026-03-31T11:01:37.579000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 18, "domain": 6, "hostname": 2 }, "indicator_count": 62, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb27ea28c3724009d4c9ba", "name": "IOC - Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government", "description": "Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a government organization in Southeast Asia. Our initial investigation began with tracking Stately Taurus activity between June 1\u2013Aug. 15, 2025. This activity involves USB-propagated malware called USBFect (aka HIUPAN), which deploys a PUBLOAD backdoor. Our investigation led to the discovery of two additional, distinct activity clusters we\u2019re tracking as CL-STA-1048 and CL-STA-1049.", "modified": "2026-04-30T01:01:43.658000", "created": "2026-03-31T01:48:26.657000", "tags": [ "sha256 hashes", "ipv4", "additional" ], "references": [ "https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 26, "domain": 6, "hostname": 2 }, "indicator_count": 68, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ca1c1ecf61f6cd139af621", "name": "Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government", "description": "", "modified": "2026-04-26T02:17:47.118000", "created": "2026-03-30T06:45:50.739000", "tags": [ "cl-sta-1048", "eggstremefuel", "cl-sta-1049", "coolclient", "claimloader", "gorem", "stately taurus", "backdoor", "pubload", "usbfect", "hypnosis loader", "masol", "fluffygh0st" ], "references": [ "https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/", "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/03/08_Nation-State-cyberattacks_1920x900.jpg" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "USBFect", "display_name": "USBFect", "target": null }, { "id": "PUBLOAD", "display_name": "PUBLOAD", "target": null }, { "id": "EggStremeFuel", "display_name": "EggStremeFuel", "target": null }, { "id": "Masol", "display_name": "Masol", "target": null }, { "id": "Gorem", "display_name": "Gorem", "target": null }, { "id": "TrackBak", "display_name": "TrackBak", "target": null }, { "id": "FluffyGh0st", "display_name": "FluffyGh0st", "target": null }, { "id": "Hypnosis loader", "display_name": "Hypnosis loader", "target": null }, { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ClaimLoader", "display_name": "ClaimLoader", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "69c5e4ddc46bf7f11bc53115", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 4, "FileHash-SHA1": 3, "FileHash-SHA256": 29, "domain": 6, "hostname": 2 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "34 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699cd39f1b38b1a933bf5559", "name": "Attribution in Action: Case Study of a Multi-Cluster Espionage Incident Targeting the South China Sea Region", "description": "The report details the ongoing espionage activities linked to various cyber threat actors, focusing primarily on two clusters: CL-STA-1048 and CL-STA-1049, with suspected ties to the Earth Estries threat group and others such as Unfading Sea Haze and Stately Taurus. These clusters have primarily targeted regions in the Philippines, Taiwan, and Malaysia since 2018 and maintain a high likelihood of being motivated by espionage interests.\n\nThe toolset observed within the CL-STA-1048 cluster includes notable malware like RawCookie (also known as EggStreme Fuel), EggStreme Loader, Gorem RAT (which serves as an advanced backdoor), PoshRAT, and Masol RAT. RawCookie appears to be designed for initial backdoor operations, while Gorem RAT operates as the primary and more sophisticated backdoor, utilizing gRPC and Protocol Buffers for communication. The malware demonstrates a comprehensive infection chain, employing DLL sideloading,", "modified": "2026-03-25T22:08:44.661000", "created": "2026-02-23T22:24:31.136000", "tags": [], "references": [ "https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_1_4_hiroaki_hara-doel_santos_en.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 26, "domain": 6, "hostname": 2 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/", "IOCs.2026.pdf", "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/03/08_Nation-State-cyberattacks_1920x900.jpg", "https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_1_4_hiroaki_hara-doel_santos_en.pdf", "Book1.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Trackbak", "Hypnosis loader", "Masol", "Gorem", "Claimloader", "Pubload", "Coolclient", "Fluffygh0st", "Usbfect", "Eggstremefuel" ], "industries": [ "Government" ] }, "other": { "adversary": [ "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key" ], "malware_families": [ "Trackbak", "Hypnosis loader", "Masol", "Gorem", "Claimloader", "Pubload", "Coolclient", "Fluffygh0st", "Usbfect", "Eggstremefuel" ], "industries": [ "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69c5e4ddc46bf7f11bc53115", "name": "Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government", "description": "Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a Southeast Asian government organization between June and August 2025. Three distinct activity clusters were identified: Stately Taurus, CL-STA-1048, and CL-STA-1049. Stately Taurus used USB-propagated malware to deploy the PUBLOAD backdoor. CL-STA-1048 employed an espionage toolkit including EggStremeFuel backdoor, Masol RAT, and other tools. CL-STA-1049 utilized a novel Hypnosis loader to deploy FluffyGh0st RAT. These clusters show significant overlap with known China-aligned campaigns, suggesting a coordinated effort to establish persistent access and exfiltrate sensitive data from government networks. The convergence of multiple threat actors indicates a complex, well-resourced operation with a common strategic objective.", "modified": "2026-04-26T02:17:47.118000", "created": "2026-03-27T02:01:01.438000", "tags": [ "cl-sta-1048", "eggstremefuel", "cl-sta-1049", "coolclient", "claimloader", "gorem", "stately taurus", "backdoor", "pubload", "usbfect", "hypnosis loader", "masol", "fluffygh0st" ], "references": [ "https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/", "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/03/08_Nation-State-cyberattacks_1920x900.jpg" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "USBFect", "display_name": "USBFect", "target": null }, { "id": "PUBLOAD", "display_name": "PUBLOAD", "target": null }, { "id": "EggStremeFuel", "display_name": "EggStremeFuel", "target": null }, { "id": "Masol", "display_name": "Masol", "target": null }, { "id": "Gorem", "display_name": "Gorem", "target": null }, { "id": "TrackBak", "display_name": "TrackBak", "target": null }, { "id": "FluffyGh0st", "display_name": "FluffyGh0st", "target": null }, { "id": "Hypnosis loader", "display_name": "Hypnosis loader", "target": null }, { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ClaimLoader", "display_name": "ClaimLoader", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 4, "FileHash-SHA1": 3, "FileHash-SHA256": 29, "domain": 6, "hostname": 2 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 386448, "modified_text": "34 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699e76bb092a7cadf2ef9ddd", "name": "DEFENDER's TI (Compiled)", "description": "This pulse contains IOC's shared by Defender in the Threat Analytics blogs and more.", "modified": "2026-05-13T11:08:51.619000", "created": "2026-02-25T04:12:43.120000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sharkstriker_soc", "id": "139120", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "domain": 68, "hostname": 389, "FileHash-MD5": 332, "FileHash-SHA1": 326, "FileHash-SHA256": 1063, "email": 1 }, "indicator_count": 2244, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd48ce7b65f7a9350024cd", "name": "EbeeMar2026 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:33:18.540000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 130, "FileHash-SHA1": 145, "FileHash-SHA256": 207, "CVE": 1, "URL": 25, "domain": 285, "email": 4, "hostname": 82 }, "indicator_count": 879, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cba99133e99e8a1bdbfb02", "name": "Stately Taurus and Allied Clusters Orchestrate Persistent Espionage Campaign Against Southeast Asian", "description": "", "modified": "2026-04-30T11:18:41.744000", "created": "2026-03-31T11:01:37.579000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 18, "domain": 6, "hostname": 2 }, "indicator_count": 62, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb27ea28c3724009d4c9ba", "name": "IOC - Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government", "description": "Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a government organization in Southeast Asia. Our initial investigation began with tracking Stately Taurus activity between June 1\u2013Aug. 15, 2025. This activity involves USB-propagated malware called USBFect (aka HIUPAN), which deploys a PUBLOAD backdoor. Our investigation led to the discovery of two additional, distinct activity clusters we\u2019re tracking as CL-STA-1048 and CL-STA-1049.", "modified": "2026-04-30T01:01:43.658000", "created": "2026-03-31T01:48:26.657000", "tags": [ "sha256 hashes", "ipv4", "additional" ], "references": [ "https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 26, "domain": 6, "hostname": 2 }, "indicator_count": 68, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ca1c1ecf61f6cd139af621", "name": "Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government", "description": "", "modified": "2026-04-26T02:17:47.118000", "created": "2026-03-30T06:45:50.739000", "tags": [ "cl-sta-1048", "eggstremefuel", "cl-sta-1049", "coolclient", "claimloader", "gorem", "stately taurus", "backdoor", "pubload", "usbfect", "hypnosis loader", "masol", "fluffygh0st" ], "references": [ "https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/", "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/03/08_Nation-State-cyberattacks_1920x900.jpg" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "USBFect", "display_name": "USBFect", "target": null }, { "id": "PUBLOAD", "display_name": "PUBLOAD", "target": null }, { "id": "EggStremeFuel", "display_name": "EggStremeFuel", "target": null }, { "id": "Masol", "display_name": "Masol", "target": null }, { "id": "Gorem", "display_name": "Gorem", "target": null }, { "id": "TrackBak", "display_name": "TrackBak", "target": null }, { "id": "FluffyGh0st", "display_name": "FluffyGh0st", "target": null }, { "id": "Hypnosis loader", "display_name": "Hypnosis loader", "target": null }, { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ClaimLoader", "display_name": "ClaimLoader", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "69c5e4ddc46bf7f11bc53115", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 4, "FileHash-SHA1": 3, "FileHash-SHA256": 29, "domain": 6, "hostname": 2 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "34 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699cd39f1b38b1a933bf5559", "name": "Attribution in Action: Case Study of a Multi-Cluster Espionage Incident Targeting the South China Sea Region", "description": "The report details the ongoing espionage activities linked to various cyber threat actors, focusing primarily on two clusters: CL-STA-1048 and CL-STA-1049, with suspected ties to the Earth Estries threat group and others such as Unfading Sea Haze and Stately Taurus. These clusters have primarily targeted regions in the Philippines, Taiwan, and Malaysia since 2018 and maintain a high likelihood of being motivated by espionage interests.\n\nThe toolset observed within the CL-STA-1048 cluster includes notable malware like RawCookie (also known as EggStreme Fuel), EggStreme Loader, Gorem RAT (which serves as an advanced backdoor), PoshRAT, and Masol RAT. RawCookie appears to be designed for initial backdoor operations, while Gorem RAT operates as the primary and more sophisticated backdoor, utilizing gRPC and Protocol Buffers for communication. The malware demonstrates a comprehensive infection chain, employing DLL sideloading,", "modified": "2026-03-25T22:08:44.661000", "created": "2026-02-23T22:24:31.136000", "tags": [], "references": [ "https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_1_4_hiroaki_hara-doel_santos_en.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 26, "domain": 6, "hostname": 2 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "shepinspect.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "shepinspect.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780173804.72682 }