{
  "type": "Domain",
  "indicator": "shetrn2.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/shetrn2.com",
    "alexa": "http://www.alexa.com/siteinfo/shetrn2.com",
    "indicator": "shetrn2.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3637358703,
      "indicator": "shetrn2.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 16,
      "pulses": [
        {
          "id": "674de977b41339ca66388410",
          "name": "Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT",
          "description": "The Horns&Hooves campaign, active since March 2023, targets Russian businesses with malicious email attachments containing scripts that install NetSupport RAT or BurnsRAT. The campaign evolved through several versions, improving obfuscation and delivery methods. It uses decoy documents and legitimate-looking file names to trick users. The attackers, likely associated with the TA569 group, gain remote access to infected systems and potentially sell this access to other cybercriminals. The campaign has affected over a thousand users, primarily in Russia, and has been observed attempting to install additional malware like Rhadamanthys and Meduza stealers.",
          "modified": "2024-12-03T15:13:21.665000",
          "created": "2024-12-02T17:08:07.758000",
          "tags": [
            "meduza",
            "remote access",
            "burnsrat",
            "netsupport rat"
          ],
          "references": [
            "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/"
          ],
          "public": 1,
          "adversary": "Mustard Tempest",
          "targeted_countries": [
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "BurnsRAT",
              "display_name": "BurnsRAT",
              "target": null
            },
            {
              "id": "Rhadamanthys",
              "display_name": "Rhadamanthys",
              "target": null
            },
            {
              "id": "Meduza",
              "display_name": "Meduza",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [
            "Retail"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 61,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 24,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 6,
            "domain": 7
          },
          "indicator_count": 41,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386506,
          "modified_text": "543 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63fcc40dc61f21260d830fdb",
          "name": "TA569: SocGholish and Beyond",
          "description": "TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish. In the past few months researchers have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the quantity of injection varieties, as well as payloads deviating from the standard SocGholish \u201cFake Update\u201d JavaScript packages.",
          "modified": "2023-03-29T14:02:58.543000",
          "created": "2023-02-27T14:54:04.724000",
          "tags": [
            "SocGholish",
            "ta569",
            "sczriptzzbn",
            "Initial Access Brokers"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "solarmarker",
              "display_name": "solarmarker",
              "target": null
            },
            {
              "id": "IcedID",
              "display_name": "IcedID",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 422,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 18,
            "URL": 7,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 217,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386507,
          "modified_text": "1158 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f6ed2b564f00b7c5cb13f",
          "name": "Threatfox Recent Additions",
          "description": "",
          "modified": "2025-06-13T19:00:02.811000",
          "created": "2024-11-09T14:16:50.032000",
          "tags": [],
          "references": [
            "",
            "https://threatfox.abuse.ch/export/csv/recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 96,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 47587,
            "URL": 18714,
            "FileHash-SHA256": 36311,
            "FileHash-MD5": 1630,
            "FileHash-SHA1": 418,
            "hostname": 18190
          },
          "indicator_count": 122850,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "351 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "678aa23dfce9a3d3819821b0",
          "name": "NetSupport RAT c2",
          "description": "NetSupport RAT C2 Servers",
          "modified": "2025-05-28T11:48:56.371000",
          "created": "2025-01-17T18:32:29.882000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "nalbright",
            "id": "356",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_356/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 14,
            "domain": 109,
            "hostname": 10
          },
          "indicator_count": 133,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 101,
          "modified_text": "367 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c0cdc35112c5919563a334",
          "name": "Intel is bad awy",
          "description": "",
          "modified": "2025-03-29T20:01:20.482000",
          "created": "2025-02-27T20:40:35.539000",
          "tags": [
            "sign",
            "github",
            "find",
            "view",
            "search",
            "strong",
            "code issues",
            "pull",
            "breadcrumbs",
            "damn",
            "star",
            "footer",
            "sha1",
            "helldown linux",
            "iocs helldown",
            "windows payload",
            "icon",
            "darkrace",
            "donex",
            "ransom",
            "defanged file",
            "hashes",
            "ipv4",
            "sha256",
            "c2 ip",
            "address",
            "plugin",
            "brazanbamboo c2",
            "panel",
            "archive file",
            "bha006",
            "telegram bot",
            "token",
            "chat id",
            "sha256 hashes",
            "iocs",
            "intermediary",
            "landing",
            "aitm server",
            "compromise note",
            "hashes payload",
            "loader",
            "dropper",
            "ips https",
            "urls https",
            "duoyi",
            "ioc url",
            "ipv4 address",
            "c2 server",
            "sample sha256",
            "remcos",
            "decrypted",
            "urls http",
            "payload",
            "amos stealer",
            "stealc c2",
            "rhadamanthys c2",
            "phishing urls",
            "google meet",
            "amos steaker",
            "html payload",
            "stealc payload",
            "md5 hashes",
            "sha1 hashes",
            "iocs zip",
            "lnk file",
            "msi file",
            "payload url",
            "eldorado",
            "linux",
            "service dll",
            "cheat engine",
            "c2 domain",
            "compromise",
            "urls",
            "iocs files",
            "network ip",
            "domain",
            "malware hash",
            "noopldr type1",
            "noopldr type2",
            "download url",
            "email addresses",
            "block",
            "ioc http",
            "iocs hash",
            "url https",
            "ghostgambit",
            "hidden rootkit",
            "gh0strat",
            "mekotio banking",
            "financial",
            "latin america",
            "detected",
            "zipmsi",
            "downloader",
            "ip address",
            "cobalt strike",
            "first seen",
            "seen",
            "pantegana",
            "tls certificate",
            "fingerprint",
            "samples",
            "trojanspy",
            "msi",
            "subdomains",
            "reddit",
            "wetransfer",
            "ioc hash",
            "file hashes",
            "ip addresses",
            "fake captcha",
            "html",
            "hta script",
            "lumma payload",
            "filehashsha256",
            "indicator type",
            "sha256 lnk",
            "ports",
            "first stage",
            "md5 file",
            "domains",
            "reddelta c2",
            "servers",
            "octoberdecember",
            "shortcut",
            "files",
            "solo airfield",
            "quoc",
            "bctt",
            "kongtuke",
            "mintsloader c2",
            "js download",
            "c2 http",
            "boinc c2",
            "c2 address",
            "analyzed",
            "file name",
            "na stark",
            "na majestic",
            "description",
            "trojanized",
            "beavertail",
            "anydesk module",
            "domain hosting",
            "first",
            "details",
            "monitor",
            "sites",
            "fake chrome",
            "payload host",
            "c2 https",
            "examples",
            "atomic stealer",
            "c2 servers",
            "cthulhu stealer",
            "server http",
            "l files",
            "original",
            "iocs malicious",
            "mirrowsimps",
            "defanged",
            "strike loaders",
            "plugx",
            "plugx c2",
            "sspiuacbypass",
            "malware",
            "malware c2",
            "filehashmd5",
            "site",
            "orgvgodpayment",
            "quite solsjoas",
            "ioc sha256",
            "similar sha256",
            "http",
            "url hundreds",
            "url samples",
            "filehash",
            "guidloader",
            "finaldraft elf",
            "type name",
            "reference",
            "finaldraft",
            "sha256 pfman",
            "pathloader",
            "atomic https",
            "systembc",
            "ghostsocks",
            "invisibleferret",
            "vant",
            "rspackcore",
            "monero",
            "sha256 hash",
            "code snippets",
            "psexec",
            "ituneshelper",
            "pscp",
            "sftp",
            "googleupdate",
            "meshagent",
            "ultravnc",
            "file",
            "bootkitty iocs",
            "phpsert",
            "phpsert variant",
            "createdump tool",
            "visual studio",
            "code",
            "server",
            "sql injection",
            "studio code",
            "ssh access",
            "hta file",
            "vbshower c2",
            "powershower c2",
            "cloud",
            "hta md5",
            "domain name",
            "links",
            "c http",
            "horns",
            "version",
            "version b",
            "version c",
            "version d",
            "version e",
            "burnsrat c",
            "a http",
            "github users",
            "shell commands",
            "vssadmin delete",
            "userprofile",
            "public",
            "registry keys",
            "phobos",
            "lettointago",
            "carljohnson1948",
            "samuelwhite1821",
            "file hash",
            "lockbit",
            "indicatortype",
            "data",
            "mlpea",
            "w32neshtad",
            "gmer",
            "neshta",
            "opswat oesis",
            "v4 removal"
          ],
          "references": [
            "Bootkitty",
            "Glove-Stealer",
            "Fake Discount Sites Exploit Black Friday",
            "Helldown Ransomware",
            "HawkEye Malware",
            "PXA Stealer",
            "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack",
            "BrazenBamboo",
            "SpyGlace",
            "RustyStealer and New Ymir Ransomware",
            "PyPI-AIOCPA",
            "Python NodeStealer",
            "romcom-exploits-firefox-and-windows",
            "Rockstar-Phishing",
            "Silent Skimmer Gets Loud (Again)",
            "SteelFox Trojan",
            "WezRat Malware",
            "Avast-Anti-Root-KIt",
            "Winos4.0 RAT",
            "APT36",
            "WolfsBane Backdoor",
            "APT-K-47",
            "Remcos RAT",
            "babbleloader",
            "Bitter APT",
            "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing",
            "CloudScout_ Evasive Panda scouting cloud services",
            "clickfix-tactic",
            "Akira Ransomware",
            "Bumblebee Malware",
            "ELDORADO RANSOMWARE",
            "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan",
            "Demodex rootkit",
            "BugSleep Malware",
            "HotPage.exe (malware)",
            "Qilin Ransomware",
            "NOOPDOOR Malware",
            "Shadowroot Ransomware",
            "play ransomware",
            "MALLOX RANSOMWARE",
            "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users",
            "ACR Stealer",
            "Suspicious Domains Exploiting the Recent CrowdStrike Outage!",
            "Gh0stGambit",
            "MEKOTIO BANKING TROJAN",
            "TAG-100",
            "Fake game sites lead to information stealers",
            "Chrome Extensions Hijacked, 2.6 Million Users Impacted",
            "macOS Users Targeted by the New Variant of Banshee Infostealer",
            "Hundreds of fake Reddit sites push Lumma Stealer malware",
            "GamaCopy APT Group Mimicking GamaRedon",
            "InvisibleFerret Malware Leveraging Python for Targeted Attacks",
            "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer",
            "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors",
            "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution",
            "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads",
            "New Star Blizzard spear-phishing campaign targets WhatsApp accounts",
            "RansomHub Affiliate leverages Python-based backdoor",
            "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques",
            "Advanced Evasion Techniques Used by NonEuclid RAT",
            "The Return of PlugX Malware with Fresh Tricks",
            "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts",
            "Weaponized Software Targeting Chinese Organizations",
            "Threat Surge as Lumma Stealer Expands Its Reach",
            "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain",
            "MintsLoader_Stealc",
            "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks",
            "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware",
            "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques",
            "Salt Typhoon  Target U.S. Telecom Networks",
            "SecTopRAT",
            "Stealers on the Rise",
            "Snake Keylogger",
            "AsyncRAT Reloaded",
            "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation",
            "FatalRAT",
            "SystemBC RAT Poses New Risks to Linux System",
            "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations",
            "FERRET Malware Targets macOS in Sophisticated North Korean Attacks",
            "Espionage Campaign Targeting South Asian Entities",
            "Astral Stealer Strikes Again Stealing More Than Just Your Cookies",
            "The New Ransomware Menace Vgod Gains Momentum",
            "Microsoft Advertisers Phished via Malicious Google Ads",
            "LegionLoader Malware Expands Global Reach",
            "NEW.txt",
            "From Stealers to Ransomware PureCrypter Delivers It All",
            "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs",
            "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux",
            "LockBit Ransomware Attack Leveraging Cobalt Strike",
            "Rspack_Compromised_Packages",
            "SmokeLoader",
            "Sock5Systemz-PROXY-AM",
            "solana-backdoor",
            "U.S. Organization in China Targeted by Attackers",
            "UAC-0185 attacks warned by CERT-UA",
            "BellaCpp",
            "bootkitty(logofail)",
            "Visual Studio Code Remote tunnels",
            "Cloud Atlas seen using a new tool in its attacks",
            "Christmas-Themed LNK Files Used for Malware Delivery",
            "DarkGate",
            "MirrorFace Campain",
            "horns-hooves",
            "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers",
            "NetSupport RAT and BurnsRAT",
            "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery",
            "MUT-1244-GitHub",
            "Phobos ransomware",
            "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data",
            "PUMAKIT",
            "OtterCookie used by Contagious Interview",
            "Ransomware-Lockbit3-IOCs.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Mekotio Banking",
              "display_name": "Mekotio Banking",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "MSI",
              "display_name": "MSI",
              "target": null
            },
            {
              "id": "InvisibleFerret",
              "display_name": "InvisibleFerret",
              "target": null
            },
            {
              "id": "Vant",
              "display_name": "Vant",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 84,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Badderawy",
            "id": "310597",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 950,
            "FileHash-SHA1": 847,
            "FileHash-SHA256": 1060,
            "hostname": 1158,
            "domain": 867,
            "URL": 813,
            "email": 77,
            "CIDR": 2,
            "CVE": 9
          },
          "indicator_count": 5783,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 27,
          "modified_text": "427 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "674f6fd8047b5a24c9b5791f",
          "name": "Horns&Hooves Campaign Targets Users with Malware via Phishing",
          "description": "Researchers have identified a malware campaign known as Horns&Hooves, targeting private users, retailers, and service businesses primarily in Russia. The campaign has affected over 1,000 victims since its onset in March 2023. Its primary tactic involves sending emails that appear legitimate, featuring ZIP archives that contain JScript scripts. These scripts are cleverly disguised as routine business communications like customer requests or partnership bids.",
          "modified": "2025-01-06T23:11:08.362000",
          "created": "2024-12-03T20:53:44.192000",
          "tags": [
            "burnsrat",
            "javascript",
            "malware",
            "malware descriptions",
            "malware statistics",
            "malware technologies",
            "netsupport rat",
            "phishing",
            "rat trojan",
            "horns",
            "ta569",
            "hooves",
            "request",
            "appdata",
            "rdp wrapper",
            "zip archive",
            "september",
            "april",
            "openssl",
            "august",
            "malicious",
            "capture",
            "june",
            "february",
            "date",
            "meduza",
            "\u0437\u0430\u043f\u0440\u043e\u0441",
            "trojans",
            "horns&hooves",
            "rms",
            "netsupport"
          ],
          "references": [
            "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/"
          ],
          "public": 1,
          "adversary": "TA569",
          "targeted_countries": [
            "Germany",
            "Colombia",
            "Ecuador",
            "Chile",
            "Panama"
          ],
          "malware_families": [
            {
              "id": "\u0417\u0430\u043f\u0440\u043e\u0441",
              "display_name": "\u0417\u0430\u043f\u0440\u043e\u0441",
              "target": null
            },
            {
              "id": "Trojans",
              "display_name": "Trojans",
              "target": null
            },
            {
              "id": "Horns&Hooves",
              "display_name": "Horns&Hooves",
              "target": null
            },
            {
              "id": "RMS",
              "display_name": "RMS",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 24,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 18,
            "domain": 9,
            "hostname": 1
          },
          "indicator_count": 56,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 213,
          "modified_text": "509 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67514f2253fa2f77d5438f06",
          "name": "Horns&Hooves Campaign Delivers NetSupport RAT and BurnsRAT",
          "description": "",
          "modified": "2025-01-06T23:11:01.995000",
          "created": "2024-12-05T06:58:42.289000",
          "tags": [
            "http"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 24,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 14,
            "domain": 9
          },
          "indicator_count": 51,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "509 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6751b435e2401f5c2025d1cb",
          "name": "NetSupport RAT and RMS in malicious emails | Securelist",
          "description": "A Russian cyber-security firm, Kaspersky, has revealed details of a malicious email campaign that began in September 2016 and will last for at least three years to the end of the year.",
          "modified": "2025-01-06T23:11:01.995000",
          "created": "2024-12-05T14:09:57.863000",
          "tags": [
            "burnsrat",
            "javascript",
            "malware",
            "malware descriptions",
            "malware statistics",
            "malware technologies",
            "netsupport rat",
            "phishing",
            "rat trojan",
            "horns",
            "ta569",
            "hooves",
            "request",
            "appdata",
            "rdp wrapper",
            "zip archive",
            "september",
            "april",
            "openssl",
            "rhadamanthys",
            "august",
            "malicious",
            "capture",
            "june",
            "february",
            "date",
            "meduza",
            "\u0437\u0430\u043f\u0440\u043e\u0441",
            "trojans",
            "horns&hooves",
            "rms",
            "netsupport"
          ],
          "references": [
            "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/"
          ],
          "public": 1,
          "adversary": "TA569",
          "targeted_countries": [
            "Germany",
            "Colombia",
            "Ecuador",
            "Chile",
            "Panama"
          ],
          "malware_families": [
            {
              "id": "\u0417\u0430\u043f\u0440\u043e\u0441",
              "display_name": "\u0417\u0430\u043f\u0440\u043e\u0441",
              "target": null
            },
            {
              "id": "Trojans",
              "display_name": "Trojans",
              "target": null
            },
            {
              "id": "Horns&Hooves",
              "display_name": "Horns&Hooves",
              "target": null
            },
            {
              "id": "RMS",
              "display_name": "RMS",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 32,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 24,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 10,
            "URL": 18,
            "domain": 9,
            "hostname": 1
          },
          "indicator_count": 72,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "509 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6750c2e7eef066399d8e9f6f",
          "name": "TI Advisory No-ESAF-SOC-TI-427",
          "description": "New Cyberattack Uses NetSupport and BurnsRAT",
          "modified": "2024-12-04T21:00:23.321000",
          "created": "2024-12-04T21:00:23.321000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "TI Advisory No-ESAF-SOC-TI-427",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ESFBSOCTCR",
            "id": "200541",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 8,
            "domain": 9,
            "URL": 2
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 85,
          "modified_text": "542 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63fc6dfa5a75c6105e62838c",
          "name": "TA569: SocGholish and Beyond | Proofpoint US",
          "description": "Find out more about Proofpoint, the world's leading cybersecurity company, in a series of online resources and webinars, and information on how to protect your people, data and brand.",
          "modified": "2024-04-12T14:10:43.087000",
          "created": "2023-02-27T08:46:50.465000",
          "tags": [
            "netsupport",
            "socgholish",
            "bec",
            "javascript",
            "redline",
            "ta569",
            "strong",
            "proofpoint",
            "sczriptzzbn",
            "netsupport rat",
            "beyond",
            "english",
            "learn",
            "rats",
            "local",
            "solarmarker",
            "august",
            "protect",
            "small",
            "tools",
            "february",
            "service",
            "redline stealer",
            "icedid",
            "stealer",
            "unknown",
            "hades",
            "back",
            "lockbit",
            "sanctions",
            "wastedlocker",
            "demo"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond",
            "https://x.com/ajmeese7/status/1748137181988667622?s=20"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "JavaScript",
              "display_name": "JavaScript",
              "target": null
            },
            {
              "id": "BEC",
              "display_name": "BEC",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 160,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 18,
            "URL": 7,
            "domain": 25
          },
          "indicator_count": 224,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 866,
          "modified_text": "778 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "641dca4956bddac52c6b9fe8",
          "name": "Phishing Lures Used To Drop Malware",
          "description": "An attack campaign used various injections and traffic distribution systems (TDS) to drop commodity malware including RedLine Stealer, SocGholish, NetSupport, and SolarMarker. Compromised websites and phishing emails with malicious links were used as the initial infection vectors. Various themes were used to convince users to visit the sites including fake browser, security software, and DDoS protection updates and unsolvable captcha puzzles. The Trellix Threat Intelligence Group (TIG) gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports.",
          "modified": "2023-04-23T16:04:24.392000",
          "created": "2023-03-24T16:05:29.119000",
          "tags": [
            "https",
            "netsupport",
            "socgholish",
            "bec",
            "javascript",
            "redline",
            "ta569",
            "strong",
            "proofpoint",
            "sczriptzzbn",
            "netsupport rat",
            "beyond",
            "english",
            "learn",
            "rats",
            "local",
            "solarmarker",
            "august",
            "protect",
            "small",
            "tools",
            "february",
            "service",
            "redline stealer",
            "icedid",
            "stealer",
            "unknown",
            "hades",
            "back",
            "lockbit",
            "sanctions",
            "wastedlocker",
            "demo"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "JavaScript",
              "display_name": "JavaScript",
              "target": null
            },
            {
              "id": "BEC",
              "display_name": "BEC",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BITSecurity",
            "id": "103352",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 31,
            "FileHash-SHA1": 30,
            "FileHash-SHA256": 31,
            "URL": 11,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 281,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 247,
          "modified_text": "1133 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63fd5dd8d01c11570ad7e6de",
          "name": "TA569 Inject Websites To Distribute SocGholish Malware",
          "description": "",
          "modified": "2023-03-30T01:02:06.013000",
          "created": "2023-02-28T01:50:15.145000",
          "tags": [],
          "references": [
            "February 28th, 2023 - CryptoGen Cyber Threat Intelligence -  TA569 Inject Websites To Distribute SocGholish Malware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 31,
            "URL": 7,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 236,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "1158 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63fd5ddb6ea002849d3fcee6",
          "name": "TA569 Inject Websites To Distribute SocGholish Malware",
          "description": "",
          "modified": "2023-03-30T01:02:06.013000",
          "created": "2023-02-28T01:50:19.405000",
          "tags": [],
          "references": [
            "February 28th, 2023 - CryptoGen Cyber Threat Intelligence -  TA569 Inject Websites To Distribute SocGholish Malware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 31,
            "URL": 7,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 236,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 503,
          "modified_text": "1158 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63fda20a5957603e94f0ffb6",
          "name": "TA569: SocGholish and Beyond",
          "description": "",
          "modified": "2023-03-29T14:02:58.543000",
          "created": "2023-02-28T06:41:14.761000",
          "tags": [
            "SocGholish",
            "ta569",
            "sczriptzzbn",
            "Initial Access Brokers"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "solarmarker",
              "display_name": "solarmarker",
              "target": null
            },
            {
              "id": "IcedID",
              "display_name": "IcedID",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63fcc40dc61f21260d830fdb",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 18,
            "URL": 7,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 217,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 189,
          "modified_text": "1158 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63fe472ce41e914efa085a72",
          "name": "TA569: SocGholish and Beyond",
          "description": "TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish. In the past few months Proofpoint researchers have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the quantity of injection varieties, as well as payloads deviating from the standard SocGholish \u201cFake Update\u201d JavaScript packages. Such changes, and the frequency of said changes, are likely in response to two things: efficacy data collected during the attack chain and profitability.",
          "modified": "2023-03-29T14:02:58.543000",
          "created": "2023-02-28T18:25:48.809000",
          "tags": [
            "SocGholish",
            "ta569",
            "sczriptzzbn",
            "Initial Access Brokers"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
          ],
          "public": 1,
          "adversary": "TA569",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "solarmarker",
              "display_name": "solarmarker",
              "target": null
            },
            {
              "id": "IcedID",
              "display_name": "IcedID",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63fcc40dc61f21260d830fdb",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "feisty-swim1410",
            "id": "217462",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 18,
            "URL": 7,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 217,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "1158 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64058f7276747541caf87ea1",
          "name": "TA569: SocGholish and Beyond",
          "description": "",
          "modified": "2023-03-29T14:02:58.543000",
          "created": "2023-03-06T07:00:02.955000",
          "tags": [
            "SocGholish",
            "ta569",
            "sczriptzzbn",
            "Initial Access Brokers"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "solarmarker",
              "display_name": "solarmarker",
              "target": null
            },
            {
              "id": "IcedID",
              "display_name": "IcedID",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63fda20a5957603e94f0ffb6",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 18,
            "URL": 7,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 217,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "1158 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "Gh0stGambit",
        "Winos4.0 RAT",
        "Advanced Evasion Techniques Used by NonEuclid RAT",
        "PyPI-AIOCPA",
        "PUMAKIT",
        "Microsoft Advertisers Phished via Malicious Google Ads",
        "Shadowroot Ransomware",
        "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations",
        "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond",
        "MirrorFace Campaign",
        "The New Ransomware Menace Vgod Gains Momentum",
        "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery",
        "OtterCookie used by Contagious Interview",
        "Python NodeStealer",
        "Phobos ransomware",
        "DarkGate",
        "Snake Keylogger",
        "Avast-Anti-Root-KIt",
        "play ransomware",
        "Stealers on the Rise",
        "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing",
        "https://threatfox.abuse.ch/export/csv/recent/",
        "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques",
        "Fake game sites lead to information stealers",
        "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack",
        "SteelFox Trojan",
        "BrazenBamboo",
        "Cloud Atlas seen using a new tool in its attacks",
        "MUT-1244-GitHub",
        "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs",
        "Threat Surge as Lumma Stealer Expands Its Reach",
        "February 28th, 2023 - CryptoGen Cyber Threat Intelligence -  TA569 Inject Websites To Distribute SocGholish Malware.pdf",
        "Bumblebee Malware",
        "Glove-Stealer",
        "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks",
        "LegionLoader Malware Expands Global Reach",
        "Helldown Ransomware",
        "NetSupport RAT and BurnsRAT",
        "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution",
        "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer",
        "Demodex rootkit",
        "clickfix-tactic",
        "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers",
        "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux",
        "horns-hooves",
        "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware",
        "MALLOX RANSOMWARE",
        "UAC-0185 attacks warned by CERT-UA",
        "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts",
        "PXA Stealer",
        "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/",
        "Visual Studio Code Remote tunnels",
        "HotPage.exe (malware)",
        "Suspicious Domains Exploiting the Recent CrowdStrike Outage!",
        "Ransomware-Lockbit3-IOCs.csv",
        "GamaCopy APT Group Mimicking GamaRedon",
        "SecTopRAT",
        "ACR Stealer",
        "New Star Blizzard spear-phishing campaign targets WhatsApp accounts",
        "Weaponized Software Targeting Chinese Organizations",
        "Rspack_Compromised_Packages",
        "BugSleep Malware",
        "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation",
        "Chrome Extensions Hijacked, 2.6 Million Users Impacted",
        "Espionage Campaign Targeting South Asian Entities",
        "LockBit Ransomware Attack Leveraging Cobalt Strike",
        "Bitter APT",
        "SpyGlace",
        "Remcos RAT",
        "Salt Typhoon Targets U.S. Telecom Networks",
        "NEW.txt",
        "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques",
        "APT36",
        "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads",
        "AsyncRAT Reloaded",
        "https://x.com/ajmeese7/status/1748137181988667622?s=20",
        "romcom-exploits-firefox-and-windows",
        "MEKOTIO BANKING TROJAN",
        "WezRat Malware",
        "SmokeLoader",
        "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users",
        "RansomHub Affiliate leverages Python-based backdoor",
        "CloudScout_ Evasive Panda scouting cloud services",
        "The Return of PlugX Malware with Fresh Tricks",
        "From Stealers to Ransomware PureCrypter Delivers It All",
        "Bootkitty",
        "U.S. Organization in China Targeted by Attackers",
        "Rockstar-Phishing",
        "babbleloader",
        "TAG-100",
        "Sock5Systemz-PROXY-AM",
        "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data",
        "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors",
        "FatalRAT",
        "Astral Stealer Strikes Again Stealing More Than Just Your Cookies",
        "FERRET Malware Targets macOS in Sophisticated North Korean Attacks",
        "Silent Skimmer Gets Loud (Again)",
        "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain",
        "Hundreds of fake Reddit sites push Lumma Stealer malware",
        "MintsLoader_Stealc",
        "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan",
        "solana-backdoor",
        "HawkEye Malware",
        "Akira Ransomware",
        "macOS Users Targeted by the New Variant of Banshee Infostealer",
        "ELDORADO RANSOMWARE",
        "Fake Discount Sites Exploit Black Friday",
        "WolfsBane Backdoor",
        "SystemBC RAT Poses New Risks to Linux System",
        "RustyStealer and New Ymir Ransomware",
        "NOOPDOOR Malware",
        "BellaCpp",
        "bootkitty(logofail)",
        "APT-K-47",
        "Christmas-Themed LNK Files Used for Malware Delivery",
        "Qilin Ransomware",
        "InvisibleFerret Malware Leveraging Python for Targeted Attacks"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Mustard Tempest"
          ],
          "malware_families": [
            "Netsupport rat",
            "Socgholish",
            "Icedid",
            "Rhadamanthys",
            "Burnsrat",
            "Redline",
            "Meduza",
            "Solarmarker"
          ],
          "industries": [
            "Retail"
          ]
        },
        "other": {
          "adversary": [
            "TA569",
            "TI Advisory No-ESAF-SOC-TI-427"
          ],
          "malware_families": [
            "Bec",
            "Invisibleferret",
            "Netsupport rat",
            "Trojanspy",
            "Socgholish",
            "\u0417\u0430\u043f\u0440\u043e\u0441",
            "Icedid",
            "Javascript",
            "Vant",
            "Rms",
            "Msi",
            "Trojans",
            "Redline",
            "Mekotio banking",
            "Netsupport",
            "Solarmarker",
            "Horns&hooves"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 16,
  "pulses": [
    {
      "id": "674de977b41339ca66388410",
      "name": "Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT",
      "description": "The Horns&Hooves campaign, active since March 2023, targets Russian businesses with malicious email attachments containing scripts that install NetSupport RAT or BurnsRAT. The campaign evolved through several versions, improving obfuscation and delivery methods. It uses decoy documents and legitimate-looking file names to trick users. The attackers, likely associated with the TA569 group, gain remote access to infected systems and potentially sell this access to other cybercriminals. The campaign has affected over a thousand users, primarily in Russia, and has been observed attempting to install additional malware like Rhadamanthys and Meduza stealers.",
      "modified": "2024-12-03T15:13:21.665000",
      "created": "2024-12-02T17:08:07.758000",
      "tags": [
        "meduza",
        "remote access",
        "burnsrat",
        "netsupport rat"
      ],
      "references": [
        "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/"
      ],
      "public": 1,
      "adversary": "Mustard Tempest",
      "targeted_countries": [
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        },
        {
          "id": "BurnsRAT",
          "display_name": "BurnsRAT",
          "target": null
        },
        {
          "id": "Rhadamanthys",
          "display_name": "Rhadamanthys",
          "target": null
        },
        {
          "id": "Meduza",
          "display_name": "Meduza",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [
        "Retail"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 61,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 24,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 6,
        "domain": 7
      },
      "indicator_count": 41,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386506,
      "modified_text": "543 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63fcc40dc61f21260d830fdb",
      "name": "TA569: SocGholish and Beyond",
      "description": "TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish. In the past few months researchers have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the quantity of injection varieties, as well as payloads deviating from the standard SocGholish \u201cFake Update\u201d JavaScript packages.",
      "modified": "2023-03-29T14:02:58.543000",
      "created": "2023-02-27T14:54:04.724000",
      "tags": [
        "SocGholish",
        "ta569",
        "sczriptzzbn",
        "Initial Access Brokers"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        },
        {
          "id": "solarmarker",
          "display_name": "solarmarker",
          "target": null
        },
        {
          "id": "IcedID",
          "display_name": "IcedID",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 422,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 18,
        "URL": 7,
        "domain": 19,
        "hostname": 159
      },
      "indicator_count": 217,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386507,
      "modified_text": "1158 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f6ed2b564f00b7c5cb13f",
      "name": "Threatfox Recent Additions",
      "description": "",
      "modified": "2025-06-13T19:00:02.811000",
      "created": "2024-11-09T14:16:50.032000",
      "tags": [],
      "references": [
        "",
        "https://threatfox.abuse.ch/export/csv/recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 96,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 47587,
        "URL": 18714,
        "FileHash-SHA256": 36311,
        "FileHash-MD5": 1630,
        "FileHash-SHA1": 418,
        "hostname": 18190
      },
      "indicator_count": 122850,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "351 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "678aa23dfce9a3d3819821b0",
      "name": "NetSupport RAT c2",
      "description": "NetSupport RAT C2 Servers",
      "modified": "2025-05-28T11:48:56.371000",
      "created": "2025-01-17T18:32:29.882000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "nalbright",
        "id": "356",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_356/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 14,
        "domain": 109,
        "hostname": 10
      },
      "indicator_count": 133,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 101,
      "modified_text": "367 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67c0cdc35112c5919563a334",
      "name": "Intel is bad awy",
      "description": "",
      "modified": "2025-03-29T20:01:20.482000",
      "created": "2025-02-27T20:40:35.539000",
      "tags": [
        "sign",
        "github",
        "find",
        "view",
        "search",
        "strong",
        "code issues",
        "pull",
        "breadcrumbs",
        "damn",
        "star",
        "footer",
        "sha1",
        "helldown linux",
        "iocs helldown",
        "windows payload",
        "icon",
        "darkrace",
        "donex",
        "ransom",
        "defanged file",
        "hashes",
        "ipv4",
        "sha256",
        "c2 ip",
        "address",
        "plugin",
        "brazanbamboo c2",
        "panel",
        "archive file",
        "bha006",
        "telegram bot",
        "token",
        "chat id",
        "sha256 hashes",
        "iocs",
        "intermediary",
        "landing",
        "aitm server",
        "compromise note",
        "hashes payload",
        "loader",
        "dropper",
        "ips https",
        "urls https",
        "duoyi",
        "ioc url",
        "ipv4 address",
        "c2 server",
        "sample sha256",
        "remcos",
        "decrypted",
        "urls http",
        "payload",
        "amos stealer",
        "stealc c2",
        "rhadamanthys c2",
        "phishing urls",
        "google meet",
        "amos steaker",
        "html payload",
        "stealc payload",
        "md5 hashes",
        "sha1 hashes",
        "iocs zip",
        "lnk file",
        "msi file",
        "payload url",
        "eldorado",
        "linux",
        "service dll",
        "cheat engine",
        "c2 domain",
        "compromise",
        "urls",
        "iocs files",
        "network ip",
        "domain",
        "malware hash",
        "noopldr type1",
        "noopldr type2",
        "download url",
        "email addresses",
        "block",
        "ioc http",
        "iocs hash",
        "url https",
        "ghostgambit",
        "hidden rootkit",
        "gh0strat",
        "mekotio banking",
        "financial",
        "latin america",
        "detected",
        "zipmsi",
        "downloader",
        "ip address",
        "cobalt strike",
        "first seen",
        "seen",
        "pantegana",
        "tls certificate",
        "fingerprint",
        "samples",
        "trojanspy",
        "msi",
        "subdomains",
        "reddit",
        "wetransfer",
        "ioc hash",
        "file hashes",
        "ip addresses",
        "fake captcha",
        "html",
        "hta script",
        "lumma payload",
        "filehashsha256",
        "indicator type",
        "sha256 lnk",
        "ports",
        "first stage",
        "md5 file",
        "domains",
        "reddelta c2",
        "servers",
        "octoberdecember",
        "shortcut",
        "files",
        "solo airfield",
        "quoc",
        "bctt",
        "kongtuke",
        "mintsloader c2",
        "js download",
        "c2 http",
        "boinc c2",
        "c2 address",
        "analyzed",
        "file name",
        "na stark",
        "na majestic",
        "description",
        "trojanized",
        "beavertail",
        "anydesk module",
        "domain hosting",
        "first",
        "details",
        "monitor",
        "sites",
        "fake chrome",
        "payload host",
        "c2 https",
        "examples",
        "atomic stealer",
        "c2 servers",
        "cthulhu stealer",
        "server http",
        "l files",
        "original",
        "iocs malicious",
        "mirrowsimps",
        "defanged",
        "strike loaders",
        "plugx",
        "plugx c2",
        "sspiuacbypass",
        "malware",
        "malware c2",
        "filehashmd5",
        "site",
        "orgvgodpayment",
        "quite solsjoas",
        "ioc sha256",
        "similar sha256",
        "http",
        "url hundreds",
        "url samples",
        "filehash",
        "guidloader",
        "finaldraft elf",
        "type name",
        "reference",
        "finaldraft",
        "sha256 pfman",
        "pathloader",
        "atomic https",
        "systembc",
        "ghostsocks",
        "invisibleferret",
        "vant",
        "rspackcore",
        "monero",
        "sha256 hash",
        "code snippets",
        "psexec",
        "ituneshelper",
        "pscp",
        "sftp",
        "googleupdate",
        "meshagent",
        "ultravnc",
        "file",
        "bootkitty iocs",
        "phpsert",
        "phpsert variant",
        "createdump tool",
        "visual studio",
        "code",
        "server",
        "sql injection",
        "studio code",
        "ssh access",
        "hta file",
        "vbshower c2",
        "powershower c2",
        "cloud",
        "hta md5",
        "domain name",
        "links",
        "c http",
        "horns",
        "version",
        "version b",
        "version c",
        "version d",
        "version e",
        "burnsrat c",
        "a http",
        "github users",
        "shell commands",
        "vssadmin delete",
        "userprofile",
        "public",
        "registry keys",
        "phobos",
        "lettointago",
        "carljohnson1948",
        "samuelwhite1821",
        "file hash",
        "lockbit",
        "indicatortype",
        "data",
        "mlpea",
        "w32neshtad",
        "gmer",
        "neshta",
        "opswat oesis",
        "v4 removal"
      ],
      "references": [
        "Bootkitty",
        "Glove-Stealer",
        "Fake Discount Sites Exploit Black Friday",
        "Helldown Ransomware",
        "HawkEye Malware",
        "PXA Stealer",
        "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack",
        "BrazenBamboo",
        "SpyGlace",
        "RustyStealer and New Ymir Ransomware",
        "PyPI-AIOCPA",
        "Python NodeStealer",
        "romcom-exploits-firefox-and-windows",
        "Rockstar-Phishing",
        "Silent Skimmer Gets Loud (Again)",
        "SteelFox Trojan",
        "WezRat Malware",
        "Avast-Anti-Root-KIt",
        "Winos4.0 RAT",
        "APT36",
        "WolfsBane Backdoor",
        "APT-K-47",
        "Remcos RAT",
        "babbleloader",
        "Bitter APT",
        "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing",
        "CloudScout_ Evasive Panda scouting cloud services",
        "clickfix-tactic",
        "Akira Ransomware",
        "Bumblebee Malware",
        "ELDORADO RANSOMWARE",
        "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan",
        "Demodex rootkit",
        "BugSleep Malware",
        "HotPage.exe (malware)",
        "Qilin Ransomware",
        "NOOPDOOR Malware",
        "Shadowroot Ransomware",
        "play ransomware",
        "MALLOX RANSOMWARE",
        "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users",
        "ACR Stealer",
        "Suspicious Domains Exploiting the Recent CrowdStrike Outage!",
        "Gh0stGambit",
        "MEKOTIO BANKING TROJAN",
        "TAG-100",
        "Fake game sites lead to information stealers",
        "Chrome Extensions Hijacked, 2.6 Million Users Impacted",
        "macOS Users Targeted by the New Variant of Banshee Infostealer",
        "Hundreds of fake Reddit sites push Lumma Stealer malware",
        "GamaCopy APT Group Mimicking GamaRedon",
        "InvisibleFerret Malware Leveraging Python for Targeted Attacks",
        "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer",
        "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors",
        "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution",
        "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads",
        "New Star Blizzard spear-phishing campaign targets WhatsApp accounts",
        "RansomHub Affiliate leverages Python-based backdoor",
        "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques",
        "Advanced Evasion Techniques Used by NonEuclid RAT",
        "The Return of PlugX Malware with Fresh Tricks",
        "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts",
        "Weaponized Software Targeting Chinese Organizations",
        "Threat Surge as Lumma Stealer Expands Its Reach",
        "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain",
        "MintsLoader_Stealc",
        "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks",
        "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware",
        "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques",
        "Salt Typhoon  Target U.S. Telecom Networks",
        "SecTopRAT",
        "Stealers on the Rise",
        "Snake Keylogger",
        "AsyncRAT Reloaded",
        "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation",
        "FatalRAT",
        "SystemBC RAT Poses New Risks to Linux System",
        "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations",
        "FERRET Malware Targets macOS in Sophisticated North Korean Attacks",
        "Espionage Campaign Targeting South Asian Entities",
        "Astral Stealer Strikes Again Stealing More Than Just Your Cookies",
        "The New Ransomware Menace Vgod Gains Momentum",
        "Microsoft Advertisers Phished via Malicious Google Ads",
        "LegionLoader Malware Expands Global Reach",
        "NEW.txt",
        "From Stealers to Ransomware PureCrypter Delivers It All",
        "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs",
        "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux",
        "LockBit Ransomware Attack Leveraging Cobalt Strike",
        "Rspack_Compromised_Packages",
        "SmokeLoader",
        "Sock5Systemz-PROXY-AM",
        "solana-backdoor",
        "U.S. Organization in China Targeted by Attackers",
        "UAC-0185 attacks warned by CERT-UA",
        "BellaCpp",
        "bootkitty(logofail)",
        "Visual Studio Code Remote tunnels",
        "Cloud Atlas seen using a new tool in its attacks",
        "Christmas-Themed LNK Files Used for Malware Delivery",
        "DarkGate",
        "MirrorFace Campain",
        "horns-hooves",
        "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers",
        "NetSupport RAT and BurnsRAT",
        "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery",
        "MUT-1244-GitHub",
        "Phobos ransomware",
        "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data",
        "PUMAKIT",
        "OtterCookie used by Contagious Interview",
        "Ransomware-Lockbit3-IOCs.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Mekotio Banking",
          "display_name": "Mekotio Banking",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "MSI",
          "display_name": "MSI",
          "target": null
        },
        {
          "id": "InvisibleFerret",
          "display_name": "InvisibleFerret",
          "target": null
        },
        {
          "id": "Vant",
          "display_name": "Vant",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 84,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Badderawy",
        "id": "310597",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 950,
        "FileHash-SHA1": 847,
        "FileHash-SHA256": 1060,
        "hostname": 1158,
        "domain": 867,
        "URL": 813,
        "email": 77,
        "CIDR": 2,
        "CVE": 9
      },
      "indicator_count": 5783,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 27,
      "modified_text": "427 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "674f6fd8047b5a24c9b5791f",
      "name": "Horns&Hooves Campaign Targets Users with Malware via Phishing",
      "description": "Researchers have identified a malware campaign known as Horns&Hooves, targeting private users, retailers, and service businesses primarily in Russia. The campaign has affected over 1,000 victims since its onset in March 2023. Its primary tactic involves sending emails that appear legitimate, featuring ZIP archives that contain JScript scripts. These scripts are cleverly disguised as routine business communications like customer requests or partnership bids.",
      "modified": "2025-01-06T23:11:08.362000",
      "created": "2024-12-03T20:53:44.192000",
      "tags": [
        "burnsrat",
        "javascript",
        "malware",
        "malware descriptions",
        "malware statistics",
        "malware technologies",
        "netsupport rat",
        "phishing",
        "rat trojan",
        "horns",
        "ta569",
        "hooves",
        "request",
        "appdata",
        "rdp wrapper",
        "zip archive",
        "september",
        "april",
        "openssl",
        "august",
        "malicious",
        "capture",
        "june",
        "february",
        "date",
        "meduza",
        "\u0437\u0430\u043f\u0440\u043e\u0441",
        "trojans",
        "horns&hooves",
        "rms",
        "netsupport"
      ],
      "references": [
        "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/"
      ],
      "public": 1,
      "adversary": "TA569",
      "targeted_countries": [
        "Germany",
        "Colombia",
        "Ecuador",
        "Chile",
        "Panama"
      ],
      "malware_families": [
        {
          "id": "\u0417\u0430\u043f\u0440\u043e\u0441",
          "display_name": "\u0417\u0430\u043f\u0440\u043e\u0441",
          "target": null
        },
        {
          "id": "Trojans",
          "display_name": "Trojans",
          "target": null
        },
        {
          "id": "Horns&Hooves",
          "display_name": "Horns&Hooves",
          "target": null
        },
        {
          "id": "RMS",
          "display_name": "RMS",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 24,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 18,
        "domain": 9,
        "hostname": 1
      },
      "indicator_count": 56,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 213,
      "modified_text": "509 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67514f2253fa2f77d5438f06",
      "name": "Horns&Hooves Campaign Delivers NetSupport RAT and BurnsRAT",
      "description": "",
      "modified": "2025-01-06T23:11:01.995000",
      "created": "2024-12-05T06:58:42.289000",
      "tags": [
        "http"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 24,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 14,
        "domain": 9
      },
      "indicator_count": 51,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "509 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6751b435e2401f5c2025d1cb",
      "name": "NetSupport RAT and RMS in malicious emails | Securelist",
      "description": "A Russian cyber-security firm, Kaspersky, has revealed details of a malicious email campaign that began in September 2016 and will last for at least three years to the end of the year.",
      "modified": "2025-01-06T23:11:01.995000",
      "created": "2024-12-05T14:09:57.863000",
      "tags": [
        "burnsrat",
        "javascript",
        "malware",
        "malware descriptions",
        "malware statistics",
        "malware technologies",
        "netsupport rat",
        "phishing",
        "rat trojan",
        "horns",
        "ta569",
        "hooves",
        "request",
        "appdata",
        "rdp wrapper",
        "zip archive",
        "september",
        "april",
        "openssl",
        "rhadamanthys",
        "august",
        "malicious",
        "capture",
        "june",
        "february",
        "date",
        "meduza",
        "\u0437\u0430\u043f\u0440\u043e\u0441",
        "trojans",
        "horns&hooves",
        "rms",
        "netsupport"
      ],
      "references": [
        "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/"
      ],
      "public": 1,
      "adversary": "TA569",
      "targeted_countries": [
        "Germany",
        "Colombia",
        "Ecuador",
        "Chile",
        "Panama"
      ],
      "malware_families": [
        {
          "id": "\u0417\u0430\u043f\u0440\u043e\u0441",
          "display_name": "\u0417\u0430\u043f\u0440\u043e\u0441",
          "target": null
        },
        {
          "id": "Trojans",
          "display_name": "Trojans",
          "target": null
        },
        {
          "id": "Horns&Hooves",
          "display_name": "Horns&Hooves",
          "target": null
        },
        {
          "id": "RMS",
          "display_name": "RMS",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 32,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 24,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 10,
        "URL": 18,
        "domain": 9,
        "hostname": 1
      },
      "indicator_count": 72,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "509 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6750c2e7eef066399d8e9f6f",
      "name": "TI Advisory No-ESAF-SOC-TI-427",
      "description": "New Cyberattack Uses NetSupport and BurnsRAT",
      "modified": "2024-12-04T21:00:23.321000",
      "created": "2024-12-04T21:00:23.321000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "TI Advisory No-ESAF-SOC-TI-427",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ESFBSOCTCR",
        "id": "200541",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 8,
        "domain": 9,
        "URL": 2
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 85,
      "modified_text": "542 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63fc6dfa5a75c6105e62838c",
      "name": "TA569: SocGholish and Beyond | Proofpoint US",
      "description": "Find out more about Proofpoint, the world's leading cybersecurity company, in a series of online resources and webinars, and find information on how to protect your people, data and brand.",
      "modified": "2024-04-12T14:10:43.087000",
      "created": "2023-02-27T08:46:50.465000",
      "tags": [
        "netsupport",
        "socgholish",
        "bec",
        "javascript",
        "redline",
        "ta569",
        "strong",
        "proofpoint",
        "sczriptzzbn",
        "netsupport rat",
        "beyond",
        "english",
        "learn",
        "rats",
        "local",
        "solarmarker",
        "august",
        "protect",
        "small",
        "tools",
        "february",
        "service",
        "redline stealer",
        "icedid",
        "stealer",
        "unknown",
        "hades",
        "back",
        "lockbit",
        "sanctions",
        "wastedlocker",
        "demo"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond",
        "https://x.com/ajmeese7/status/1748137181988667622?s=20"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "JavaScript",
          "display_name": "JavaScript",
          "target": null
        },
        {
          "id": "BEC",
          "display_name": "BEC",
          "target": null
        },
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 36,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 160,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 18,
        "URL": 7,
        "domain": 25
      },
      "indicator_count": 224,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 866,
      "modified_text": "778 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "shetrn2.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "shetrn2.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780221899.0613024
}