{ "type": "Domain", "indicator": "simos.online", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/simos.online", "alexa": "http://www.alexa.com/siteinfo/simos.online", "indicator": "simos.online", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3930360265, "indicator": "simos.online", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "66b60042a62e4a29587e0e28", "name": "APT Group Kimsuky Targets University Researchers", "description": "A report detailing an ongoing cyberattack campaign by the North Korean APT group Kimsuky, which is targeting university staff, researchers, and professors to conduct espionage and gather intelligence for the North Korean government. The group employs phishing tactics, compromised infrastructure, and customized phishing tools to steal login credentials and gain access to university networks, enabling them to pilfer research and sensitive data.", "modified": "2024-08-09T11:42:42.594000", "created": "2024-08-09T11:40:50.551000", "tags": [ "apt", "universities", "espionage", "phishing", "north korea" ], "references": [ "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 194, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 9, "email": 13, "hostname": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 386583, "modified_text": "660 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659082b0344ff3780c768636", "name": "APT43", "description": "AKA Kimsuky, Black Banshee, Emerald Sleet, G0086, Operation Stolen Pencil, Thallium, Velvet Chollima.\n\nIOCs gathered from social media, other analysts, and individual research.", "modified": "2024-11-27T13:03:27.333000", "created": "2023-12-30T20:50:56.554000", "tags": [ "APT43", "G0086", "Thallium" ], "references": [ "https://www.virustotal.com/gui/collection/fa039f49cb8d8b0962fc75e9f4e2ae1462000b317be9cc57874f992c4cd30683", "https://malpedia.caad.fkie.fraunhofer.de/actor/kimsuky", "https://socradar.io/apt-profile-kimsuky/", "https://attack.mitre.org/groups/G0094/", "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Republic of", "United States of America", "Russian Federation" ], "malware_families": [ { "id": "AppleSeed - S0622", "display_name": "AppleSeed - S0622", "target": null }, { "id": "BabyShark - S0414", "display_name": "BabyShark - S0414", "target": null }, { "id": "Brave Prince - S0252", "display_name": "Brave Prince - S0252", "target": null }, { "id": "CSPY Downloader - S0527", "display_name": "CSPY Downloader - S0527", "target": null }, { "id": "Gold Dragon - S0249", "display_name": "Gold Dragon - S0249", "target": null }, { "id": "KGH_SPY - S0526", "display_name": "KGH_SPY - S0526", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "NOKKI - S0353", "display_name": "NOKKI - S0353", "target": null }, { "id": "PsExec - S0029", "display_name": "PsExec - S0029", "target": null }, { "id": "schtasks - S0111", "display_name": "schtasks - S0111", "target": null } ], "attack_ids": [ { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1560.003", "name": "Archive via Custom Method", "display_name": "T1560.003 - Archive via Custom Method" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1586.002", "name": "Email Accounts", "display_name": "T1586.002 - Email Accounts" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1136.001", "name": "Local Account", "display_name": "T1136.001 - Local Account" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1114.003", "name": "Email Forwarding Rule", "display_name": "T1114.003 - Email Forwarding Rule" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1585.002", "name": "Email Accounts", "display_name": "T1585.002 - Email Accounts" }, { "id": "T1546.001", "name": "Change Default File Association", "display_name": "T1546.001 - Change Default File Association" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1589.003", "name": "Employee Names", "display_name": "T1589.003 - Employee Names" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1564.002", "name": "Hidden Users", "display_name": "T1564.002 - Hidden Users" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1588.005", "name": "Exploits", "display_name": "T1588.005 - Exploits" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1550.002", "name": "Pass the Hash", "display_name": "T1550.002 - Pass the Hash" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1078.003", "name": "Local Accounts", "display_name": "T1078.003 - Local Accounts" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ajmeese7", "id": "218349", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_218349/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 108, "FileHash-SHA1": 110, "FileHash-SHA256": 131, "domain": 549, "hostname": 154 }, "indicator_count": 1150, "is_author": false, "is_subscribing": null, "subscriber_count": 61, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b6092e8342d551d3d8d966", "name": "APT Group Kimsuky Targets University Researchers - Resilience", "description": "A new report from Resilience suggests that North Korean cyber-espionage group Kimsuky is targeting researchers at universities in South Korea and the United States in order to steal intelligence and research.", "modified": "2024-09-08T12:03:02.703000", "created": "2024-08-09T12:18:54.095000", "tags": [ "kimsuky", "gmail", "screenshot", "daum", "naver", "asan institute", "dinosaur", "bottom", "html", "sendmail", "green", "shell", "fail", "august", "researchers", "green dinosaur", "iocs", "sign", "samples", "github copilot", "search", "strong", "code pull", "breadcrumbs", "directory", "write", "star", "footer", "path", "script", "link", "button", "span", "template", "github", "form", "meta", "code", "reload", "enterprise", "close", "ransomware", "body", "find", "main", "contact" ], "references": [ "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/", "https://github.com/arceo-labs/iocs/tree/main/APT/Kimsuky", "https://github.com/arceo-labs/iocs/blob/main/APT/Kimsuky/domains.txt" ], "public": 1, "adversary": "Researchers", "targeted_countries": [ "Korea, Republic of", "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Green Dinosaur", "display_name": "Green Dinosaur", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluenumberone", "id": "246058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 15, "email": 1, "hostname": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 12 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "630 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d6c72469894083a1469201", "name": "APT Group Kimsuky Targets University Researchers - Resilience", "description": "", "modified": "2024-09-03T08:21:56.322000", "created": "2024-09-03T08:21:56.322000", "tags": [ "kimsuky", "gmail", "screenshot", "daum", "naver", "asan institute", "dinosaur", "bottom", "html", "sendmail", "green", "shell", "fail", "august", "researchers", "green dinosaur" ], "references": [ "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/" ], "public": 1, "adversary": "Researchers", "targeted_countries": [ "Korea, Republic of", "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Green Dinosaur", "display_name": "Green Dinosaur", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "66b98d992cc46b50877b0038", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 9, "email": 1, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "635 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b98d992cc46b50877b0038", "name": "APT Group Kimsuky Targets University Researchers - Resilience", "description": "", "modified": "2024-08-12T04:20:41.444000", "created": "2024-08-12T04:20:41.444000", "tags": [ "kimsuky", "gmail", "screenshot", "daum", "naver", "asan institute", "dinosaur", "bottom", "html", "sendmail", "green", "shell", "fail", "august", "researchers", "green dinosaur" ], "references": [ "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/" ], "public": 1, "adversary": "Researchers", "targeted_countries": [ "Korea, Republic of", "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Green Dinosaur", "display_name": "Green Dinosaur", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "66b61cb15e91ae3af609205c", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 9, "email": 1, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "657 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b87de0e68b93a190f533aa", "name": "University Researchers Targeted by APT Group Kimsuky", "description": "A report detailing an ongoing cyberattack campaign by the North Korean APT group Kimsuky, which is targeting university staff, researchers, and professors to conduct espionage and gather intelligence for the North Korean government. The group employs phishing tactics, compromised infrastructure, and customized phishing tools to steal login credentials and gain access to university networks, enabling them to pilfer research and sensitive data.", "modified": "2024-08-11T09:01:20.161000", "created": "2024-08-11T09:01:20.161000", "tags": [ "north korea", "phishing", "espionage", "universities", "apt" ], "references": [ "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers", "Pulse cloned from @Alienvault" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 9, "email": 1, "hostname": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "658 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b61cb15e91ae3af609205c", "name": "APT Group Kimsuky Targets University Researchers - Resilience", "description": "", "modified": "2024-08-09T13:42:09.887000", "created": "2024-08-09T13:42:09.887000", "tags": [ "kimsuky", "gmail", "screenshot", "daum", "naver", "asan institute", "dinosaur", "bottom", "html", "sendmail", "green", "shell", "fail", "august", "researchers", "green dinosaur" ], "references": [ "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/" ], "public": 1, "adversary": "Researchers", "targeted_countries": [ "Korea, Republic of", "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Green Dinosaur", "display_name": "Green Dinosaur", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 9, "email": 1, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "660 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/", "https://github.com/arceo-labs/iocs/blob/main/APT/Kimsuky/domains.txt", "https://malpedia.caad.fkie.fraunhofer.de/actor/kimsuky", "Pulse cloned from @Alienvault", "https://socradar.io/apt-profile-kimsuky/", "https://attack.mitre.org/groups/G0094/", "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report", "https://github.com/arceo-labs/iocs/tree/main/APT/Kimsuky", "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers", "https://www.virustotal.com/gui/collection/fa039f49cb8d8b0962fc75e9f4e2ae1462000b317be9cc57874f992c4cd30683" ], "related": { "alienvault": { "adversary": [ "Kimsuky" ], "malware_families": [], "industries": [ "Education", "Government" ] }, "other": { "adversary": [ "Researchers", "Kimsuky" ], "malware_families": [ "Cspy downloader - s0527", "Nokki - s0353", "Appleseed - s0622", "Kimsuky", "Mimikatz - s0002", "Kgh_spy - s0526", "Psexec - s0029", "Green dinosaur", "Babyshark - s0414", "Schtasks - s0111", "Brave prince - s0252", "Gold dragon - s0249" ], "industries": [ "Education", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "66b60042a62e4a29587e0e28", "name": "APT Group Kimsuky Targets University Researchers", "description": "A report detailing an ongoing cyberattack campaign by the North Korean APT group Kimsuky, which is targeting university staff, researchers, and professors to conduct espionage and gather intelligence for the North Korean government. The group employs phishing tactics, compromised infrastructure, and customized phishing tools to steal login credentials and gain access to university networks, enabling them to pilfer research and sensitive data.", "modified": "2024-08-09T11:42:42.594000", "created": "2024-08-09T11:40:50.551000", "tags": [ "apt", "universities", "espionage", "phishing", "north korea" ], "references": [ "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 194, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 9, "email": 13, "hostname": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 386583, "modified_text": "660 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659082b0344ff3780c768636", "name": "APT43", "description": "AKA Kimsuky, Black Banshee, Emerald Sleet, G0086, Operation Stolen Pencil, Thallium, Velvet Chollima.\n\nIOCs gathered from social media, other analysts, and individual research.", "modified": "2024-11-27T13:03:27.333000", "created": "2023-12-30T20:50:56.554000", "tags": [ "APT43", "G0086", "Thallium" ], "references": [ "https://www.virustotal.com/gui/collection/fa039f49cb8d8b0962fc75e9f4e2ae1462000b317be9cc57874f992c4cd30683", "https://malpedia.caad.fkie.fraunhofer.de/actor/kimsuky", "https://socradar.io/apt-profile-kimsuky/", "https://attack.mitre.org/groups/G0094/", "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Republic of", "United States of America", "Russian Federation" ], "malware_families": [ { "id": "AppleSeed - S0622", "display_name": "AppleSeed - S0622", "target": null }, { "id": "BabyShark - S0414", "display_name": "BabyShark - S0414", "target": null }, { "id": "Brave Prince - S0252", "display_name": "Brave Prince - S0252", "target": null }, { "id": "CSPY Downloader - S0527", "display_name": "CSPY Downloader - S0527", "target": null }, { "id": "Gold Dragon - S0249", "display_name": "Gold Dragon - S0249", "target": null }, { "id": "KGH_SPY - S0526", "display_name": "KGH_SPY - S0526", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "NOKKI - S0353", "display_name": "NOKKI - S0353", "target": null }, { "id": "PsExec - S0029", "display_name": "PsExec - S0029", "target": null }, { "id": "schtasks - S0111", "display_name": "schtasks - S0111", "target": null } ], "attack_ids": [ { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1560.003", "name": "Archive via Custom Method", "display_name": "T1560.003 - Archive via Custom Method" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1586.002", "name": "Email Accounts", "display_name": "T1586.002 - Email Accounts" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1136.001", "name": "Local Account", "display_name": "T1136.001 - Local Account" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1114.003", "name": "Email Forwarding Rule", "display_name": "T1114.003 - Email Forwarding Rule" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1585.002", "name": "Email Accounts", "display_name": "T1585.002 - Email Accounts" }, { "id": "T1546.001", "name": "Change Default File Association", "display_name": "T1546.001 - Change Default File Association" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1589.003", "name": "Employee Names", "display_name": "T1589.003 - Employee Names" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1564.002", "name": "Hidden Users", "display_name": "T1564.002 - Hidden Users" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1588.005", "name": "Exploits", "display_name": "T1588.005 - Exploits" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1550.002", "name": "Pass the Hash", "display_name": "T1550.002 - Pass the Hash" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1078.003", "name": "Local Accounts", "display_name": "T1078.003 - Local Accounts" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ajmeese7", "id": "218349", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_218349/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 108, "FileHash-SHA1": 110, "FileHash-SHA256": 131, "domain": 549, "hostname": 154 }, "indicator_count": 1150, "is_author": false, "is_subscribing": null, "subscriber_count": 61, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b6092e8342d551d3d8d966", "name": "APT Group Kimsuky Targets University Researchers - Resilience", "description": "A new report from Resilience suggests that North Korean cyber-espionage group Kimsuky is targeting researchers at universities in South Korea and the United States in order to steal intelligence and research.", "modified": "2024-09-08T12:03:02.703000", "created": "2024-08-09T12:18:54.095000", "tags": [ "kimsuky", "gmail", "screenshot", "daum", "naver", "asan institute", "dinosaur", "bottom", "html", "sendmail", "green", "shell", "fail", "august", "researchers", "green dinosaur", "iocs", "sign", "samples", "github copilot", "search", "strong", "code pull", "breadcrumbs", "directory", "write", "star", "footer", "path", "script", "link", "button", "span", "template", "github", "form", "meta", "code", "reload", "enterprise", "close", "ransomware", "body", "find", "main", "contact" ], "references": [ "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/", "https://github.com/arceo-labs/iocs/tree/main/APT/Kimsuky", "https://github.com/arceo-labs/iocs/blob/main/APT/Kimsuky/domains.txt" ], "public": 1, "adversary": "Researchers", "targeted_countries": [ "Korea, Republic of", "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Green Dinosaur", "display_name": "Green Dinosaur", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluenumberone", "id": "246058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 15, "email": 1, "hostname": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 12 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "630 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d6c72469894083a1469201", "name": "APT Group Kimsuky Targets University Researchers - Resilience", "description": "", "modified": "2024-09-03T08:21:56.322000", "created": "2024-09-03T08:21:56.322000", "tags": [ "kimsuky", "gmail", "screenshot", "daum", "naver", "asan institute", "dinosaur", "bottom", "html", "sendmail", "green", "shell", "fail", "august", "researchers", "green dinosaur" ], "references": [ "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/" ], "public": 1, "adversary": "Researchers", "targeted_countries": [ "Korea, Republic of", "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Green Dinosaur", "display_name": "Green Dinosaur", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "66b98d992cc46b50877b0038", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 9, "email": 1, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "635 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b98d992cc46b50877b0038", "name": "APT Group Kimsuky Targets University Researchers - Resilience", "description": "", "modified": "2024-08-12T04:20:41.444000", "created": "2024-08-12T04:20:41.444000", "tags": [ "kimsuky", "gmail", "screenshot", "daum", "naver", "asan institute", "dinosaur", "bottom", "html", "sendmail", "green", "shell", "fail", "august", "researchers", "green dinosaur" ], "references": [ "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/" ], "public": 1, "adversary": "Researchers", "targeted_countries": [ "Korea, Republic of", "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Green Dinosaur", "display_name": "Green Dinosaur", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "66b61cb15e91ae3af609205c", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 9, "email": 1, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "657 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b87de0e68b93a190f533aa", "name": "University Researchers Targeted by APT Group Kimsuky", "description": "A report detailing an ongoing cyberattack campaign by the North Korean APT group Kimsuky, which is targeting university staff, researchers, and professors to conduct espionage and gather intelligence for the North Korean government. The group employs phishing tactics, compromised infrastructure, and customized phishing tools to steal login credentials and gain access to university networks, enabling them to pilfer research and sensitive data.", "modified": "2024-08-11T09:01:20.161000", "created": "2024-08-11T09:01:20.161000", "tags": [ "north korea", "phishing", "espionage", "universities", "apt" ], "references": [ "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers", "Pulse cloned from @Alienvault" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 9, "email": 1, "hostname": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "658 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b61cb15e91ae3af609205c", "name": "APT Group Kimsuky Targets University Researchers - Resilience", "description": "", "modified": "2024-08-09T13:42:09.887000", "created": "2024-08-09T13:42:09.887000", "tags": [ "kimsuky", "gmail", "screenshot", "daum", "naver", "asan institute", "dinosaur", "bottom", "html", "sendmail", "green", "shell", "fail", "august", "researchers", "green dinosaur" ], "references": [ "https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/" ], "public": 1, "adversary": "Researchers", "targeted_countries": [ "Korea, Republic of", "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Green Dinosaur", "display_name": "Green Dinosaur", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 9, "email": 1, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "660 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "simos.online", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "simos.online", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780266557.2305722 }