{ "type": "Domain", "indicator": "skycloudcenter.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/skycloudcenter.com", "alexa": "http://www.alexa.com/siteinfo/skycloudcenter.com", "indicator": "skycloudcenter.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4196846487, "indicator": "skycloudcenter.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69943bc61f75ca18b8da34a2", "name": "Lotus Blossom (G0030) and the Notepad++ Supply-Chain Espionage Campaign", "description": "The Notepad++ supply-chain espionage campaign, attributed to the Chinese cyber-espionage group known as Lotus Blossom (G0030), represents a sophisticated and methodical operation that exploited the software's update mechanism over several months in late 2025 and early 2026. The attackers did not compromise the software's code directly but instead targeted the third-party infrastructure responsible for distributing updates, allowing them to manipulate what users received during updates without altering the underlying codebase. This operation exemplifies the group's characteristic approach of targeting narrow, high-value sets of victims strategically aligned with state intelligence objectives.\n\nLotus Blossom has been active since at least 2009 and is known for its consistent targeting patterns and the strategic choice of operational sectors. Their recent campaign around Notepad++ notably focused on high-value technical roles, particularly developers and system administrators.", "modified": "2026-03-19T09:00:54.097000", "created": "2026-02-17T09:58:30.904000", "tags": [ "lotus blossom", "notepad", "rapid7", "chrysalis", "southeast asia", "iocs", "g0030", "vietnam", "elise", "sagerunex", "cobalt strike", "cobalt", "twitter", "project", "tencent", "cloud", "malware", "nsis", "philippines", "indonesia", "media", "february" ], "references": [ "https://dti.domaintools.com/research/lotus-blossom-and-the-notepad-supply-chain-espionage-campaign" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Retail", "Government", "Telecommunications", "Maritime" ], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "CIDR": 1, "URL": 12, "domain": 2, "hostname": 3 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6993145f7ae9b05f8279d491", "name": "Nation-State Actors Exploit Notepad++ Supply Chain", "description": "Palo Alto Networks Unit 42 has identified a state-sponsored supply chain attack on Microsoft\u2019s Notepad++, an open-source text editor used by millions of users across Southeast Asia.", "modified": "2026-03-18T12:20:18.560000", "created": "2026-02-16T12:58:07.346000", "tags": [ "notepad", "description", "mitre ttp", "xdrdata", "filter", "cobalt strike", "cortex cloud", "unit", "notepad updater", "dataset", "alliance", "june", "cloud", "attack", "download", "installer", "lua", "chrysalis" ], "references": [ "https://unit42.paloaltonetworks.com/notepad-infrastructure-compromise/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lua", "display_name": "Lua", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Chrysalis", "display_name": "Chrysalis", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Government", "Telecommunications", "Critical Infrastructure", "Energy", "Financial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 13, "FileHash-SHA256": 15, "URL": 12, "domain": 1, "hostname": 3 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "32 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698f24a11f045b35eafe8947", "name": "iocssssssssssssssssssssssss", "description": "", "modified": "2026-03-15T13:34:50.742000", "created": "2026-02-13T13:18:25.815000", "tags": [ "ip address", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "domain": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698f24a24890fbbd4ee0f020", "name": "iocssssssssssssssssssssssss", "description": "", "modified": "2026-03-15T13:34:50.742000", "created": "2026-02-13T13:18:26.857000", "tags": [ "ip address", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "domain": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698c53f29613e705f0f89e5a", "name": "EbeeFeb2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-13T09:35:12.591000", "created": "2026-02-11T10:03:30.456000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256", "ipv4", "cve20207699 cve" ], "references": [], "public": 1, "adversary": "Campaign involving multi-stage infostealer deployment, Amaranth-Dragon, SystemBC, Notepad++ Compromi", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 158, "FileHash-SHA1": 131, "FileHash-SHA256": 134, "URL": 86, "domain": 71, "hostname": 30, "CIDR": 1, "CVE": 7 }, "indicator_count": 618, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "37 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6982ef4acde512f9c9b72741", "name": "Exploring the C2 Infrastructure of the Notepad++ Compromise", "description": "The cyber attack involving Notepad++ appears to have exploited vulnerabilities in the hosting infrastructure, specifically through a provider linked to Hostinger. The attackers redirected users to a malicious server, enabling them to deliver compromised updates. Key elements of the attack include multiple IP addresses associated with the Command and Control (C2) domain, specifically 95.179.213.0, which was the source of the initial malicious file download, and 61.4.102.97, tied to the http://api.skycloudcenter.com domain that served as the C2 provider over HTTPS.\n\nMalicious operations utilized Cobalt Strike, with the beacon domain http://api.wiresguard.com operational since at least June 2025 and consistently hosted on Cloudflare. The Cobalt Strike beacon was confirmed to use the IP address 59.110.7.32 on port 8880, with additional analysis indicating that it remained accessible until January 2026.", "modified": "2026-03-06T07:03:55.662000", "created": "2026-02-04T07:03:38.145000", "tags": [ "validin", "ip address", "c2 domain", "cobalt strike", "december", "port", "cs beacon", "financial", "rapid7", "sign up", "june", "service", "august", "february", "attack", "contact" ], "references": [ "https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 65, "URL": 60, "domain": 7, "hostname": 7, "FileHash-MD5": 44, "FileHash-SHA256": 44 }, "indicator_count": 227, "is_author": false, "is_subscribing": null, "subscriber_count": 174, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698565ba3253b28503d3cdd6", "name": "IOC - Exploring the C2 Infrastructure of the Notepad++ Compromise", "description": "", "modified": "2026-03-06T07:03:55.662000", "created": "2026-02-06T03:53:30.435000", "tags": [ "validin", "ip address", "c2 domain", "cobalt strike", "december", "port", "cs beacon", "financial", "rapid7", "sign up", "june", "service", "august", "february", "attack", "contact" ], "references": [ "https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" } ], "industries": [], "TLP": "green", "cloned_from": "6982ef4acde512f9c9b72741", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 65, "URL": 60, "domain": 7, "hostname": 7, "FileHash-MD5": 44, "FileHash-SHA256": 44 }, "indicator_count": 227, "is_author": false, "is_subscribing": null, "subscriber_count": 121, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699fc0513ab49ceb22c6d96b", "name": "TCS IOC", "description": "", "modified": "2026-02-26T03:38:57.799000", "created": "2026-02-26T03:38:57.799000", "tags": [ "https", "f https", "msgtype1", "http", "apiv2init" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "myerioc72", "id": "364999", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 22, "URL": 249, "FileHash-MD5": 242, "FileHash-SHA1": 337, "FileHash-SHA256": 322, "domain": 811, "hostname": 124 }, "indicator_count": 2107, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "52 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://dti.domaintools.com/research/lotus-blossom-and-the-notepad-supply-chain-espionage-campaign", "https://unit42.paloaltonetworks.com/notepad-infrastructure-compromise/", "https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Campaign involving multi-stage infostealer deployment, Amaranth-Dragon, SystemBC, Notepad++ Compromi" ], "malware_families": [ "Cobalt strike", "Chrysalis", "Lua" ], "industries": [ "Manufacturing", "Maritime", "Critical infrastructure", "Financial", "Telecommunications", "Retail", "Energy", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69943bc61f75ca18b8da34a2", "name": "Lotus Blossom (G0030) and the Notepad++ Supply-Chain Espionage Campaign", "description": "The Notepad++ supply-chain espionage campaign, attributed to the Chinese cyber-espionage group known as Lotus Blossom (G0030), represents a sophisticated and methodical operation that exploited the software's update mechanism over several months in late 2025 and early 2026. The attackers did not compromise the software's code directly but instead targeted the third-party infrastructure responsible for distributing updates, allowing them to manipulate what users received during updates without altering the underlying codebase. This operation exemplifies the group's characteristic approach of targeting narrow, high-value sets of victims strategically aligned with state intelligence objectives.\n\nLotus Blossom has been active since at least 2009 and is known for its consistent targeting patterns and the strategic choice of operational sectors. Their recent campaign around Notepad++ notably focused on high-value technical roles, particularly developers and system administrators.", "modified": "2026-03-19T09:00:54.097000", "created": "2026-02-17T09:58:30.904000", "tags": [ "lotus blossom", "notepad", "rapid7", "chrysalis", "southeast asia", "iocs", "g0030", "vietnam", "elise", "sagerunex", "cobalt strike", "cobalt", "twitter", "project", "tencent", "cloud", "malware", "nsis", "philippines", "indonesia", "media", "february" ], "references": [ "https://dti.domaintools.com/research/lotus-blossom-and-the-notepad-supply-chain-espionage-campaign" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Retail", "Government", "Telecommunications", "Maritime" ], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "CIDR": 1, "URL": 12, "domain": 2, "hostname": 3 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6993145f7ae9b05f8279d491", "name": "Nation-State Actors Exploit Notepad++ Supply Chain", "description": "Palo Alto Networks Unit 42 has identified a state-sponsored supply chain attack on Microsoft\u2019s Notepad++, an open-source text editor used by millions of users across Southeast Asia.", "modified": "2026-03-18T12:20:18.560000", "created": "2026-02-16T12:58:07.346000", "tags": [ "notepad", "description", "mitre ttp", "xdrdata", "filter", "cobalt strike", "cortex cloud", "unit", "notepad updater", "dataset", "alliance", "june", "cloud", "attack", "download", "installer", "lua", "chrysalis" ], "references": [ "https://unit42.paloaltonetworks.com/notepad-infrastructure-compromise/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lua", "display_name": "Lua", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Chrysalis", "display_name": "Chrysalis", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Government", "Telecommunications", "Critical Infrastructure", "Energy", "Financial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 13, "FileHash-SHA256": 15, "URL": 12, "domain": 1, "hostname": 3 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "32 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698f24a11f045b35eafe8947", "name": "iocssssssssssssssssssssssss", "description": "", "modified": "2026-03-15T13:34:50.742000", "created": "2026-02-13T13:18:25.815000", "tags": [ "ip address", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "domain": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698f24a24890fbbd4ee0f020", "name": "iocssssssssssssssssssssssss", "description": "", "modified": "2026-03-15T13:34:50.742000", "created": "2026-02-13T13:18:26.857000", "tags": [ "ip address", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "domain": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698c53f29613e705f0f89e5a", "name": "EbeeFeb2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-13T09:35:12.591000", "created": "2026-02-11T10:03:30.456000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256", "ipv4", "cve20207699 cve" ], "references": [], "public": 1, "adversary": "Campaign involving multi-stage infostealer deployment, Amaranth-Dragon, SystemBC, Notepad++ Compromi", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 158, "FileHash-SHA1": 131, "FileHash-SHA256": 134, "URL": 86, "domain": 71, "hostname": 30, "CIDR": 1, "CVE": 7 }, "indicator_count": 618, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "37 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6982ef4acde512f9c9b72741", "name": "Exploring the C2 Infrastructure of the Notepad++ Compromise", "description": "The cyber attack involving Notepad++ appears to have exploited vulnerabilities in the hosting infrastructure, specifically through a provider linked to Hostinger. The attackers redirected users to a malicious server, enabling them to deliver compromised updates. Key elements of the attack include multiple IP addresses associated with the Command and Control (C2) domain, specifically 95.179.213.0, which was the source of the initial malicious file download, and 61.4.102.97, tied to the http://api.skycloudcenter.com domain that served as the C2 provider over HTTPS.\n\nMalicious operations utilized Cobalt Strike, with the beacon domain http://api.wiresguard.com operational since at least June 2025 and consistently hosted on Cloudflare. The Cobalt Strike beacon was confirmed to use the IP address 59.110.7.32 on port 8880, with additional analysis indicating that it remained accessible until January 2026.", "modified": "2026-03-06T07:03:55.662000", "created": "2026-02-04T07:03:38.145000", "tags": [ "validin", "ip address", "c2 domain", "cobalt strike", "december", "port", "cs beacon", "financial", "rapid7", "sign up", "june", "service", "august", "february", "attack", "contact" ], "references": [ "https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 65, "URL": 60, "domain": 7, "hostname": 7, "FileHash-MD5": 44, "FileHash-SHA256": 44 }, "indicator_count": 227, "is_author": false, "is_subscribing": null, "subscriber_count": 174, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698565ba3253b28503d3cdd6", "name": "IOC - Exploring the C2 Infrastructure of the Notepad++ Compromise", "description": "", "modified": "2026-03-06T07:03:55.662000", "created": "2026-02-06T03:53:30.435000", "tags": [ "validin", "ip address", "c2 domain", "cobalt strike", "december", "port", "cs beacon", "financial", "rapid7", "sign up", "june", "service", "august", "february", "attack", "contact" ], "references": [ "https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" } ], "industries": [], "TLP": "green", "cloned_from": "6982ef4acde512f9c9b72741", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 65, "URL": 60, "domain": 7, "hostname": 7, "FileHash-MD5": 44, "FileHash-SHA256": 44 }, "indicator_count": 227, "is_author": false, "is_subscribing": null, "subscriber_count": 121, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699fc0513ab49ceb22c6d96b", "name": "TCS IOC", "description": "", "modified": "2026-02-26T03:38:57.799000", "created": "2026-02-26T03:38:57.799000", "tags": [ "https", "f https", "msgtype1", "http", "apiv2init" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "myerioc72", "id": "364999", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 22, "URL": 249, "FileHash-MD5": 242, "FileHash-SHA1": 337, "FileHash-SHA256": 322, "domain": 811, "hostname": 124 }, "indicator_count": 2107, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "52 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "skycloudcenter.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "skycloudcenter.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776613001.3585649 }