{
  "type": "Domain",
  "indicator": "sleepingcontrol.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/sleepingcontrol.com",
    "alexa": "http://www.alexa.com/siteinfo/sleepingcontrol.com",
    "indicator": "sleepingcontrol.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2201230226,
      "indicator": "sleepingcontrol.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "5ef38fa73ccd462e6072ca54",
          "name": "Glupteba: Hidden Malware Delivery in Plain Sight",
          "description": "This morning, SophosLabs is publishing a report on a malware family whose infection numbers have been steadily growing since the beginning of the year. This malware, with its hard-to-pronounce name, has been getting regular updates and feature enhancements that seem to be focused on its ability to conceal itself from detection on infected computers.\n\nIn our report, we\u2019ve taken a deep dive into what makes the Glupteba malware distinctive. The core malware is, in essence, a dropper with extensive backdoor functionality, but it is a dropper that goes to great efforts to keep itself, and its various components, hidden from view by the human operator of an infected computer, or the security software charged with its protection.",
          "modified": "2020-06-24T17:38:47.212000",
          "created": "2020-06-24T17:38:47.212000",
          "tags": [
            "Glupteba"
          ],
          "references": [
            "https://github.com/sophoslabs/IoCs/blob/master/Trojan-Glupteba",
            "https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf",
            "https://news.sophos.com/en-us/2020/06/24/glupteba-report/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba",
              "display_name": "Trojan:Win32/Glupteba",
              "target": "/malware/Trojan:Win32/Glupteba"
            },
            {
              "id": "VirTool:Win64/Glupteba",
              "display_name": "VirTool:Win64/Glupteba",
              "target": "/malware/VirTool:Win64/Glupteba"
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 103,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 21,
            "FileHash-SHA256": 10,
            "URL": 10,
            "hostname": 1,
            "BitcoinAddress": 2,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7
          },
          "indicator_count": 58,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386502,
          "modified_text": "2166 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5e3d89a082119cabd7d9e5a6",
          "name": "InstallCapital \u2014 When AdWare Becomes Pay-per-Install Cyber-Crime",
          "description": "\"With this article we\u2019re trying to raise an alert about Pay-per-Install networks. The security industry has been indulgent with PPI for years considering it just as adware-related but the reality is very different, these networks are potentially huge malware distributors frequently used by various cyber-criminals.\"",
          "modified": "2020-02-07T16:10:39.127000",
          "created": "2020-02-07T16:00:32.388000",
          "tags": [
            "Adware",
            "Crimeware",
            "PPI"
          ],
          "references": [
            "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451"
          ],
          "public": 1,
          "adversary": "InstallCapital",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "InstallCapital",
              "display_name": "InstallCapital",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 50,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1,
            "hostname": 1,
            "domain": 15
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386502,
          "modified_text": "2304 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "639e7421ba5368c1ca46da6e",
          "name": "Glupteba malware is back",
          "description": "",
          "modified": "2023-01-09T01:02:16.494000",
          "created": "2022-12-18T02:00:01.565000",
          "tags": [],
          "references": [
            "December 18th, 2022 - CryptoGen Cyber Threat Intelligence - Glupteba malware is back.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 30,
            "URL": 12,
            "hostname": 2,
            "domain": 56,
            "CVE": 1,
            "BitcoinAddress": 20
          },
          "indicator_count": 159,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "1238 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a1e56b3622762b160953cf",
          "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
          "description": "Nozomi Networks provides a comprehensive guide to the best ways to close IoT security gaps in your operations. \u00c2\u00a31.5m of research, development and development in the UK, Ireland, Scotland and Wales.",
          "modified": "2022-12-20T16:40:11.795000",
          "created": "2022-12-20T16:40:11.795000",
          "tags": [
            "glupteba",
            "bitcoin address",
            "bitcoin",
            "google",
            "campaign",
            "xyzc2 domain",
            "november",
            "figure",
            "addressfirst",
            "nozomi networks",
            "june",
            "evolution",
            "virustotal",
            "february",
            "april",
            "malware"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
          ],
          "public": 1,
          "adversary": "Glupteba",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Cyber74Team",
            "id": "202637",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 25,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "domain": 54
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 164,
          "modified_text": "1257 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a1c00e773e7c902b8dae7f",
          "name": "Malicious Glupteba botnet",
          "description": "The malware, which is distributed through fraudulent ads or software cracks, is also equipped to retrieve additional payloads that enable it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in IoT devices from MikroTik and Netgear.\n\nIt's also an instance of an unusual malware that leverages blockchain as a mechanism for command-and-control (C2) since at least 2019, rendering its infrastructure resistant to takedown efforts as in the case of a traditional server.",
          "modified": "2022-12-20T14:00:46.988000",
          "created": "2022-12-20T14:00:46.988000",
          "tags": [
            "recent sha256",
            "block explorer",
            "bitcoin explorer",
            "blockchain explorer",
            "transaction search",
            "bitcoin address",
            "ethereum address",
            "ether",
            "ethereum blockchain",
            "ethereum transaction",
            "ethereum unconfirmed transaction",
            "ethereum explorer",
            "etherscan",
            "home prices",
            "charts nfts",
            "buy more",
            "defi academy",
            "cash btc",
            "testnet bch",
            "testnet english",
            "espaol portugus",
            "pycc franais",
            "deutsch usd",
            "opreturn",
            "bitcoin",
            "utxo",
            "bitcoin core",
            "opreturn change",
            "utxo database",
            "ecdh address",
            "glupteba",
            "cyber threats",
            "malware",
            "research",
            "network",
            "socks proxy",
            "c server",
            "trend micro",
            "glupteba botnet",
            "mikrotik",
            "windows",
            "hkeyusers",
            "post request",
            "download",
            "verify",
            "enumerate",
            "google",
            "campaign",
            "xyzc2 domain",
            "november",
            "figure",
            "addressfirst",
            "nozomi networks",
            "june",
            "evolution",
            "virustotal",
            "february",
            "april"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/",
            "https://www.trendmicro.com/en_us/research/19/i/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions.html",
            "https://www.blockchain.com/explorer/addresses/btc/1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BITSecurity",
            "id": "103352",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 26,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 13,
            "domain": 62,
            "URL": 1,
            "CVE": 1
          },
          "indicator_count": 117,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 244,
          "modified_text": "1257 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a173fd26be8fd55227067e",
          "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
          "description": "",
          "modified": "2022-12-20T08:36:13.699000",
          "created": "2022-12-20T08:36:13.699000",
          "tags": [
            "glupteba",
            "campaign",
            "nozomi networks",
            "botnet"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
          ],
          "public": 1,
          "adversary": "UNKNOWN",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63a15d23da6ba2b58272cac6",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 51,
            "hostname": 1
          },
          "indicator_count": 52,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "1257 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a15d23da6ba2b58272cac6",
          "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
          "description": "Nozomi Networks provides a comprehensive guide to the best ways to close IoT security gaps in your operations. 1.5m of research, development and development in the UK, Ireland, Scotland and Wales.",
          "modified": "2022-12-20T06:58:43.240000",
          "created": "2022-12-20T06:58:43.240000",
          "tags": [
            "glupteba",
            "campaign",
            "nozomi networks",
            "botnet"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
          ],
          "public": 1,
          "adversary": "UNKNOWN",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 51,
            "hostname": 1
          },
          "indicator_count": 52,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "1258 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a06a51dd330cf876dbc282",
          "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
          "description": "Nozomi reports that the Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago.  Nozomi analysis reveals a new, large-scale Glupteba campaign that started in June 2022 and is still ongoing based on data from blockchain transactions, TLS certificate registrations and reverse engineering Glupteba samples.",
          "modified": "2022-12-19T13:42:41.740000",
          "created": "2022-12-19T13:42:41.740000",
          "tags": [
            "malware/glupteba"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 25,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "domain": 54
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "1258 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a01c1cbcffc92811696826",
          "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
          "description": "Find out more about Nozomi Networks, the UK-based company that provides solutions for OT and IoT security and management services for the pharmaceutical industry and other sectors, including oil and gas operations.",
          "modified": "2022-12-19T08:09:00.694000",
          "created": "2022-12-19T08:09:00.694000",
          "tags": [
            "glupteba",
            "bitcoin address",
            "bitcoin",
            "google",
            "campaign",
            "xyzc2 domain",
            "november",
            "figure",
            "addressfirst",
            "nozomi networks",
            "june",
            "evolution",
            "virustotal",
            "february",
            "april",
            "malware"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
          ],
          "public": 1,
          "adversary": "Glupteba",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 25,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "domain": 54
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1258 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "639ffce6a10024195feea5e5",
          "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
          "description": "Find out more about Nozomi Networks, the UK-based company that provides solutions for OT and IoT security and management services for the pharmaceutical industry and other sectors, including oil and gas operations.",
          "modified": "2022-12-19T05:55:50.112000",
          "created": "2022-12-19T05:55:50.112000",
          "tags": [
            "glupteba",
            "bitcoin address",
            "bitcoin",
            "google",
            "campaign",
            "xyzc2 domain",
            "november",
            "figure",
            "addressfirst",
            "nozomi networks",
            "june",
            "evolution",
            "virustotal",
            "february",
            "april",
            "malware"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
          ],
          "public": 1,
          "adversary": "Glupteba",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "nageswaran",
            "id": "61577",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 25,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "domain": 54
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "1259 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451",
        "https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf",
        "https://news.sophos.com/en-us/2020/06/24/glupteba-report/",
        "https://www.blockchain.com/explorer/addresses/btc/1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK",
        "December 18th, 2022 - CryptoGen Cyber Threat Intelligence - Glupteba malware is back.pdf",
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/",
        "https://www.trendmicro.com/en_us/research/19/i/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions.html",
        "https://github.com/sophoslabs/IoCs/blob/master/Trojan-Glupteba"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "InstallCapital"
          ],
          "malware_families": [
            "Glupteba",
            "Virtool:win64/glupteba",
            "Installcapital",
            "Trojan:win32/glupteba"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Glupteba",
            "UNKNOWN"
          ],
          "malware_families": [
            "Glupteba"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "5ef38fa73ccd462e6072ca54",
      "name": "Glupteba: Hidden Malware Delivery in Plain Sight",
      "description": "This morning, SophosLabs is publishing a report on a malware family whose infection numbers have been steadily growing since the beginning of the year. This malware, with its hard-to-pronounce name, has been getting regular updates and feature enhancements that seem to be focused on its ability to conceal itself from detection on infected computers.\n\nIn our report, we\u2019ve taken a deep dive into what makes the Glupteba malware distinctive. The core malware is, in essence, a dropper with extensive backdoor functionality, but it is a dropper that goes to great efforts to keep itself, and its various components, hidden from view by the human operator of an infected computer, or the security software charged with its protection.",
      "modified": "2020-06-24T17:38:47.212000",
      "created": "2020-06-24T17:38:47.212000",
      "tags": [
        "Glupteba"
      ],
      "references": [
        "https://github.com/sophoslabs/IoCs/blob/master/Trojan-Glupteba",
        "https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf",
        "https://news.sophos.com/en-us/2020/06/24/glupteba-report/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        },
        {
          "id": "Trojan:Win32/Glupteba",
          "display_name": "Trojan:Win32/Glupteba",
          "target": "/malware/Trojan:Win32/Glupteba"
        },
        {
          "id": "VirTool:Win64/Glupteba",
          "display_name": "VirTool:Win64/Glupteba",
          "target": "/malware/VirTool:Win64/Glupteba"
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 103,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 21,
        "FileHash-SHA256": 10,
        "URL": 10,
        "hostname": 1,
        "BitcoinAddress": 2,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7
      },
      "indicator_count": 58,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386502,
      "modified_text": "2166 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5e3d89a082119cabd7d9e5a6",
      "name": "InstallCapital \u2014 When AdWare Becomes Pay-per-Install Cyber-Crime",
      "description": "\"With this article we\u2019re trying to raise an alert about Pay-per-Install networks. The security industry has been indulgent with PPI for years considering it just as adware-related but the reality is very different, these networks are potentially huge malware distributors frequently used by various cyber-criminals.\"",
      "modified": "2020-02-07T16:10:39.127000",
      "created": "2020-02-07T16:00:32.388000",
      "tags": [
        "Adware",
        "Crimeware",
        "PPI"
      ],
      "references": [
        "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451"
      ],
      "public": 1,
      "adversary": "InstallCapital",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "InstallCapital",
          "display_name": "InstallCapital",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 50,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1,
        "hostname": 1,
        "domain": 15
      },
      "indicator_count": 17,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386502,
      "modified_text": "2304 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "639e7421ba5368c1ca46da6e",
      "name": "Glupteba malware is back",
      "description": "",
      "modified": "2023-01-09T01:02:16.494000",
      "created": "2022-12-18T02:00:01.565000",
      "tags": [],
      "references": [
        "December 18th, 2022 - CryptoGen Cyber Threat Intelligence - Glupteba malware is back.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 19,
        "FileHash-SHA1": 19,
        "FileHash-SHA256": 30,
        "URL": 12,
        "hostname": 2,
        "domain": 56,
        "CVE": 1,
        "BitcoinAddress": 20
      },
      "indicator_count": 159,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "1238 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a1e56b3622762b160953cf",
      "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
      "description": "Nozomi Networks provides a comprehensive guide to the best ways to close IoT security gaps in your operations. \u00a31.5m of research, development and development in the UK, Ireland, Scotland and Wales.",
      "modified": "2022-12-20T16:40:11.795000",
      "created": "2022-12-20T16:40:11.795000",
      "tags": [
        "glupteba",
        "bitcoin address",
        "bitcoin",
        "google",
        "campaign",
        "xyzc2 domain",
        "november",
        "figure",
        "addressfirst",
        "nozomi networks",
        "june",
        "evolution",
        "virustotal",
        "february",
        "april",
        "malware"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
      ],
      "public": 1,
      "adversary": "Glupteba",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Cyber74Team",
        "id": "202637",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 25,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "domain": 54
      },
      "indicator_count": 82,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 164,
      "modified_text": "1257 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a1c00e773e7c902b8dae7f",
      "name": "Malicious Glupteba botnet",
      "description": "The malware, which is distributed through fraudulent ads or software cracks, is also equipped to retrieve additional payloads that enable it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in IoT devices from MikroTik and Netgear.\n\nIt's also an instance of an unusual malware that leverages blockchain as a mechanism for command-and-control (C2) since at least 2019, rendering its infrastructure resistant to takedown efforts as in the case of a traditional server.",
      "modified": "2022-12-20T14:00:46.988000",
      "created": "2022-12-20T14:00:46.988000",
      "tags": [
        "recent sha256",
        "block explorer",
        "bitcoin explorer",
        "blockchain explorer",
        "transaction search",
        "bitcoin address",
        "ethereum address",
        "ether",
        "ethereum blockchain",
        "ethereum transaction",
        "ethereum unconfirmed transaction",
        "ethereum explorer",
        "etherscan",
        "home prices",
        "charts nfts",
        "buy more",
        "defi academy",
        "cash btc",
        "testnet bch",
        "testnet english",
        "espaol portugus",
        "pycc franais",
        "deutsch usd",
        "opreturn",
        "bitcoin",
        "utxo",
        "bitcoin core",
        "opreturn change",
        "utxo database",
        "ecdh address",
        "glupteba",
        "cyber threats",
        "malware",
        "research",
        "network",
        "socks proxy",
        "c server",
        "trend micro",
        "glupteba botnet",
        "mikrotik",
        "windows",
        "hkeyusers",
        "post request",
        "download",
        "verify",
        "enumerate",
        "google",
        "campaign",
        "xyzc2 domain",
        "november",
        "figure",
        "addressfirst",
        "nozomi networks",
        "june",
        "evolution",
        "virustotal",
        "february",
        "april"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/",
        "https://www.trendmicro.com/en_us/research/19/i/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions.html",
        "https://www.blockchain.com/explorer/addresses/btc/1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "BITSecurity",
        "id": "103352",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 26,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 13,
        "domain": 62,
        "URL": 1,
        "CVE": 1
      },
      "indicator_count": 117,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 244,
      "modified_text": "1257 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a173fd26be8fd55227067e",
      "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
      "description": "",
      "modified": "2022-12-20T08:36:13.699000",
      "created": "2022-12-20T08:36:13.699000",
      "tags": [
        "glupteba",
        "campaign",
        "nozomi networks",
        "botnet"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
      ],
      "public": 1,
      "adversary": "UNKNOWN",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63a15d23da6ba2b58272cac6",
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 51,
        "hostname": 1
      },
      "indicator_count": 52,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "1257 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a15d23da6ba2b58272cac6",
      "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
      "description": "Nozomi Networks provides a comprehensive guide to the best ways to close IoT security gaps in your operations. 1.5m of research, development and development in the UK, Ireland, Scotland and Wales.",
      "modified": "2022-12-20T06:58:43.240000",
      "created": "2022-12-20T06:58:43.240000",
      "tags": [
        "glupteba",
        "campaign",
        "nozomi networks",
        "botnet"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
      ],
      "public": 1,
      "adversary": "UNKNOWN",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 51,
        "hostname": 1
      },
      "indicator_count": 52,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "1258 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a06a51dd330cf876dbc282",
      "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
      "description": "Nozomi reports that the Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago.  Nozomi analysis reveals a new, large-scale Glupteba campaign that started in June 2022 and is still ongoing based on data from blockchain transactions, TLS certificate registrations and reverse engineering Glupteba samples.",
      "modified": "2022-12-19T13:42:41.740000",
      "created": "2022-12-19T13:42:41.740000",
      "tags": [
        "malware/glupteba"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 26,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "eric.ford",
        "id": "42510",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 25,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "domain": 54
      },
      "indicator_count": 82,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "1258 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a01c1cbcffc92811696826",
      "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
      "description": "Find out more about Nozomi Networks, the UK-based company that provides solutions for OT and IoT security and management services for the pharmaceutical industry and other sectors, including oil and gas operations.",
      "modified": "2022-12-19T08:09:00.694000",
      "created": "2022-12-19T08:09:00.694000",
      "tags": [
        "glupteba",
        "bitcoin address",
        "bitcoin",
        "google",
        "campaign",
        "xyzc2 domain",
        "november",
        "figure",
        "addressfirst",
        "nozomi networks",
        "june",
        "evolution",
        "virustotal",
        "february",
        "april",
        "malware"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
      ],
      "public": 1,
      "adversary": "Glupteba",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 25,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "domain": 54
      },
      "indicator_count": 82,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "1258 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "639ffce6a10024195feea5e5",
      "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
      "description": "Find out more about Nozomi Networks, the UK-based company that provides solutions for OT and IoT security and management services for the pharmaceutical industry and other sectors, including oil and gas operations.",
      "modified": "2022-12-19T05:55:50.112000",
      "created": "2022-12-19T05:55:50.112000",
      "tags": [
        "glupteba",
        "bitcoin address",
        "bitcoin",
        "google",
        "campaign",
        "xyzc2 domain",
        "november",
        "figure",
        "addressfirst",
        "nozomi networks",
        "june",
        "evolution",
        "virustotal",
        "february",
        "april",
        "malware"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
      ],
      "public": 1,
      "adversary": "Glupteba",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "nageswaran",
        "id": "61577",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 25,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "domain": 54
      },
      "indicator_count": 82,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "1259 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "sleepingcontrol.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "sleepingcontrol.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780212906.119011
}