{
  "type": "Domain",
  "indicator": "smtprelayhost.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/smtprelayhost.com",
    "alexa": "http://www.alexa.com/siteinfo/smtprelayhost.com",
    "indicator": "smtprelayhost.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 955319,
      "indicator": "smtprelayhost.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "5c73a72a027c1b7031f26b36",
          "name": "Threat Campaign Likely Targeting NATO Members, Defense and Military Outlets",
          "description": "Word document found in the wild that is likely associated with the SNAKEMACKEREL (APT28/Sofacy/Fancy Bear) threat group. iDefense assesses with moderate confidence that the actors may be targeting attendees and sponsors of the upcoming Underwater Defence & Security 2019 event occurring March 5-7, 2019, in Southampton, United Kingdom. This event draws attendees from government, military and private sector entities across the globe, allowing this global event to represent a unique opportunity for SNAKEMACKEREL actors to conduct targeted intrusion operations against a wide array of organizations falling under its collection requirements.",
          "modified": "2020-11-13T00:00:32.402000",
          "created": "2019-02-25T08:28:26.206000",
          "tags": [
            "sofacy",
            "russia",
            "gru",
            "apt28",
            "fancy bear"
          ],
          "references": [
            "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
            "https://twitter.com/kyleehmke/status/1171111104149368836"
          ],
          "public": 1,
          "adversary": "Sofacy",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Military",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 194,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "FileHash-SHA256": 5,
            "hostname": 24,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 1,
            "domain": 149,
            "email": 20
          },
          "indicator_count": 203,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386524,
          "modified_text": "2024 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "59fbac2195f36306631c030b",
          "name": "Fancy Bear Pens the Worst Blog Posts Ever",
          "description": "Our friends over at Bellingcat, which conducts open source investigations and writes extensively on Russia-related issues, recently shared a new tranche of spear-phishing emails they had received. Spoiler alert: they originated from Fancy Bear actors. Using the ThreatConnect platform we ingested the spear-phishing emails Bellingcat provided, processed out the relevant indicators, and compared them to previously known Fancy Bear activity. It turns out that this campaign had an association to 2016 Fancy Bear activity previously identified by the German Federal Office for the Protection of the Constitution (BfV). More interestingly however, Fancy Bear employed a new tactic we hadn't previously seen: using Blogspot-hosted URLs in their spear-phishing email messages. The Blogspot page contained a javascript window location that redirected the visitor to a second URL hosted on a dedicated server.",
          "modified": "2017-11-02T23:37:04.983000",
          "created": "2017-11-02T23:37:04.983000",
          "tags": [],
          "references": [
            "https://www.threatconnect.com/blog/fancy-bear-leverages-blogspot/"
          ],
          "public": 1,
          "adversary": "Sofacy",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 73,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 89,
            "URL": 1,
            "hostname": 2
          },
          "indicator_count": 92,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386542,
          "modified_text": "3130 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62c25bb6d1148208315f2b37",
          "name": "NewDom-4-20220704",
          "description": "ICANN-Dom",
          "modified": "2022-08-18T00:04:11.786000",
          "created": "2022-07-04T03:17:10.889000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ZENDataGELowC",
            "id": "152785",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {},
          "indicator_count": 0,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 201,
          "modified_text": "1381 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 0
        }
      ],
      "references": [
        "https://www.threatconnect.com/blog/fancy-bear-leverages-blogspot/",
        "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
        "https://twitter.com/kyleehmke/status/1171111104149368836"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Sofacy"
          ],
          "malware_families": [],
          "industries": [
            "Government",
            "Military"
          ]
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "5c73a72a027c1b7031f26b36",
      "name": "Threat Campaign Likely Targeting NATO Members, Defense and Military Outlets",
      "description": "Word document found in the wild that is likely associated with the SNAKEMACKEREL (APT28/Sofacy/Fancy Bear) threat group. iDefense assesses with moderate confidence that the actors may be targeting attendees and sponsors of the upcoming Underwater Defence & Security 2019 event occurring March 5-7, 2019, in Southampton, United Kingdom. This event draws attendees from government, military and private sector entities across the globe, allowing this global event to represent a unique opportunity for SNAKEMACKEREL actors to conduct targeted intrusion operations against a wide array of organizations falling under its collection requirements.",
      "modified": "2020-11-13T00:00:32.402000",
      "created": "2019-02-25T08:28:26.206000",
      "tags": [
        "sofacy",
        "russia",
        "gru",
        "apt28",
        "fancy bear"
      ],
      "references": [
        "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
        "https://twitter.com/kyleehmke/status/1171111104149368836"
      ],
      "public": 1,
      "adversary": "Sofacy",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Military",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 194,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "FileHash-SHA256": 5,
        "hostname": 24,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 1,
        "domain": 149,
        "email": 20
      },
      "indicator_count": 203,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386524,
      "modified_text": "2024 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "59fbac2195f36306631c030b",
      "name": "Fancy Bear Pens the Worst Blog Posts Ever",
      "description": "Our friends over at Bellingcat, which conducts open source investigations and writes extensively on Russia-related issues, recently shared a new tranche of spear-phishing emails they had received. Spoiler alert: they originated from Fancy Bear actors. Using the ThreatConnect platform we ingested the spear-phishing emails Bellingcat provided, processed out the relevant indicators, and compared them to previously known Fancy Bear activity. It turns out that this campaign had an association to 2016 Fancy Bear activity previously identified by the German Federal Office for the Protection of the Constitution (BfV). More interestingly however, Fancy Bear employed a new tactic we hadn't previously seen: using Blogspot-hosted URLs in their spear-phishing email messages. The Blogspot page contained a javascript window location that redirected the visitor to a second URL hosted on a dedicated server.",
      "modified": "2017-11-02T23:37:04.983000",
      "created": "2017-11-02T23:37:04.983000",
      "tags": [],
      "references": [
        "https://www.threatconnect.com/blog/fancy-bear-leverages-blogspot/"
      ],
      "public": 1,
      "adversary": "Sofacy",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 73,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 89,
        "URL": 1,
        "hostname": 2
      },
      "indicator_count": 92,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386542,
      "modified_text": "3130 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62c25bb6d1148208315f2b37",
      "name": "NewDom-4-20220704",
      "description": "ICANN-Dom",
      "modified": "2022-08-18T00:04:11.786000",
      "created": "2022-07-04T03:17:10.889000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ZENDataGELowC",
        "id": "152785",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {},
      "indicator_count": 0,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 201,
      "modified_text": "1381 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 0
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "smtprelayhost.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "smtprelayhost.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780180430.6260428
}