{ "type": "Domain", "indicator": "snakeers.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/snakeers.com", "alexa": "http://www.alexa.com/siteinfo/snakeers.com", "indicator": "snakeers.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4041513306, "indicator": "snakeers.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6916aa77dacfe4a69f394336", "name": "EbeeNov2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-20T21:02:55.026000", "created": "2025-11-14T04:05:11.738000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256" ], "references": [ "Nov.Week2.csv" ], "public": 1, "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 100, "FileHash-SHA256": 131, "URL": 117, "domain": 263, "hostname": 18, "email": 1 }, "indicator_count": 791, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "164 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69174066daebfd51f481ea81", "name": "Unmasking Vo1d: Inside Darktraces Botnet Detection", "description": "Vo1d is a significant piece of malware that emerged in the wild in September 2024, evolving into one of the most prevalent Android botnets known, particularly targeting smart TVs and low-cost Android TV devices. Initially recognized as a backdoor, Vo1d's capabilities have expanded to enable the installation of additional malicious software, the operation of proxy services, and the execution of ad fraud schemes. By early 2025, projections indicated that Vo1d had compromised between 1.3 to 1.6 million devices globally.\n\nRecent activity from Darktrace revealed a marked increase in Vo1d-related incidents, predominantly affecting customers in South Africa. Many of the compromised devices displayed abnormal network behavior, such as excessive DNS queries, which is indicative of malware activity.", "modified": "2025-11-14T14:44:54.887000", "created": "2025-11-14T14:44:54.887000", "tags": [ "vo1d c2", "hostname", "compromise", "possible", "dga endpoint", "command", "control", "likely", "connection", "iocs" ], "references": [ "https://www.darktrace.com/blog/unmasking-vo1d-inside-darktraces-botnet-detection" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "200 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c58af18e57e8aa6e5eecb7", "name": "Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally", "description": "On February 24, 2025, NBC News reported: \"Unauthorized AI-generated footage suddenly played on televisions at the U.S. Department of Housing and Urban Development (HUD) headquarters in Washington, D.C. The video showed President Donald Trump bowing to kiss Elon Musk's toes, accompanied by the bold caption LONG LIVE THE REAL KING. Staff were unable to shut it down and had to unplug all TVs.\" The incident quickly sparked widespread public debate and caught the attention of the cybersecurity community, prompting a reevaluation of the significant risks posed by hacked devices like televisions and set-top boxes.", "modified": "2025-04-02T10:03:00.822000", "created": "2025-03-03T10:56:49.370000", "tags": [ "dga", "botnet", "android", "backdoor", "en", "vo1d", "vo1d botnet", "january", "february", "china", "below", "redirector c2", "bigpanzi", "dga algorithm", "codomain system", "downloader", "impact", "twitter", "fraud", "drop", "python", "dexloader", "test", "leave", "virustotal" ], "references": [ "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/#ioc" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 2, "FileHash-SHA256": 1, "URL": 15, "domain": 31, "hostname": 15 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "426 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c18be84642fbcfd094c2ce", "name": "Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally", "description": "A new variant of the Vo1d botnet is taking control of 1.6 million Android TV devices worldwide, according to a new report by cybersecurity researchers XLab and its artificial intelligence unit.", "modified": "2025-03-30T10:00:20.183000", "created": "2025-02-28T10:11:52.868000", "tags": [ "dga", "en", "android", "backdoor", "botnet", "vo1d", "vo1d botnet", "january", "february", "china", "below", "redirector c2", "dga algorithm", "codomain system", "xxtea key", "downloader", "impact", "twitter", "fraud", "drop", "python", "dexloader", "test", "leave", "virustotal", "bigpanzi", "mirai", "dex" ], "references": [ "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "United States of America", "China" ], "malware_families": [ { "id": "Bigpanzi", "display_name": "Bigpanzi", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "DEX", "display_name": "DEX", "target": null }, { "id": "Vo1d", "display_name": "Vo1d", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 1, "URL": 15, "domain": 31, "hostname": 15 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Nov.Week2.csv", "https://www.darktrace.com/blog/unmasking-vo1d-inside-darktraces-botnet-detection", "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/#ioc", "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428" ], "malware_families": [ "Mirai", "Vo1d", "Dex", "Bigpanzi" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6916aa77dacfe4a69f394336", "name": "EbeeNov2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-20T21:02:55.026000", "created": "2025-11-14T04:05:11.738000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256" ], "references": [ "Nov.Week2.csv" ], "public": 1, "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 100, "FileHash-SHA256": 131, "URL": 117, "domain": 263, "hostname": 18, "email": 1 }, "indicator_count": 791, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "164 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69174066daebfd51f481ea81", "name": "Unmasking Vo1d: Inside Darktraces Botnet Detection", "description": "Vo1d is a significant piece of malware that emerged in the wild in September 2024, evolving into one of the most prevalent Android botnets known, particularly targeting smart TVs and low-cost Android TV devices. Initially recognized as a backdoor, Vo1d's capabilities have expanded to enable the installation of additional malicious software, the operation of proxy services, and the execution of ad fraud schemes. By early 2025, projections indicated that Vo1d had compromised between 1.3 to 1.6 million devices globally.\n\nRecent activity from Darktrace revealed a marked increase in Vo1d-related incidents, predominantly affecting customers in South Africa. Many of the compromised devices displayed abnormal network behavior, such as excessive DNS queries, which is indicative of malware activity.", "modified": "2025-11-14T14:44:54.887000", "created": "2025-11-14T14:44:54.887000", "tags": [ "vo1d c2", "hostname", "compromise", "possible", "dga endpoint", "command", "control", "likely", "connection", "iocs" ], "references": [ "https://www.darktrace.com/blog/unmasking-vo1d-inside-darktraces-botnet-detection" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "200 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c58af18e57e8aa6e5eecb7", "name": "Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally", "description": "On February 24, 2025, NBC News reported: \"Unauthorized AI-generated footage suddenly played on televisions at the U.S. Department of Housing and Urban Development (HUD) headquarters in Washington, D.C. The video showed President Donald Trump bowing to kiss Elon Musk's toes, accompanied by the bold caption LONG LIVE THE REAL KING. Staff were unable to shut it down and had to unplug all TVs.\" The incident quickly sparked widespread public debate and caught the attention of the cybersecurity community, prompting a reevaluation of the significant risks posed by hacked devices like televisions and set-top boxes.", "modified": "2025-04-02T10:03:00.822000", "created": "2025-03-03T10:56:49.370000", "tags": [ "dga", "botnet", "android", "backdoor", "en", "vo1d", "vo1d botnet", "january", "february", "china", "below", "redirector c2", "bigpanzi", "dga algorithm", "codomain system", "downloader", "impact", "twitter", "fraud", "drop", "python", "dexloader", "test", "leave", "virustotal" ], "references": [ "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/#ioc" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 2, "FileHash-SHA256": 1, "URL": 15, "domain": 31, "hostname": 15 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "426 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c18be84642fbcfd094c2ce", "name": "Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally", "description": "A new variant of the Vo1d botnet is taking control of 1.6 million Android TV devices worldwide, according to a new report by cybersecurity researchers XLab and its artificial intelligence unit.", "modified": "2025-03-30T10:00:20.183000", "created": "2025-02-28T10:11:52.868000", "tags": [ "dga", "en", "android", "backdoor", "botnet", "vo1d", "vo1d botnet", "january", "february", "china", "below", "redirector c2", "dga algorithm", "codomain system", "xxtea key", "downloader", "impact", "twitter", "fraud", "drop", "python", "dexloader", "test", "leave", "virustotal", "bigpanzi", "mirai", "dex" ], "references": [ "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "United States of America", "China" ], "malware_families": [ { "id": "Bigpanzi", "display_name": "Bigpanzi", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "DEX", "display_name": "DEX", "target": null }, { "id": "Vo1d", "display_name": "Vo1d", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 1, "URL": 15, "domain": 31, "hostname": 15 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "snakeers.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "snakeers.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780447548.5485845 }