{ "type": "Domain", "indicator": "softglide.co", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/softglide.co", "alexa": "http://www.alexa.com/siteinfo/softglide.co", "indicator": "softglide.co", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4060973051, "indicator": "softglide.co", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "68b9d266a57b122998115dc6", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverage multiple intelligence sources including Validin, VirusTotal, and Maltrail. Despite being aware of their infrastructure's detectability, they make only limited changes to reduce detection risk, focusing instead on rapidly deploying new infrastructure to sustain operations. The actors' effectiveness is evident in their engagement of over 230 victims between January and March 2025, primarily targeting individuals in the cryptocurrency industry. Their activities involve sophisticated social engineering tactics, including the ClickFix technique, to trick targets into executing malware.", "modified": "2025-10-04T17:00:59.344000", "created": "2025-09-04T17:54:46.837000", "tags": [ "cyber espionage", "social engineering", "north korea", "job seeker targeting", "clickfix", "lazarus", "infrastructure monitoring", "cryptocurrency", "contagiousdrop" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops" ], "public": 1, "adversary": "Contagious Interview", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 44164, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 116, "FileHash-SHA1": 99, "FileHash-SHA256": 246, "CVE": 1, "domain": 2140, "hostname": 1231 }, "indicator_count": 3833, "is_author": false, "is_subscribing": null, "subscriber_count": 386477, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680a7c9533e918e31ba0c246", "name": "Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations", "description": "North Korean cybercrime activities heavily rely on Russian IP ranges in Khasan and Khabarovsk, utilizing extensive anonymization networks. The Void Dokkaebi group, linked to North Korea, employs fictitious companies like BlockNovas to target IT professionals through fraudulent job interviews, aiming to steal cryptocurrency and potentially engage in espionage. Their tactics involve using VPNs, proxies, and RDP connections to obscure their origins. Instruction videos suggest the involvement of less-skilled foreign conspirators. The primary focus remains cryptocurrency theft, but there's potential for expanded espionage activities and possible cooperation between North Korean and Russian entities.", "modified": "2025-05-24T17:02:00.860000", "created": "2025-04-24T18:01:56.761000", "tags": [ "cryptocurrency", "BlockNovas", "frostyferret", "beavertail", "social engineering", "invisible ferret", "anonymization networks" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOCs_VoidDokkaebi_2t9ScKI5.txt", "https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html" ], "public": 1, "adversary": "WageMole", "targeted_countries": [ "Ukraine", "Germany", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Technology", "Energy", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 386479, "modified_text": "371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889ff2cfa6a2c08cb85336a", "name": "EbeeJuly2025 Pt2", "description": "IOCs of multiple threaats observed and collected in July 2025", "modified": "2025-08-29T10:02:20.542000", "created": "2025-07-30T11:17:00.302000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "FileHash-MD5": 177, "FileHash-SHA1": 132, "FileHash-SHA256": 216, "domain": 136, "email": 1, "hostname": 101 }, "indicator_count": 828, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680f8b67bf0ff91b859af6a2", "name": "Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations", "description": "Beavertail malware is being used to target North Korean IT workers abroad, according to a report from the International Institute for Strategic Studies (IISS) and the US Department of Defense.", "modified": "2025-05-28T14:00:57.774000", "created": "2025-04-28T14:06:31.343000", "tags": [ "dprk", "ru ip", "call", "ip address", "dprk it", "website", "description", "compromise", "crucial role", "address" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOCs_VoidDokkaebi_2t9ScKI5.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "367 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680e1c6841197adf26561f3f", "name": "Threat Actors Spread Malware via Fake Crypto Firms and Job Interview Lures", "description": "", "modified": "2025-05-27T11:03:13.002000", "created": "2025-04-27T12:00:40.163000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "hostname": 5 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "368 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680af4eb4ec201ffd393ccd3", "name": "IOC&TTP - Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations", "description": "\u672c\u7814\u7a76\u63ed\u793a\u4e86\u4e0e\u671d\u9c9c\u7f51\u7edc\u72af\u7f6a\u6d3b\u52a8\uff08\u5f52\u5c5e Void Dokkaebi\uff0fFamous Chollima\uff09\u6709\u5173\u7684\u4e00\u7ec4\u4fc4\u7f57\u65af IP \u5730\u5740\u6bb5\u4e0e\u57fa\u7840\u8bbe\u65bd\u3002\u8be5\u57fa\u7840\u8bbe\u65bd\u9690\u85cf\u5728\u5546\u4e1a VPN\u3001\u4ee3\u7406\u4e0e\u5927\u6279 VPS/RDP \u670d\u52a1\u5668\u7ec4\u6210\u7684\u591a\u5c42\u533f\u540d\u7f51\u7edc\u4e4b\u540e\uff0c\u5206\u914d\u7ed9\u4f4d\u4e8e\u4fc4\u7f57\u65af\u54c8\u6851\uff08\u8ddd\u671d\u9c9c\u8fb9\u5883 1 \u82f1\u91cc\uff09\u4e0e\u54c8\u5df4\u7f57\u592b\u65af\u514b\u7684\u4e24\u5bb6\u516c\u53f8\u3002", "modified": "2025-05-24T17:02:00.860000", "created": "2025-04-25T02:35:23.642000", "tags": [ "cryptocurrency", "BlockNovas", "frostyferret", "beavertail", "social engineering", "invisible ferret", "anonymization networks" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOCs_VoidDokkaebi_2t9ScKI5.txt", "https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html" ], "public": 1, "adversary": "Void Dokkaebi", "targeted_countries": [ "Ukraine", "Germany", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Technology", "Energy", "Finance" ], "TLP": "white", "cloned_from": "680a7c9533e918e31ba0c246", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680dbcd438e261c29a491e45", "name": "https://games.app.goo.gl/bSyogvMZN7CggQAb8", "description": "", "modified": "2025-05-24T17:02:00.860000", "created": "2025-04-27T05:12:52.155000", "tags": [ "cryptocurrency", "BlockNovas", "frostyferret", "beavertail", "social engineering", "invisible ferret", "anonymization networks" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOCs_VoidDokkaebi_2t9ScKI5.txt", "https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html" ], "public": 1, "adversary": "Void Dokkaebi", "targeted_countries": [ "Ukraine", "Germany", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Technology", "Energy", "Finance" ], "TLP": "white", "cloned_from": "680a7c9533e918e31ba0c246", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Themba1204", "id": "216437", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 0, "modified_text": "371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681061b97e7389ebed7e85e6", "name": "Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations", "description": "", "modified": "2025-05-24T17:02:00.860000", "created": "2025-04-29T05:20:57.394000", "tags": [ "cryptocurrency", "BlockNovas", "frostyferret", "beavertail", "social engineering", "invisible ferret", "anonymization networks" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOCs_VoidDokkaebi_2t9ScKI5.txt", "https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html" ], "public": 1, "adversary": "Void Dokkaebi", "targeted_countries": [ "Ukraine", "Germany", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Technology", "Energy", "Finance" ], "TLP": "white", "cloned_from": "680a7c9533e918e31ba0c246", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops", "https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html", "https://documents.trendmicro.com/assets/txt/IOCs_VoidDokkaebi_2t9ScKI5.txt" ], "related": { "alienvault": { "adversary": [ "Contagious Interview", "WageMole" ], "malware_families": [], "industries": [ "Finance", "Technology", "Energy" ] }, "other": { "adversary": [ "Void Dokkaebi" ], "malware_families": [], "industries": [ "Finance", "Technology", "Energy" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "68b9d266a57b122998115dc6", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverage multiple intelligence sources including Validin, VirusTotal, and Maltrail. Despite being aware of their infrastructure's detectability, they make only limited changes to reduce detection risk, focusing instead on rapidly deploying new infrastructure to sustain operations. The actors' effectiveness is evident in their engagement of over 230 victims between January and March 2025, primarily targeting individuals in the cryptocurrency industry. Their activities involve sophisticated social engineering tactics, including the ClickFix technique, to trick targets into executing malware.", "modified": "2025-10-04T17:00:59.344000", "created": "2025-09-04T17:54:46.837000", "tags": [ "cyber espionage", "social engineering", "north korea", "job seeker targeting", "clickfix", "lazarus", "infrastructure monitoring", "cryptocurrency", "contagiousdrop" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops" ], "public": 1, "adversary": "Contagious Interview", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 44164, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 116, "FileHash-SHA1": 99, "FileHash-SHA256": 246, "CVE": 1, "domain": 2140, "hostname": 1231 }, "indicator_count": 3833, "is_author": false, "is_subscribing": null, "subscriber_count": 386477, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680a7c9533e918e31ba0c246", "name": "Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations", "description": "North Korean cybercrime activities heavily rely on Russian IP ranges in Khasan and Khabarovsk, utilizing extensive anonymization networks. The Void Dokkaebi group, linked to North Korea, employs fictitious companies like BlockNovas to target IT professionals through fraudulent job interviews, aiming to steal cryptocurrency and potentially engage in espionage. Their tactics involve using VPNs, proxies, and RDP connections to obscure their origins. Instruction videos suggest the involvement of less-skilled foreign conspirators. The primary focus remains cryptocurrency theft, but there's potential for expanded espionage activities and possible cooperation between North Korean and Russian entities.", "modified": "2025-05-24T17:02:00.860000", "created": "2025-04-24T18:01:56.761000", "tags": [ "cryptocurrency", "BlockNovas", "frostyferret", "beavertail", "social engineering", "invisible ferret", "anonymization networks" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOCs_VoidDokkaebi_2t9ScKI5.txt", "https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html" ], "public": 1, "adversary": "WageMole", "targeted_countries": [ "Ukraine", "Germany", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Technology", "Energy", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 386479, "modified_text": "371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889ff2cfa6a2c08cb85336a", "name": "EbeeJuly2025 Pt2", "description": "IOCs of multiple threaats observed and collected in July 2025", "modified": "2025-08-29T10:02:20.542000", "created": "2025-07-30T11:17:00.302000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "FileHash-MD5": 177, "FileHash-SHA1": 132, "FileHash-SHA256": 216, "domain": 136, "email": 1, "hostname": 101 }, "indicator_count": 828, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680f8b67bf0ff91b859af6a2", "name": "Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations", "description": "Beavertail malware is being used to target North Korean IT workers abroad, according to a report from the International Institute for Strategic Studies (IISS) and the US Department of Defense.", "modified": "2025-05-28T14:00:57.774000", "created": "2025-04-28T14:06:31.343000", "tags": [ "dprk", "ru ip", "call", "ip address", "dprk it", "website", "description", "compromise", "crucial role", "address" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOCs_VoidDokkaebi_2t9ScKI5.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "367 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680e1c6841197adf26561f3f", "name": "Threat Actors Spread Malware via Fake Crypto Firms and Job Interview Lures", "description": "", "modified": "2025-05-27T11:03:13.002000", "created": "2025-04-27T12:00:40.163000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "hostname": 5 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "368 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680af4eb4ec201ffd393ccd3", "name": "IOC&TTP - Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations", "description": "\u672c\u7814\u7a76\u63ed\u793a\u4e86\u4e0e\u671d\u9c9c\u7f51\u7edc\u72af\u7f6a\u6d3b\u52a8\uff08\u5f52\u5c5e Void Dokkaebi\uff0fFamous Chollima\uff09\u6709\u5173\u7684\u4e00\u7ec4\u4fc4\u7f57\u65af IP \u5730\u5740\u6bb5\u4e0e\u57fa\u7840\u8bbe\u65bd\u3002\u8be5\u57fa\u7840\u8bbe\u65bd\u9690\u85cf\u5728\u5546\u4e1a VPN\u3001\u4ee3\u7406\u4e0e\u5927\u6279 VPS/RDP \u670d\u52a1\u5668\u7ec4\u6210\u7684\u591a\u5c42\u533f\u540d\u7f51\u7edc\u4e4b\u540e\uff0c\u5206\u914d\u7ed9\u4f4d\u4e8e\u4fc4\u7f57\u65af\u54c8\u6851\uff08\u8ddd\u671d\u9c9c\u8fb9\u5883 1 \u82f1\u91cc\uff09\u4e0e\u54c8\u5df4\u7f57\u592b\u65af\u514b\u7684\u4e24\u5bb6\u516c\u53f8\u3002", "modified": "2025-05-24T17:02:00.860000", "created": "2025-04-25T02:35:23.642000", "tags": [ "cryptocurrency", "BlockNovas", "frostyferret", "beavertail", "social engineering", "invisible ferret", "anonymization networks" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOCs_VoidDokkaebi_2t9ScKI5.txt", "https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html" ], "public": 1, "adversary": "Void Dokkaebi", "targeted_countries": [ "Ukraine", "Germany", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Technology", "Energy", "Finance" ], "TLP": "white", "cloned_from": "680a7c9533e918e31ba0c246", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680dbcd438e261c29a491e45", "name": "https://games.app.goo.gl/bSyogvMZN7CggQAb8", "description": "", "modified": "2025-05-24T17:02:00.860000", "created": "2025-04-27T05:12:52.155000", "tags": [ "cryptocurrency", "BlockNovas", "frostyferret", "beavertail", "social engineering", "invisible ferret", "anonymization networks" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOCs_VoidDokkaebi_2t9ScKI5.txt", "https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html" ], "public": 1, "adversary": "Void Dokkaebi", "targeted_countries": [ "Ukraine", "Germany", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Technology", "Energy", "Finance" ], "TLP": "white", "cloned_from": "680a7c9533e918e31ba0c246", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Themba1204", "id": "216437", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 0, "modified_text": "371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681061b97e7389ebed7e85e6", "name": "Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations", "description": "", "modified": "2025-05-24T17:02:00.860000", "created": "2025-04-29T05:20:57.394000", "tags": [ "cryptocurrency", "BlockNovas", "frostyferret", "beavertail", "social engineering", "invisible ferret", "anonymization networks" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOCs_VoidDokkaebi_2t9ScKI5.txt", "https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html" ], "public": 1, "adversary": "Void Dokkaebi", "targeted_countries": [ "Ukraine", "Germany", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Technology", "Energy", "Finance" ], "TLP": "white", "cloned_from": "680a7c9533e918e31ba0c246", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "softglide.co", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "softglide.co", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780200920.170642 }