{
  "type": "Domain",
  "indicator": "solidclouaps.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/solidclouaps.com",
    "alexa": "http://www.alexa.com/siteinfo/solidclouaps.com",
    "indicator": "solidclouaps.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4212519277,
      "indicator": "solidclouaps.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "69ce72d31ea34ba5bf56dd3f",
          "name": "Payload_Delivery | Apr 3, 2026 | Part 2/2",
          "description": "Payload_Delivery indicators. Date: Apr 3, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-04-02T13:44:51.831000",
          "created": "2026-04-02T13:44:51.831000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 198,
            "domain": 47,
            "URL": 21,
            "FileHash-SHA256": 8
          },
          "indicator_count": 274,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "17 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cd212598ebef88023df849",
          "name": "Payload_Delivery | Apr 2, 2026 | Part 2/2",
          "description": "Payload_Delivery indicators. Date: Apr 2, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-04-01T13:44:05.531000",
          "created": "2026-04-01T13:44:05.531000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 300,
            "domain": 31,
            "FileHash-SHA256": 10,
            "URL": 32
          },
          "indicator_count": 373,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "18 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cbcfe9fe9acca9435fbe67",
          "name": "Payload_Delivery | Apr 1, 2026 | Part 1/2",
          "description": "Payload_Delivery indicators. Date: Apr 1, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-31T13:45:12.898000",
          "created": "2026-03-31T13:45:12.898000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1423,
            "URL": 322,
            "domain": 182,
            "FileHash-MD5": 8,
            "FileHash-SHA256": 44
          },
          "indicator_count": 1979,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "19 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ca84aed1e255f5db00175a",
          "name": "Payload_Delivery | Mar 31, 2026 | Part 1/2",
          "description": "Payload_Delivery indicators. Date: Mar 31, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-30T14:11:58.362000",
          "created": "2026-03-30T14:11:58.362000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1480,
            "URL": 282,
            "domain": 173,
            "FileHash-SHA256": 39,
            "FileHash-MD5": 4
          },
          "indicator_count": 1978,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "20 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ca0d4831434d5a7e8022e2",
          "name": "Payload_Delivery | Mar 30, 2026 | Part 1/2",
          "description": "Payload_Delivery indicators. Date: Mar 30, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-30T05:42:32.279000",
          "created": "2026-03-30T05:42:32.279000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1474,
            "URL": 280,
            "FileHash-SHA256": 39,
            "domain": 169,
            "FileHash-MD5": 10
          },
          "indicator_count": 1972,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "20 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c93221a2eeac76d933f90f",
          "name": "Payload_Delivery | Mar 30, 2026 | Part 1/2",
          "description": "Payload_Delivery indicators. Date: Mar 30, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-29T14:07:29.211000",
          "created": "2026-03-29T14:07:29.211000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1429,
            "URL": 293,
            "domain": 199,
            "FileHash-SHA256": 40,
            "FileHash-MD5": 10
          },
          "indicator_count": 1971,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "21 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c6921562120e46f26dcfa5",
          "name": "Payload_Delivery | Mar 28, 2026 | Part 1/2",
          "description": "Payload_Delivery indicators. Date: Mar 28, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-27T14:20:05.461000",
          "created": "2026-03-27T14:20:05.461000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1488,
            "URL": 295,
            "domain": 173,
            "FileHash-SHA256": 22,
            "FileHash-MD5": 6
          },
          "indicator_count": 1984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "23 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699587d1238b5eafc1f1b450",
          "name": "ClickFix Resurgence in 2026: Matanbuchus 3.0 and AstarionRAT Drive Advanced Multi-Stage Intrusion Campaign",
          "description": "In February 2026, a targeted intrusion by the Huntress Tactical Response team highlighted a resurgence of the ClickFix infection method, which exploits social engineering tactics to manipulate users into executing malicious commands. This technique had become a primary vector for initial access, favored by both cybercriminals and nation-state actors throughout 2025. The ClickFix method bypasses conventional security protocols by turning users into unwitting spreaders of malware.\n\nA notable combination unveiled during the incident was that of ClickFix and Matanbuchus 3.0, the latter of which re-emerged after a brief pause in May 2025. Matanbuchus is introduced through ClickFix's prompts and uses silent MSI installations as part of its intricate execution chain.",
          "modified": "2026-03-20T09:37:45.201000",
          "created": "2026-02-18T09:35:13.374000",
          "tags": [
            "matanbuchus",
            "astarionrat",
            "appdata",
            "psexec",
            "pe loader",
            "windows server",
            "dll sideloading",
            "c2 url",
            "lua script",
            "accepteula s",
            "february",
            "defender",
            "info",
            "cobalt strike",
            "qakbot",
            "danabot",
            "https",
            "rhadamanthys",
            "netsupport",
            "qilin",
            "nexus threat",
            "huntress"
          ],
          "references": [
            "https://www.huntress.com/blog/clickfix-matanbuchus-astarionrat-analysis"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Rhadamanthys",
              "display_name": "Rhadamanthys",
              "target": null
            },
            {
              "id": "Qilin",
              "display_name": "Qilin",
              "target": null
            },
            {
              "id": "Matanbuchus",
              "display_name": "Matanbuchus",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1001.003",
              "name": "Protocol Impersonation",
              "display_name": "T1001.003 - Protocol Impersonation"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 8,
            "URL": 2,
            "domain": 4,
            "hostname": 1
          },
          "indicator_count": 15,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6994aee0c1d3ced102489f4c",
          "name": "ACTIVIDAD MALICIOSA | relacionada con ClickFix 17022025",
          "description": "ClickFixRAT es una sofisticada campa\u00f1a de intrusi\u00f3n que combina una trampa de ingenier\u00eda social conocida como \"ClickFix\" con un cargador de malware premium (Matanbuchus 3.0) para desplegar un nuevo y poderoso troyano de acceso remoto (RAT) llamado AstarionRAT. La cadena de ataque es inusualmente compleja, comenzando con un usuario enga\u00f1ado para copiar y pegar un comando que inicia una instalaci\u00f3n MSI silenciosa. A trav\u00e9s de una secuencia de m\u00faltiples capas que incluyen carga lateral de DLL (Zillya Antivirus y Java), descifrado de shellcode, un int\u00e9rprete Lua integrado y un cargador PE reflexivo personalizado, se implanta AstarionRAT en la memoria.",
          "modified": "2026-02-17T18:09:36.532000",
          "created": "2026-02-17T18:09:36.532000",
          "tags": [
            "captcha",
            "guardio",
            "google scripts",
            "linux",
            "source",
            "new booking",
            "clickfix fake",
            "show enhanced",
            "targeting macos",
            "linux published",
            "august",
            "clearfake",
            "lumma stealer",
            "evolution",
            "powershell",
            "impact",
            "lumma",
            "lostkeys",
            "kongtuke filefix",
            "clickfix",
            "booking",
            "appdata",
            "urls",
            "rutas",
            "archivos",
            "docuray",
            "helixshield",
            "localappdata",
            "hashes",
            "sha256",
            "info",
            "matanbuchus",
            "tcticas ta0001",
            "initial access",
            "ta0005 defense",
            "ta0008 lateral",
            "movement",
            "ta0011 command",
            "control",
            "tcnicas t1204",
            "user execution",
            "files"
          ],
          "references": [
            "https://darfe.es/ciberwiki/index.php?title=ClickFixRAT",
            "https://www.huntress.com/",
            "https://www.technadu.com/",
            "https://www.virustotal.com/graph/embed/g120ea0e1059d40aab1888edb2c84ec2ef515dea5a3944d7fa9c6ec5a810c4601?theme=light"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "LOSTKEYS",
              "display_name": "LOSTKEYS",
              "target": null
            },
            {
              "id": "KongTuke FileFix",
              "display_name": "KongTuke FileFix",
              "target": null
            },
            {
              "id": "ClickFix",
              "display_name": "ClickFix",
              "target": null
            },
            {
              "id": "Booking",
              "display_name": "Booking",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5,
            "FileHash-SHA256": 8,
            "URL": 3,
            "hostname": 1
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 266,
          "modified_text": "61 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g120ea0e1059d40aab1888edb2c84ec2ef515dea5a3944d7fa9c6ec5a810c4601?theme=light",
        "https://ltna.com.au/cyber",
        "https://darfe.es/ciberwiki/index.php?title=ClickFixRAT",
        "https://www.technadu.com/",
        "https://www.huntress.com/",
        "https://www.huntress.com/blog/clickfix-matanbuchus-astarionrat-analysis"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Booking",
            "Qilin",
            "Rhadamanthys",
            "Kongtuke filefix",
            "Lostkeys",
            "Clickfix",
            "Lumma",
            "Matanbuchus"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "69ce72d31ea34ba5bf56dd3f",
      "name": "Payload_Delivery | Apr 3, 2026 | Part 2/2",
      "description": "Payload_Delivery indicators. Date: Apr 3, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-04-02T13:44:51.831000",
      "created": "2026-04-02T13:44:51.831000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 198,
        "domain": 47,
        "URL": 21,
        "FileHash-SHA256": 8
      },
      "indicator_count": 274,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "17 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cd212598ebef88023df849",
      "name": "Payload_Delivery | Apr 2, 2026 | Part 2/2",
      "description": "Payload_Delivery indicators. Date: Apr 2, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-04-01T13:44:05.531000",
      "created": "2026-04-01T13:44:05.531000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 300,
        "domain": 31,
        "FileHash-SHA256": 10,
        "URL": 32
      },
      "indicator_count": 373,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "18 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cbcfe9fe9acca9435fbe67",
      "name": "Payload_Delivery | Apr 1, 2026 | Part 1/2",
      "description": "Payload_Delivery indicators. Date: Apr 1, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-31T13:45:12.898000",
      "created": "2026-03-31T13:45:12.898000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1423,
        "URL": 322,
        "domain": 182,
        "FileHash-MD5": 8,
        "FileHash-SHA256": 44
      },
      "indicator_count": 1979,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "19 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ca84aed1e255f5db00175a",
      "name": "Payload_Delivery | Mar 31, 2026 | Part 1/2",
      "description": "Payload_Delivery indicators. Date: Mar 31, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-30T14:11:58.362000",
      "created": "2026-03-30T14:11:58.362000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1480,
        "URL": 282,
        "domain": 173,
        "FileHash-SHA256": 39,
        "FileHash-MD5": 4
      },
      "indicator_count": 1978,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "20 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ca0d4831434d5a7e8022e2",
      "name": "Payload_Delivery | Mar 30, 2026 | Part 1/2",
      "description": "Payload_Delivery indicators. Date: Mar 30, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-30T05:42:32.279000",
      "created": "2026-03-30T05:42:32.279000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1474,
        "URL": 280,
        "FileHash-SHA256": 39,
        "domain": 169,
        "FileHash-MD5": 10
      },
      "indicator_count": 1972,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "20 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c93221a2eeac76d933f90f",
      "name": "Payload_Delivery | Mar 30, 2026 | Part 1/2",
      "description": "Payload_Delivery indicators. Date: Mar 30, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-29T14:07:29.211000",
      "created": "2026-03-29T14:07:29.211000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1429,
        "URL": 293,
        "domain": 199,
        "FileHash-SHA256": 40,
        "FileHash-MD5": 10
      },
      "indicator_count": 1971,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "21 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c6921562120e46f26dcfa5",
      "name": "Payload_Delivery | Mar 28, 2026 | Part 1/2",
      "description": "Payload_Delivery indicators. Date: Mar 28, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-27T14:20:05.461000",
      "created": "2026-03-27T14:20:05.461000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1488,
        "URL": 295,
        "domain": 173,
        "FileHash-SHA256": 22,
        "FileHash-MD5": 6
      },
      "indicator_count": 1984,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "23 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "699587d1238b5eafc1f1b450",
      "name": "ClickFix Resurgence in 2026: Matanbuchus 3.0 and AstarionRAT Drive Advanced Multi-Stage Intrusion Campaign",
      "description": "In February 2026, a targeted intrusion investigated by the Huntress Tactical Response team highlighted a resurgence of the ClickFix infection method, which exploits social engineering tactics to manipulate users into executing malicious commands. This technique had become a primary vector for initial access, favored by both cybercriminals and nation-state actors throughout 2025. The ClickFix method bypasses conventional security protocols by turning users into unwitting spreaders of malware.\n\nA notable combination unveiled during the incident was that of ClickFix and Matanbuchus 3.0, the latter of which re-emerged after a brief pause in May 2025. Matanbuchus is introduced through ClickFix's prompts and uses silent MSI installations as part of its intricate execution chain.",
      "modified": "2026-03-20T09:37:45.201000",
      "created": "2026-02-18T09:35:13.374000",
      "tags": [
        "matanbuchus",
        "astarionrat",
        "appdata",
        "psexec",
        "pe loader",
        "windows server",
        "dll sideloading",
        "c2 url",
        "lua script",
        "accepteula s",
        "february",
        "defender",
        "info",
        "cobalt strike",
        "qakbot",
        "danabot",
        "https",
        "rhadamanthys",
        "netsupport",
        "qilin",
        "nexus threat",
        "huntress"
      ],
      "references": [
        "https://www.huntress.com/blog/clickfix-matanbuchus-astarionrat-analysis"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Rhadamanthys",
          "display_name": "Rhadamanthys",
          "target": null
        },
        {
          "id": "Qilin",
          "display_name": "Qilin",
          "target": null
        },
        {
          "id": "Matanbuchus",
          "display_name": "Matanbuchus",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1001.003",
          "name": "Protocol Impersonation",
          "display_name": "T1001.003 - Protocol Impersonation"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 8,
        "URL": 2,
        "domain": 4,
        "hostname": 1
      },
      "indicator_count": 15,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 171,
      "modified_text": "30 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6994aee0c1d3ced102489f4c",
      "name": "ACTIVIDAD MALICIOSA | relacionada con ClickFix 17022025",
      "description": "ClickFixRAT es una sofisticada campa\u00f1a de intrusi\u00f3n que combina una trampa de ingenier\u00eda social conocida como \"ClickFix\" con un cargador de malware premium (Matanbuchus 3.0) para desplegar un nuevo y poderoso troyano de acceso remoto (RAT) llamado AstarionRAT. La cadena de ataque es inusualmente compleja, comenzando con un usuario enga\u00f1ado para copiar y pegar un comando que inicia una instalaci\u00f3n MSI silenciosa. A trav\u00e9s de una secuencia de m\u00faltiples capas que incluyen carga lateral de DLL (Zillya Antivirus y Java), descifrado de shellcode, un int\u00e9rprete Lua integrado y un cargador PE reflexivo personalizado, se implanta AstarionRAT en la memoria.",
      "modified": "2026-02-17T18:09:36.532000",
      "created": "2026-02-17T18:09:36.532000",
      "tags": [
        "captcha",
        "guardio",
        "google scripts",
        "linux",
        "source",
        "new booking",
        "clickfix fake",
        "show enhanced",
        "targeting macos",
        "linux published",
        "august",
        "clearfake",
        "lumma stealer",
        "evolution",
        "powershell",
        "impact",
        "lumma",
        "lostkeys",
        "kongtuke filefix",
        "clickfix",
        "booking",
        "appdata",
        "urls",
        "rutas",
        "archivos",
        "docuray",
        "helixshield",
        "localappdata",
        "hashes",
        "sha256",
        "info",
        "matanbuchus",
        "tcticas ta0001",
        "initial access",
        "ta0005 defense",
        "ta0008 lateral",
        "movement",
        "ta0011 command",
        "control",
        "tcnicas t1204",
        "user execution",
        "files"
      ],
      "references": [
        "https://darfe.es/ciberwiki/index.php?title=ClickFixRAT",
        "https://www.huntress.com/",
        "https://www.technadu.com/",
        "https://www.virustotal.com/graph/embed/g120ea0e1059d40aab1888edb2c84ec2ef515dea5a3944d7fa9c6ec5a810c4601?theme=light"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "LOSTKEYS",
          "display_name": "LOSTKEYS",
          "target": null
        },
        {
          "id": "KongTuke FileFix",
          "display_name": "KongTuke FileFix",
          "target": null
        },
        {
          "id": "ClickFix",
          "display_name": "ClickFix",
          "target": null
        },
        {
          "id": "Booking",
          "display_name": "Booking",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "esoporteingenieria2020",
        "id": "121604",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 5,
        "FileHash-SHA256": 8,
        "URL": 3,
        "hostname": 1
      },
      "indicator_count": 17,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 266,
      "modified_text": "61 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "solidclouaps.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "solidclouaps.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776660876.7457168
}