{ "type": "Domain", "indicator": "solpru.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/solpru.com", "alexa": "http://www.alexa.com/siteinfo/solpru.com", "indicator": "solpru.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4273085254, "indicator": "solpru.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69bbd761dff7b64814123d3f", "name": "From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect", "description": "A newly discovered loader called SILENTCONNECT is being used in active campaigns to silently install ScreenConnect, a remote monitoring and management tool, on victim machines. The infection chain begins with users being redirected to a Cloudflare Turnstile CAPTCHA page disguised as a digital invitation. Upon clicking, a VBScript file is downloaded, which retrieves and executes C# source code in memory using PowerShell. SILENTCONNECT employs various evasion techniques, including PEB masquerading and UAC bypass. The campaigns leverage trusted hosting providers like Google Drive and Cloudflare, and abuse living-off-the-land binaries. The loader has been active since March 2025 and poses a significant threat due to its stealthy nature and effectiveness.", "modified": "2026-04-18T11:12:42.071000", "created": "2026-03-19T11:00:49.933000", "tags": [ "silentconnect", "phishing", "rmm", "loader", "uac bypass", "evasion", "screenconnect", "peb masquerading" ], "references": [ "https://www.elastic.co/security-labs/silentconnect-delivers-screenconnect" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SILENTCONNECT", "display_name": "SILENTCONNECT", "target": null }, { "id": "ScreenConnect", "display_name": "ScreenConnect", "target": null } ], "attack_ids": [ { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "URL": 3, "FileHash-SHA1": 1, "domain": 4 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 386547, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd44f15d660f597a2596b4", "name": "EbeeMar2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:16:49.921000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "CIDR": 1, "CVE": 9, "FileHash-MD5": 178, "FileHash-SHA1": 146, "FileHash-SHA256": 274, "domain": 106, "email": 2, "hostname": 103 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bd45393fac7e92bd363cad", "name": "From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect \u2014 Elastic Security Labs", "description": "", "modified": "2026-04-19T13:08:28.514000", "created": "2026-03-20T13:01:45.600000", "tags": [ "silentconnect", "google drive", "cloudflare", "vbscript file", "below", "uac bypass", "security labs", "captcha page", "powershell", "screenconnect", "defender", "virustotal", "agent", "tools" ], "references": [ "https://www.elastic.co/security-labs/silentconnect-delivers-screenconnect" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "URL": 3, "YARA": 1, "domain": 3, "email": 1 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 865, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.pdf", "https://www.elastic.co/security-labs/silentconnect-delivers-screenconnect" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Screenconnect", "Silentconnect" ], "industries": [] }, "other": { "adversary": [ "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69bbd761dff7b64814123d3f", "name": "From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect", "description": "A newly discovered loader called SILENTCONNECT is being used in active campaigns to silently install ScreenConnect, a remote monitoring and management tool, on victim machines. The infection chain begins with users being redirected to a Cloudflare Turnstile CAPTCHA page disguised as a digital invitation. Upon clicking, a VBScript file is downloaded, which retrieves and executes C# source code in memory using PowerShell. SILENTCONNECT employs various evasion techniques, including PEB masquerading and UAC bypass. The campaigns leverage trusted hosting providers like Google Drive and Cloudflare, and abuse living-off-the-land binaries. The loader has been active since March 2025 and poses a significant threat due to its stealthy nature and effectiveness.", "modified": "2026-04-18T11:12:42.071000", "created": "2026-03-19T11:00:49.933000", "tags": [ "silentconnect", "phishing", "rmm", "loader", "uac bypass", "evasion", "screenconnect", "peb masquerading" ], "references": [ "https://www.elastic.co/security-labs/silentconnect-delivers-screenconnect" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SILENTCONNECT", "display_name": "SILENTCONNECT", "target": null }, { "id": "ScreenConnect", "display_name": "ScreenConnect", "target": null } ], "attack_ids": [ { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "URL": 3, "FileHash-SHA1": 1, "domain": 4 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 386547, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd44f15d660f597a2596b4", "name": "EbeeMar2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:16:49.921000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "CIDR": 1, "CVE": 9, "FileHash-MD5": 178, "FileHash-SHA1": 146, "FileHash-SHA256": 274, "domain": 106, "email": 2, "hostname": 103 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bd45393fac7e92bd363cad", "name": "From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect \u2014 Elastic Security Labs", "description": "", "modified": "2026-04-19T13:08:28.514000", "created": "2026-03-20T13:01:45.600000", "tags": [ "silentconnect", "google drive", "cloudflare", "vbscript file", "below", "uac bypass", "security labs", "captcha page", "powershell", "screenconnect", "defender", "virustotal", "agent", "tools" ], "references": [ "https://www.elastic.co/security-labs/silentconnect-delivers-screenconnect" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "URL": 3, "YARA": 1, "domain": 3, "email": 1 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 865, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "solpru.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "solpru.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780245760.7505708 }