{ "type": "Domain", "indicator": "solutionconect.online", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/solutionconect.online", "alexa": "http://www.alexa.com/siteinfo/solutionconect.online", "indicator": "solutionconect.online", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3412908202, "indicator": "solutionconect.online", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "6298718ccb0c8c00f0485af3", "name": "State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage", "description": "State-sponsored cyber-espionage groups around the world are using the ongoing Russia-Ukraine war as a bait for their attacks, according to research by Check Point Research and Kaspersky Technologies.", "modified": "2022-07-02T00:05:39.094000", "created": "2022-06-02T08:15:08.016000", "tags": [ "el machete", "lyceum", "ukraine", "sidewinder", "apt", "cve201711882", "geopolitical conflict" ], "references": [ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "public": 1, "adversary": "El Machete, Lyceum, SideWinder", "targeted_countries": [ "Venezuela, Bolivarian Republic of", "Israel", "Saudi Arabia", "Pakistan" ], "malware_families": [ { "id": "Loki.Rat Backdoor", "display_name": "Loki.Rat Backdoor", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Energy", "Government", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "hostname": 3, "URL": 8, "domain": 9, "FileHash-MD5": 36, "FileHash-SHA1": 32, "FileHash-SHA256": 49, "CVE": 1, "YARA": 5 }, "indicator_count": 143, "is_author": false, "is_subscribing": null, "subscriber_count": 386496, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "624c29baad734a210134b02c", "name": "State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage", "description": "Geopolitical tensions often make headlines and present a golden opportunity for threat actors to exploit the situation, especially those targeting high-profile victims. In the past month while the Russian invasion of Ukraine was unfolding, Check Point Research (CPR) has observed advanced persistent threat (APT) groups around the world launching new campaigns, or quickly adapting ongoing ones to target victims with spear-phishing emails using the war as a lure. The attackers use decoys ranging from official-looking documents to news articles or even job postings, depending on the targets and region. Many of these lure documents utilize malicious macros or template injection to gain an initial foothold into the targeted organizations, and then launch malware attacks.", "modified": "2022-05-05T00:01:02.977000", "created": "2022-04-05T11:36:25.752000", "tags": [ "APT", "spear-phishing", "Ukraine", "geopolitical conflict" ], "references": [ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "public": 1, "adversary": "El Machete, SideWinder, Lyceum", "targeted_countries": [ "Ukraine", "Russian Federation" ], "malware_families": [ { "id": "Golang", "display_name": "Golang", "target": null }, { "id": "SideWinder", "display_name": "SideWinder", "target": null }, { "id": "Lyceum", "display_name": "Lyceum", "target": null }, { "id": "El Machete", "display_name": "El Machete", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Maritime", "Energy", "Government", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 269, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-MD5": 35, "FileHash-SHA1": 9, "FileHash-SHA256": 27, "CVE": 1, "URL": 4, "YARA": 5, "hostname": 1 }, "indicator_count": 91, "is_author": false, "is_subscribing": null, "subscriber_count": 386500, "modified_text": "1487 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ff12aea0b9ba91d923da14", "name": "Threat Actor Profile: El Machete", "description": "# El Machete - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nEl Machete is a cyber espionage group primarily targeting Spanish-speaking nations. It has been active since at least 2014 and is known for its sophisticated malware and data exfiltration tactics. The group focuses on high-profile targets and is noted for its targeted spear-phishing campaigns.\n\n## Techniques\n* T1497\n* T1114\n* T1566.001\n* T1059.003\n* T1081\n* ... y 92 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Servicios p\u00fablicos\n* Seguridad nacional y asuntos internacionales\n* Telecomunicaciones\n* Servicios educativos\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* Venezuela\n* Italia\n* Colombia\n* Ecuador\n* ... y 28 m\u00e1s", "modified": "2025-04-16T02:15:10.602000", "created": "2025-04-16T02:15:10.602000", "tags": [ "threat_actor", "unknown", "T1497", "T1114", "T1566.001", "T1059.003", "T1081", "T1059.006", "T1059", "T1566.002", "T1082", "T1027", "T1071.001", "T1566", "T1041", "T1105", "T1204.001", "T1049", "T1055", "T1036", "T1503", "T1114.001", "T1053", "T1140", "T1012", "T1071", "T1112", "T1036.005", "T1547", "T1057", "T1008", "T1518", "T1021", "T1011", "T1060", "T1539", "T1587", "T1087", "T1095", "T1102", "T1070", "T1130", "T1552", "T1106", "T1190", "T1007", "T1133", "T1090", "T1016", "T1137", "T1119", "T1124", "T1005", "T1059.001", "T1115", "T1562.001", "T1543", "T1078", "T1083", "T1530", "T1085", "T1003", "T1120", "T1218", "T1048", "T1553", "T1490", "T1497.003", "T1571", "T1204.002", "T1595.002", "T1102.002", "T1583.003", "T1027.009", "T1027.013", "T1132", "T1562", "T1110", "T1059.005", "T1218.007", "T1204", "T1550", "T1136", "T1555", "T1176", "T1204_-_User_Execution", "T1566_-_Phishing", "T1561", "T1583", "T1485", "T1127", "T1595", "T1573", "T1189", "T1486", "T1531", "T1529", "T1053.005", "T1047.", "target:Dominican Republic", "target:Venezuela", "target:Italy", "target:Colombia", "target:Ecuador", "target:Guatemala", "target:Belgium", "target:Malaysia", "target:Brazil", "target:France", "target:Indonesia", "target:United Kingdom", "target:China", "target:Germany", "target:Mexico", "target:Argentina", "target:Netherlands", "target:Japan", "target:Bolivia", "target:Yibuti", "target:Vietnam", "target:Fiyi", "target:Cuba", "target:Camboya", "target:Taiw\u00e1n", "target:United States", "target:Sweden", "target:Ukraine", "target:South Korea", "target:Nicaragua", "target:Canada", "target:Russia", "target:otros" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "hostname": 18, "domain": 59 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "410 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ff1245d4dc2a56e5561a57", "name": "Threat Actor Profile: El Machete", "description": "# El Machete - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nEl Machete is a cyber espionage group primarily targeting Spanish-speaking nations. It has been active since at least 2014 and is known for its sophisticated malware and data exfiltration tactics. The group focuses on high-profile targets and is noted for its targeted spear-phishing campaigns.\n\n## Techniques\n* T1497\n* T1114\n* T1566.001\n* T1059.003\n* T1081\n* ... y 92 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Servicios p\u00fablicos\n* Seguridad nacional y asuntos internacionales\n* Telecomunicaciones\n* Servicios educativos\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* Venezuela\n* Italia\n* Colombia\n* Ecuador\n* ... y 28 m\u00e1s", "modified": "2025-04-16T02:13:25.801000", "created": "2025-04-16T02:13:25.801000", "tags": [ "threat_actor", "unknown", "T1497", "T1114", "T1566.001", "T1059.003", "T1081", "T1059.006", "T1059", "T1566.002", "T1082", "T1027", "T1071.001", "T1566", "T1041", "T1105", "T1204.001", "T1049", "T1055", "T1036", "T1503", "T1114.001", "T1053", "T1140", "T1012", "T1071", "T1112", "T1036.005", "T1547", "T1057", "T1008", "T1518", "T1021", "T1011", "T1060", "T1539", "T1587", "T1087", "T1095", "T1102", "T1070", "T1130", "T1552", "T1106", "T1190", "T1007", "T1133", "T1090", "T1016", "T1137", "T1119", "T1124", "T1005", "T1059.001", "T1115", "T1562.001", "T1543", "T1078", "T1083", "T1530", "T1085", "T1003", "T1120", "T1218", "T1048", "T1553", "T1490", "T1497.003", "T1571", "T1204.002", "T1595.002", "T1102.002", "T1583.003", "T1027.009", "T1027.013", "T1132", "T1562", "T1110", "T1059.005", "T1218.007", "T1204", "T1550", "T1136", "T1555", "T1176", "T1204_-_User_Execution", "T1566_-_Phishing", "T1561", "T1583", "T1485", "T1127", "T1595", "T1573", "T1189", "T1486", "T1531", "T1529", "T1053.005", "T1047.", "target:Dominican Republic", "target:Venezuela", "target:Italy", "target:Colombia", "target:Ecuador", "target:Guatemala", "target:Belgium", "target:Malaysia", "target:Brazil", "target:France", "target:Indonesia", "target:United Kingdom", "target:China", "target:Germany", "target:Mexico", "target:Argentina", "target:Netherlands", "target:Japan", "target:Bolivia", "target:Yibuti", "target:Vietnam", "target:Fiyi", "target:Cuba", "target:Camboya", "target:Taiw\u00e1n", "target:United States", "target:Sweden", "target:Ukraine", "target:South Korea", "target:Nicaragua", "target:Canada", "target:Russia", "target:otros" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "hostname": 18, "domain": 59 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "410 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6773390f17d71879c414676a", "name": "El Machete", "description": "El Machete es un grupo de ciberespionaje activo desde al menos 2014, enfocado en atacar principalmente a naciones de habla hispana. Este grupo es conocido por su sofisticada malware y t\u00e1cticas de exfiltraci\u00f3n de datos, con un enfoque en objetivos de alto perfil, como agencias gubernamentales y organizaciones estrat\u00e9gicas.", "modified": "2025-01-30T00:00:18.927000", "created": "2024-12-31T00:21:35.813000", "tags": [ "cve201711882", "cve20201472", "El Machete" ], "references": [], "public": 1, "adversary": "El Machete", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 473, "FileHash-SHA1": 471, "FileHash-SHA256": 500, "CVE": 9, "domain": 60, "hostname": 18 }, "indicator_count": 1531, "is_author": false, "is_subscribing": null, "subscriber_count": 60, "modified_text": "486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67733b72d522398f5ea0a12d", "name": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar", "description": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar con Intereses en la Administraci\u00f3n P\u00fablica de la Rep\u00fablica Dominicana, Diciembre 2024", "modified": "2025-01-30T00:00:18.927000", "created": "2024-12-31T00:31:46.858000", "tags": [ "cve201711882", "cve20201472" ], "references": [], "public": 1, "adversary": "El Machete, TAG-100, Mirage, Unamed_Grooup", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2631, "FileHash-SHA1": 2168, "FileHash-SHA256": 3401, "CVE": 25, "domain": 977, "hostname": 1226 }, "indicator_count": 10428, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708f66513978034c1c91b0", "name": "Undefined Name", "description": "", "modified": "2023-12-06T15:12:38.363000", "created": "2023-12-06T15:12:38.363000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 256, "domain": 159, "FileHash-MD5": 179, "FileHash-SHA1": 168, "URL": 96, "IPv4": 85, "hostname": 21 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a240e3ecd94ddae472eb6a", "name": "test", "description": "", "modified": "2022-07-09T00:01:52.431000", "created": "2022-06-09T18:50:11.481000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "626d6d47f6da18014c30df7e", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threatmanager", "id": "74623", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 179, "FileHash-SHA1": 168, "FileHash-SHA256": 256, "domain": 159, "IPv4": 85, "hostname": 21, "URL": 96 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 510, "modified_text": "1422 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "624ed1da7f2db82cc9493398", "name": "State-sponsored Attack Groups Launch Spear-phishing Campaigns Using Russia-Ukraine War as a Lure", "description": "At least three different APT groups from across the globe have launched spear-phishing campaigns in mid-March 2022. The attackers are using the ongoing Russo-Ukrainian war as a lure to distribute malware and steal sensitive information.\n\nVictims \nEnergy, financial, and governmental sectors in Nicaragua, Venezuela, Israel, Saudi Arabia, and Pakistan.\n\nThe decoys\nThe campaigns, undertaken by El Machete, Lyceum, and SideWinder, use decoys ranging from official-looking documents to news articles or job postings, depending on the targets and region. Many of the lure documents utilize malicious macros or template injection to gain an initial foothold into the targeted organizations and then launch malware attacks.", "modified": "2022-05-07T00:03:18.570000", "created": "2022-04-07T11:58:18.658000", "tags": [ "iocs lyceum", "el machete", "sidewinder apt", "Russia-Ukraine" ], "references": [ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "public": 1, "adversary": "Informational", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "FileHash-MD5": 35, "FileHash-SHA1": 9, "FileHash-SHA256": 27, "hostname": 1 }, "indicator_count": 80, "is_author": false, "is_subscribing": null, "subscriber_count": 195, "modified_text": "1485 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "624be75d683cfc55476c6350", "name": "State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage - Check Point Research", "description": "State-sponsored cyber-espionage groups around the world are using the ongoing Russia-Ukraine war as a bait for their operations, according to research by Check Point Research, a leading security firm.", "modified": "2022-05-05T00:01:02.977000", "created": "2022-04-05T06:53:17.579000", "tags": [ "golang", "dns", "tcp", "http", "blogspot", "adobe.msi", "el machete", "lyceum", "c server", "ukraine", "python", "apt group", "middle east", "dnsdig", "saudi arabia", "nicaragua", "c communication", "sidewinder", "dark", "kremlin", "keylogger", "agent", "virustotal", "impact", "decoy", "cve201711882", "webdl" ], "references": [ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "public": 1, "adversary": "El Machete", "targeted_countries": [ "China", "Iran, Islamic Republic of", "Venezuela, Bolivarian Republic of", "Nicaragua", "Pakistan", "Ukraine", "Russian Federation" ], "malware_families": [ { "id": "Golang", "display_name": "Golang", "target": null }, { "id": "DNS", "display_name": "DNS", "target": null }, { "id": "TCP", "display_name": "TCP", "target": null }, { "id": "HTTP", "display_name": "HTTP", "target": null }, { "id": "Adobe.msi", "display_name": "Adobe.msi", "target": null }, { "id": "BlogSpot", "display_name": "BlogSpot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Maritime", "Energy", "Government", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5, "URL": 8, "domain": 9, "FileHash-MD5": 35, "FileHash-SHA1": 9, "FileHash-SHA256": 27, "CVE": 1, "YARA": 5 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 871, "modified_text": "1487 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6246de7550b019a8b4d3373b", "name": "El Machete Sidewinder Lyceum IOCs", "description": "El Machete APT: Facebook, Twitter, Instagram, Snapchat, Facebook and Twitter - here is the full list of comments made by people on the site, as well as those on Twitter.", "modified": "2022-05-01T00:02:33.075000", "created": "2022-04-01T11:13:57.858000", "tags": [ "el machete", "sidewinder apt" ], "references": [ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "FileHash-MD5": 35, "FileHash-SHA1": 9, "FileHash-SHA256": 27, "URL": 3, "hostname": 1 }, "indicator_count": 83, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "1491 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "related": { "alienvault": { "adversary": [ "El Machete, Lyceum, SideWinder", "El Machete, SideWinder, Lyceum" ], "malware_families": [ "El machete", "Lyceum", "Loki.rat backdoor", "Golang", "Sidewinder" ], "industries": [ "Government", "Maritime", "Energy", "Financial" ] }, "other": { "adversary": [ "Informational", "El Machete", "El Machete, TAG-100, Mirage, Unamed_Grooup" ], "malware_families": [ "Blogspot", "Golang", "Tcp", "Adobe.msi", "Http", "Dns" ], "industries": [ "Government", "Maritime", "Energy", "Financial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "6298718ccb0c8c00f0485af3", "name": "State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage", "description": "State-sponsored cyber-espionage groups around the world are using the ongoing Russia-Ukraine war as a bait for their attacks, according to research by Check Point Research and Kaspersky Technologies.", "modified": "2022-07-02T00:05:39.094000", "created": "2022-06-02T08:15:08.016000", "tags": [ "el machete", "lyceum", "ukraine", "sidewinder", "apt", "cve201711882", "geopolitical conflict" ], "references": [ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "public": 1, "adversary": "El Machete, Lyceum, SideWinder", "targeted_countries": [ "Venezuela, Bolivarian Republic of", "Israel", "Saudi Arabia", "Pakistan" ], "malware_families": [ { "id": "Loki.Rat Backdoor", "display_name": "Loki.Rat Backdoor", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Energy", "Government", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "hostname": 3, "URL": 8, "domain": 9, "FileHash-MD5": 36, "FileHash-SHA1": 32, "FileHash-SHA256": 49, "CVE": 1, "YARA": 5 }, "indicator_count": 143, "is_author": false, "is_subscribing": null, "subscriber_count": 386496, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "624c29baad734a210134b02c", "name": "State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage", "description": "Geopolitical tensions often make headlines and present a golden opportunity for threat actors to exploit the situation, especially those targeting high-profile victims. In the past month while the Russian invasion of Ukraine was unfolding, Check Point Research (CPR) has observed advanced persistent threat (APT) groups around the world launching new campaigns, or quickly adapting ongoing ones to target victims with spear-phishing emails using the war as a lure. The attackers use decoys ranging from official-looking documents to news articles or even job postings, depending on the targets and region. Many of these lure documents utilize malicious macros or template injection to gain an initial foothold into the targeted organizations, and then launch malware attacks.", "modified": "2022-05-05T00:01:02.977000", "created": "2022-04-05T11:36:25.752000", "tags": [ "APT", "spear-phishing", "Ukraine", "geopolitical conflict" ], "references": [ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "public": 1, "adversary": "El Machete, SideWinder, Lyceum", "targeted_countries": [ "Ukraine", "Russian Federation" ], "malware_families": [ { "id": "Golang", "display_name": "Golang", "target": null }, { "id": "SideWinder", "display_name": "SideWinder", "target": null }, { "id": "Lyceum", "display_name": "Lyceum", "target": null }, { "id": "El Machete", "display_name": "El Machete", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Maritime", "Energy", "Government", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 269, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-MD5": 35, "FileHash-SHA1": 9, "FileHash-SHA256": 27, "CVE": 1, "URL": 4, "YARA": 5, "hostname": 1 }, "indicator_count": 91, "is_author": false, "is_subscribing": null, "subscriber_count": 386500, "modified_text": "1487 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ff12aea0b9ba91d923da14", "name": "Threat Actor Profile: El Machete", "description": "# El Machete - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nEl Machete is a cyber espionage group primarily targeting Spanish-speaking nations. It has been active since at least 2014 and is known for its sophisticated malware and data exfiltration tactics. The group focuses on high-profile targets and is noted for its targeted spear-phishing campaigns.\n\n## Techniques\n* T1497\n* T1114\n* T1566.001\n* T1059.003\n* T1081\n* ... y 92 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Servicios p\u00fablicos\n* Seguridad nacional y asuntos internacionales\n* Telecomunicaciones\n* Servicios educativos\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* Venezuela\n* Italia\n* Colombia\n* Ecuador\n* ... y 28 m\u00e1s", "modified": "2025-04-16T02:15:10.602000", "created": "2025-04-16T02:15:10.602000", "tags": [ "threat_actor", "unknown", "T1497", "T1114", "T1566.001", "T1059.003", "T1081", "T1059.006", "T1059", "T1566.002", "T1082", "T1027", "T1071.001", "T1566", "T1041", "T1105", "T1204.001", "T1049", "T1055", "T1036", "T1503", "T1114.001", "T1053", "T1140", "T1012", "T1071", "T1112", "T1036.005", "T1547", "T1057", "T1008", "T1518", "T1021", "T1011", "T1060", "T1539", "T1587", "T1087", "T1095", "T1102", "T1070", "T1130", "T1552", "T1106", "T1190", "T1007", "T1133", "T1090", "T1016", "T1137", "T1119", "T1124", "T1005", "T1059.001", "T1115", "T1562.001", "T1543", "T1078", "T1083", "T1530", "T1085", "T1003", "T1120", "T1218", "T1048", "T1553", "T1490", "T1497.003", "T1571", "T1204.002", "T1595.002", "T1102.002", "T1583.003", "T1027.009", "T1027.013", "T1132", "T1562", "T1110", "T1059.005", "T1218.007", "T1204", "T1550", "T1136", "T1555", "T1176", "T1204_-_User_Execution", "T1566_-_Phishing", "T1561", "T1583", "T1485", "T1127", "T1595", "T1573", "T1189", "T1486", "T1531", "T1529", "T1053.005", "T1047.", "target:Dominican Republic", "target:Venezuela", "target:Italy", "target:Colombia", "target:Ecuador", "target:Guatemala", "target:Belgium", "target:Malaysia", "target:Brazil", "target:France", "target:Indonesia", "target:United Kingdom", "target:China", "target:Germany", "target:Mexico", "target:Argentina", "target:Netherlands", "target:Japan", "target:Bolivia", "target:Yibuti", "target:Vietnam", "target:Fiyi", "target:Cuba", "target:Camboya", "target:Taiw\u00e1n", "target:United States", "target:Sweden", "target:Ukraine", "target:South Korea", "target:Nicaragua", "target:Canada", "target:Russia", "target:otros" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "hostname": 18, "domain": 59 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "410 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ff1245d4dc2a56e5561a57", "name": "Threat Actor Profile: El Machete", "description": "# El Machete - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nEl Machete is a cyber espionage group primarily targeting Spanish-speaking nations. It has been active since at least 2014 and is known for its sophisticated malware and data exfiltration tactics. The group focuses on high-profile targets and is noted for its targeted spear-phishing campaigns.\n\n## Techniques\n* T1497\n* T1114\n* T1566.001\n* T1059.003\n* T1081\n* ... y 92 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Servicios p\u00fablicos\n* Seguridad nacional y asuntos internacionales\n* Telecomunicaciones\n* Servicios educativos\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* Venezuela\n* Italia\n* Colombia\n* Ecuador\n* ... y 28 m\u00e1s", "modified": "2025-04-16T02:13:25.801000", "created": "2025-04-16T02:13:25.801000", "tags": [ "threat_actor", "unknown", "T1497", "T1114", "T1566.001", "T1059.003", "T1081", "T1059.006", "T1059", "T1566.002", "T1082", "T1027", "T1071.001", "T1566", "T1041", "T1105", "T1204.001", "T1049", "T1055", "T1036", "T1503", "T1114.001", "T1053", "T1140", "T1012", "T1071", "T1112", "T1036.005", "T1547", "T1057", "T1008", "T1518", "T1021", "T1011", "T1060", "T1539", "T1587", "T1087", "T1095", "T1102", "T1070", "T1130", "T1552", "T1106", "T1190", "T1007", "T1133", "T1090", "T1016", "T1137", "T1119", "T1124", "T1005", "T1059.001", "T1115", "T1562.001", "T1543", "T1078", "T1083", "T1530", "T1085", "T1003", "T1120", "T1218", "T1048", "T1553", "T1490", "T1497.003", "T1571", "T1204.002", "T1595.002", "T1102.002", "T1583.003", "T1027.009", "T1027.013", "T1132", "T1562", "T1110", "T1059.005", "T1218.007", "T1204", "T1550", "T1136", "T1555", "T1176", "T1204_-_User_Execution", "T1566_-_Phishing", "T1561", "T1583", "T1485", "T1127", "T1595", "T1573", "T1189", "T1486", "T1531", "T1529", "T1053.005", "T1047.", "target:Dominican Republic", "target:Venezuela", "target:Italy", "target:Colombia", "target:Ecuador", "target:Guatemala", "target:Belgium", "target:Malaysia", "target:Brazil", "target:France", "target:Indonesia", "target:United Kingdom", "target:China", "target:Germany", "target:Mexico", "target:Argentina", "target:Netherlands", "target:Japan", "target:Bolivia", "target:Yibuti", "target:Vietnam", "target:Fiyi", "target:Cuba", "target:Camboya", "target:Taiw\u00e1n", "target:United States", "target:Sweden", "target:Ukraine", "target:South Korea", "target:Nicaragua", "target:Canada", "target:Russia", "target:otros" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "hostname": 18, "domain": 59 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "410 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6773390f17d71879c414676a", "name": "El Machete", "description": "El Machete es un grupo de ciberespionaje activo desde al menos 2014, enfocado en atacar principalmente a naciones de habla hispana. Este grupo es conocido por su sofisticada malware y t\u00e1cticas de exfiltraci\u00f3n de datos, con un enfoque en objetivos de alto perfil, como agencias gubernamentales y organizaciones estrat\u00e9gicas.", "modified": "2025-01-30T00:00:18.927000", "created": "2024-12-31T00:21:35.813000", "tags": [ "cve201711882", "cve20201472", "El Machete" ], "references": [], "public": 1, "adversary": "El Machete", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 473, "FileHash-SHA1": 471, "FileHash-SHA256": 500, "CVE": 9, "domain": 60, "hostname": 18 }, "indicator_count": 1531, "is_author": false, "is_subscribing": null, "subscriber_count": 60, "modified_text": "486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67733b72d522398f5ea0a12d", "name": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar", "description": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar con Intereses en la Administraci\u00f3n P\u00fablica de la Rep\u00fablica Dominicana, Diciembre 2024", "modified": "2025-01-30T00:00:18.927000", "created": "2024-12-31T00:31:46.858000", "tags": [ "cve201711882", "cve20201472" ], "references": [], "public": 1, "adversary": "El Machete, TAG-100, Mirage, Unamed_Grooup", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2631, "FileHash-SHA1": 2168, "FileHash-SHA256": 3401, "CVE": 25, "domain": 977, "hostname": 1226 }, "indicator_count": 10428, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708f66513978034c1c91b0", "name": "Undefined Name", "description": "", "modified": "2023-12-06T15:12:38.363000", "created": "2023-12-06T15:12:38.363000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 256, "domain": 159, "FileHash-MD5": 179, "FileHash-SHA1": 168, "URL": 96, "IPv4": 85, "hostname": 21 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a240e3ecd94ddae472eb6a", "name": "test", "description": "", "modified": "2022-07-09T00:01:52.431000", "created": "2022-06-09T18:50:11.481000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "626d6d47f6da18014c30df7e", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threatmanager", "id": "74623", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 179, "FileHash-SHA1": 168, "FileHash-SHA256": 256, "domain": 159, "IPv4": 85, "hostname": 21, "URL": 96 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 510, "modified_text": "1422 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "624ed1da7f2db82cc9493398", "name": "State-sponsored Attack Groups Launch Spear-phishing Campaigns Using Russia-Ukraine War as a Lure", "description": "At least three different APT groups from across the globe have launched spear-phishing campaigns in mid-March 2022. The attackers are using the ongoing Russo-Ukrainian war as a lure to distribute malware and steal sensitive information.\n\nVictims \nEnergy, financial, and governmental sectors in Nicaragua, Venezuela, Israel, Saudi Arabia, and Pakistan.\n\nThe decoys\nThe campaigns, undertaken by El Machete, Lyceum, and SideWinder, use decoys ranging from official-looking documents to news articles or job postings, depending on the targets and region. Many of the lure documents utilize malicious macros or template injection to gain an initial foothold into the targeted organizations and then launch malware attacks.", "modified": "2022-05-07T00:03:18.570000", "created": "2022-04-07T11:58:18.658000", "tags": [ "iocs lyceum", "el machete", "sidewinder apt", "Russia-Ukraine" ], "references": [ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "public": 1, "adversary": "Informational", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "FileHash-MD5": 35, "FileHash-SHA1": 9, "FileHash-SHA256": 27, "hostname": 1 }, "indicator_count": 80, "is_author": false, "is_subscribing": null, "subscriber_count": 195, "modified_text": "1485 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "624be75d683cfc55476c6350", "name": "State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage - Check Point Research", "description": "State-sponsored cyber-espionage groups around the world are using the ongoing Russia-Ukraine war as a bait for their operations, according to research by Check Point Research, a leading security firm.", "modified": "2022-05-05T00:01:02.977000", "created": "2022-04-05T06:53:17.579000", "tags": [ "golang", "dns", "tcp", "http", "blogspot", "adobe.msi", "el machete", "lyceum", "c server", "ukraine", "python", "apt group", "middle east", "dnsdig", "saudi arabia", "nicaragua", "c communication", "sidewinder", "dark", "kremlin", "keylogger", "agent", "virustotal", "impact", "decoy", "cve201711882", "webdl" ], "references": [ "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/" ], "public": 1, "adversary": "El Machete", "targeted_countries": [ "China", "Iran, Islamic Republic of", "Venezuela, Bolivarian Republic of", "Nicaragua", "Pakistan", "Ukraine", "Russian Federation" ], "malware_families": [ { "id": "Golang", "display_name": "Golang", "target": null }, { "id": "DNS", "display_name": "DNS", "target": null }, { "id": "TCP", "display_name": "TCP", "target": null }, { "id": "HTTP", "display_name": "HTTP", "target": null }, { "id": "Adobe.msi", "display_name": "Adobe.msi", "target": null }, { "id": "BlogSpot", "display_name": "BlogSpot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Maritime", "Energy", "Government", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5, "URL": 8, "domain": 9, "FileHash-MD5": 35, "FileHash-SHA1": 9, "FileHash-SHA256": 27, "CVE": 1, "YARA": 5 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 871, "modified_text": "1487 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "solutionconect.online", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "solutionconect.online", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780212894.264637 }