{ "type": "Domain", "indicator": "ssl2.space", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ssl2.space", "alexa": "http://www.alexa.com/siteinfo/ssl2.space", "indicator": "ssl2.space", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4166348738, "indicator": "ssl2.space", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69482851d7b116174128285b", "name": "Black Hole of Trust: SEO Poisoning in Silver Fox's Space Odyssey", "description": "Silver Fox, an advanced persistent threat (APT) group based in China, has been active since its emergence in 2022, with significant operations documented through 2024. The group's tactics, techniques, and procedures (TTPs) notably include SEO poisoning to direct users to malicious domains masquerading as legitimate applications, such as Microsoft Teams. This campaign was partially uncovered through an exposed link management panel that is believed to facilitate the tracking of download activity for backdoor installer applications.", "modified": "2026-01-20T16:05:07.439000", "created": "2025-12-21T17:03:13.273000", "tags": [ "remote access", "holdinghands", "gh0st", "seo" ], "references": [ "https://www.nccgroup.com/media/yc3dlppc/black-hole-of-trust-seo-poisoning-in-silver-fox-s-space-odyssey.pdf" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1036.006", "name": "Space after Filename", "display_name": "T1036.006 - Space after Filename" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [ "Financial", "Medical", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "domain": 45, "hostname": 2 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "131 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.nccgroup.com/media/yc3dlppc/black-hole-of-trust-seo-poisoning-in-silver-fox-s-space-odyssey.pdf", "Book2.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "Silver Fox" ], "malware_families": [], "industries": [ "Financial", "Technology", "Medical" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69482851d7b116174128285b", "name": "Black Hole of Trust: SEO Poisoning in Silver Fox's Space Odyssey", "description": "Silver Fox, an advanced persistent threat (APT) group based in China, has been active since its emergence in 2022, with significant operations documented through 2024. The group's tactics, techniques, and procedures (TTPs) notably include SEO poisoning to direct users to malicious domains masquerading as legitimate applications, such as Microsoft Teams. This campaign was partially uncovered through an exposed link management panel that is believed to facilitate the tracking of download activity for backdoor installer applications.", "modified": "2026-01-20T16:05:07.439000", "created": "2025-12-21T17:03:13.273000", "tags": [ "remote access", "holdinghands", "gh0st", "seo" ], "references": [ "https://www.nccgroup.com/media/yc3dlppc/black-hole-of-trust-seo-poisoning-in-silver-fox-s-space-odyssey.pdf" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1036.006", "name": "Space after Filename", "display_name": "T1036.006 - Space after Filename" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [ "Financial", "Medical", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "domain": 45, "hostname": 2 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "131 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ssl2.space", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ssl2.space", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780249453.2828405 }