{ "type": "Domain", "indicator": "ssl87362.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ssl87362.com", "alexa": "http://www.alexa.com/siteinfo/ssl87362.com", "indicator": "ssl87362.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4041513308, "indicator": "ssl87362.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "67c1918118f436e845d1d994", "name": "Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally", "description": "The Vo1d botnet has infected 1.6 million Android TV devices across 200+ countries, posing a significant cybersecurity threat. This new variant demonstrates enhanced stealth and resilience, utilizing RSA encryption, DGA-based infrastructure, and a modified XXTEA algorithm. The botnet's scale and capabilities surpass previous major attacks, potentially enabling devastating DDoS attacks or unauthorized content broadcasting. Analysis reveals a sophisticated multi-component system including downloaders, backdoors, and modular malware for proxy services and ad fraud. The botnet's rapid growth and evasion techniques highlight the urgent need for improved security measures in smart TV devices and set-top boxes.", "modified": "2025-03-30T10:00:20.183000", "created": "2025-02-28T10:35:45.145000", "tags": [ "vo1d", "proxy network", "botnet", "android tv", "set-top box" ], "references": [ "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet" ], "public": 1, "adversary": "Vo1d", "targeted_countries": [ "Brazil", "South Africa", "Indonesia", "Argentina", "Thailand", "China", "Morocco", "Philippines", "Germany", "Malaysia", "Pakistan", "Iraq", "Mexico", "Russian Federation", "Ecuador", "British Indian Ocean Territory", "India", "United States of America" ], "malware_families": [ { "id": "Vo1d", "display_name": "Vo1d", "target": null }, { "id": "Mzmess", "display_name": "Mzmess", "target": null }, { "id": "BigPanzi", "display_name": "BigPanzi", "target": null } ], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Media", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 1, "URL": 15, "domain": 8, "hostname": 1 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 387118, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "354 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c58af18e57e8aa6e5eecb7", "name": "Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally", "description": "On February 24, 2025, NBC News reported: \"Unauthorized AI-generated footage suddenly played on televisions at the U.S. Department of Housing and Urban Development (HUD) headquarters in Washington, D.C. The video showed President Donald Trump bowing to kiss Elon Musk's toes, accompanied by the bold caption LONG LIVE THE REAL KING. Staff were unable to shut it down and had to unplug all TVs.\" The incident quickly sparked widespread public debate and caught the attention of the cybersecurity community, prompting a reevaluation of the significant risks posed by hacked devices like televisions and set-top boxes.", "modified": "2025-04-02T10:03:00.822000", "created": "2025-03-03T10:56:49.370000", "tags": [ "dga", "botnet", "android", "backdoor", "en", "vo1d", "vo1d botnet", "january", "february", "china", "below", "redirector c2", "bigpanzi", "dga algorithm", "codomain system", "downloader", "impact", "twitter", "fraud", "drop", "python", "dexloader", "test", "leave", "virustotal" ], "references": [ "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/#ioc" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 2, "FileHash-SHA256": 1, "URL": 15, "domain": 31, "hostname": 15 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c18be84642fbcfd094c2ce", "name": "Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally", "description": "A new variant of the Vo1d botnet is taking control of 1.6 million Android TV devices worldwide, according to a new report by cybersecurity researchers XLab and its artificial intelligence unit.", "modified": "2025-03-30T10:00:20.183000", "created": "2025-02-28T10:11:52.868000", "tags": [ "dga", "en", "android", "backdoor", "botnet", "vo1d", "vo1d botnet", "january", "february", "china", "below", "redirector c2", "dga algorithm", "codomain system", "xxtea key", "downloader", "impact", "twitter", "fraud", "drop", "python", "dexloader", "test", "leave", "virustotal", "bigpanzi", "mirai", "dex" ], "references": [ "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "United States of America", "China" ], "malware_families": [ { "id": "Bigpanzi", "display_name": "Bigpanzi", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "DEX", "display_name": "DEX", "target": null }, { "id": "Vo1d", "display_name": "Vo1d", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 1, "URL": 15, "domain": 31, "hostname": 15 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c50bcf4324f36d0a25634e", "name": "IOC&TTP - Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally", "description": "2025\u5e742\u670824\u65e5\uff0c\u7f8e\u56fd\u5168\u56fd\u5e7f\u64ad\u516c\u53f8\uff08NBC News\uff09\u62a5\u9053\u79f0\uff0c\u7f8e\u56fd\u4f4f\u623f\u4e0e\u57ce\u5e02\u53d1\u5c55\u90e8\uff08HUD\uff09\u603b\u90e8\u7684\u7535\u89c6\u8bbe\u5907\u88ab\u9ed1\u5ba2\u63a7\u5236\uff0c\u64ad\u653e\u4e86\u4e00\u6bb5\u672a\u7ecf\u6388\u6743\u7684AI\u751f\u6210\u89c6\u9891\uff0c\u5f15\u53d1\u793e\u4f1a\u5e7f\u6cdb\u5173\u6ce8\u3002\u8fd9\u4e00\u4e8b\u4ef6\u63ed\u793a\u4e86Vo1d\u50f5\u5c38\u7f51\u7edc\u7684\u65b0\u4e00\u8f6e\u653b\u51fb\u6d3b\u52a8\uff0c\u8be5\u50f5\u5c38\u7f51\u7edc\u5df2\u611f\u67d3\u5168\u7403160\u4e07\u53f0Android\u7535\u89c6\u8bbe\u5907\uff0c\u8986\u76d6\u5168\u7403200\u591a\u4e2a\u56fd\u5bb6\u548c\u5730\u533a\u3002\n\n\u7814\u7a76\u8868\u660e\uff0cVo1d\u50f5\u5c38\u7f51\u7edc\u901a\u8fc7\u6076\u610fDownloader\uff08\u5982s63\uff09\u4f20\u64ad\uff0c\u5229\u7528\u9ad8\u7ea7\u52a0\u5bc6\u7b97\u6cd5\uff08\u5982asr_xxtea\uff09\u8fdb\u884cPayload\u89e3\u5bc6\uff0c\u5e76\u901a\u8fc7RSA\u52a0\u5bc6\u6280\u672f\u4fdd\u62a4C2\uff08\u6307\u6325\u63a7\u5236\uff09\u670d\u52a1\u5668\u4e0d\u88ab\u63a5\u7ba1\u3002\u5176\u4e3b\u8981\u7528\u9014\u5305\u62ec\u5927\u89c4\u6a21DDoS\u653b\u51fb\u3001\u4ee3\u7406\u7f51\u7edc\u642d\u5efa\u3001\u5e7f\u544a\u63a8\u5e7f\u548c\u6d41\u91cf\u6b3a\u8bc8\u7b49\u6076\u610f\u6d3b\u52a8\u3002\u6b64\u5916\uff0cVo1d\u8fd8\u53ef\u80fd\u7528\u4e8e\u4fe1\u606f\u64cd\u7eb5\uff0c\u901a\u8fc7\u52ab\u6301\u7535\u89c6\u8bbe\u5907\u4f20\u64ad\u865a\u5047\u6216\u717d\u52a8\u6027\u5185\u5bb9\uff0c\u5f71\u54cd\u793e\u4f1a\u7a33\u5b9a\u3002\n\nVo1d\u50f5\u5c38\u7f51\u7edc\u91c7\u7528\u4e86\u5148\u8fdb\u7684C2\u57fa\u7840\u8bbe\u65bd\uff0c\u5305\u62ecDGA\uff08\u57df\u540d\u751f\u6210\u7b97\u6cd5\uff09\u751f\u6210\u7684\u6570\u4e07\u4e2a\u57df\u540d\uff0c\u5e76\u5f15\u5165\u4e86Redirector C2\u673a\u5236\u6765\u589e\u5f3a\u9690\u853d\u6027\u3002\u7814\u7a76\u53d1\u73b0\uff0c\u8be5\u7f51\u7edc\u53ef\u80fd\u79df\u8d41\u7ed9\u5176\u4ed6\u9ed1\u4ea7\u56e2\u4f19\uff0c\u4ee5\u652f\u6301\u591a\u79cd\u975e\u6cd5\u4e1a\u52a1\uff0c\u5982Mzmess\u6076\u610f\u8f6f\u4ef6\u5bb6\u65cf\uff0c\u5176\u6a21\u5757\u5316\u7ed3\u6784\u652f\u6301\u8fdc\u7a0b\u63a7\u5236\u3001\u5e7f\u544a\u6295\u653e\u548c\u4ee3\u7406\u6d41\u91cf\u670d\u52a1\u3002\n\n\u7814\u7a76\u4eba\u5458\u8b66\u544a\uff0cVo1d\u50f5\u5c38\u7f51\u7edc\u7684\u6301\u7eed\u8fdb\u5316\u548c\u5e7f\u6cdb\u611f\u67d3\u5bf9\u5168\u7403\u7f51\u7edc\u5b89\u5168\u6784\u6210\u4e25\u91cd\u5a01\u80c1\uff0c\u5e76\u547c\u5401\u5b89\u5168\u793e\u533a\u52a0\u5f3a\u76d1\u6d4b\u4e0e\u9632\u5fa1\uff0c\u4ee5\u9632\u6b62\u66f4\u5927\u89c4\u6a21\u7684\u7f51\u7edc\u653b\u51fb\u548c\u4fe1\u606f\u6218\u7684\u53d1\u751f\u3002", "modified": "2025-03-30T10:00:20.183000", "created": "2025-03-03T01:54:23.566000", "tags": [ "vo1d", "proxy network", "botnet", "android tv", "set-top box" ], "references": [ "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet" ], "public": 1, "adversary": "Vo1d", "targeted_countries": [ "Brazil", "South Africa", "Indonesia", "Argentina", "Thailand", "China", "Morocco", "Philippines", "Germany", "Malaysia", "Pakistan", "Iraq", "Mexico", "Russian Federation", "Ecuador", "British Indian Ocean Territory", "India", "United States of America" ], "malware_families": [ { "id": "Vo1d", "display_name": "Vo1d", "target": null }, { "id": "Mzmess", "display_name": "Mzmess", "target": null }, { "id": "BigPanzi", "display_name": "BigPanzi", "target": null } ], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Media", "Telecommunications" ], "TLP": "white", "cloned_from": "67c1918118f436e845d1d994", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 1, "URL": 15, "domain": 8, "hostname": 1 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet", "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/#ioc", "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/", "https://threatfox.abuse.ch/export/csv/recent/" ], "related": { "alienvault": { "adversary": [ "Vo1d" ], "malware_families": [ "Vo1d", "Mzmess", "Bigpanzi" ], "industries": [ "Telecommunications", "Media" ] }, "other": { "adversary": [ "Vo1d" ], "malware_families": [ "Vo1d", "Dex", "Mirai", "Mzmess", "Bigpanzi" ], "industries": [ "Telecommunications", "Media" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "67c1918118f436e845d1d994", "name": "Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally", "description": "The Vo1d botnet has infected 1.6 million Android TV devices across 200+ countries, posing a significant cybersecurity threat. This new variant demonstrates enhanced stealth and resilience, utilizing RSA encryption, DGA-based infrastructure, and a modified XXTEA algorithm. The botnet's scale and capabilities surpass previous major attacks, potentially enabling devastating DDoS attacks or unauthorized content broadcasting. Analysis reveals a sophisticated multi-component system including downloaders, backdoors, and modular malware for proxy services and ad fraud. The botnet's rapid growth and evasion techniques highlight the urgent need for improved security measures in smart TV devices and set-top boxes.", "modified": "2025-03-30T10:00:20.183000", "created": "2025-02-28T10:35:45.145000", "tags": [ "vo1d", "proxy network", "botnet", "android tv", "set-top box" ], "references": [ "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet" ], "public": 1, "adversary": "Vo1d", "targeted_countries": [ "Brazil", "South Africa", "Indonesia", "Argentina", "Thailand", "China", "Morocco", "Philippines", "Germany", "Malaysia", "Pakistan", "Iraq", "Mexico", "Russian Federation", "Ecuador", "British Indian Ocean Territory", "India", "United States of America" ], "malware_families": [ { "id": "Vo1d", "display_name": "Vo1d", "target": null }, { "id": "Mzmess", "display_name": "Mzmess", "target": null }, { "id": "BigPanzi", "display_name": "BigPanzi", "target": null } ], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Media", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 1, "URL": 15, "domain": 8, "hostname": 1 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 387118, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "354 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c58af18e57e8aa6e5eecb7", "name": "Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally", "description": "On February 24, 2025, NBC News reported: \"Unauthorized AI-generated footage suddenly played on televisions at the U.S. Department of Housing and Urban Development (HUD) headquarters in Washington, D.C. The video showed President Donald Trump bowing to kiss Elon Musk's toes, accompanied by the bold caption LONG LIVE THE REAL KING. Staff were unable to shut it down and had to unplug all TVs.\" The incident quickly sparked widespread public debate and caught the attention of the cybersecurity community, prompting a reevaluation of the significant risks posed by hacked devices like televisions and set-top boxes.", "modified": "2025-04-02T10:03:00.822000", "created": "2025-03-03T10:56:49.370000", "tags": [ "dga", "botnet", "android", "backdoor", "en", "vo1d", "vo1d botnet", "january", "february", "china", "below", "redirector c2", "bigpanzi", "dga algorithm", "codomain system", "downloader", "impact", "twitter", "fraud", "drop", "python", "dexloader", "test", "leave", "virustotal" ], "references": [ "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/#ioc" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 2, "FileHash-SHA256": 1, "URL": 15, "domain": 31, "hostname": 15 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c18be84642fbcfd094c2ce", "name": "Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally", "description": "A new variant of the Vo1d botnet is taking control of 1.6 million Android TV devices worldwide, according to a new report by cybersecurity researchers XLab and its artificial intelligence unit.", "modified": "2025-03-30T10:00:20.183000", "created": "2025-02-28T10:11:52.868000", "tags": [ "dga", "en", "android", "backdoor", "botnet", "vo1d", "vo1d botnet", "january", "february", "china", "below", "redirector c2", "dga algorithm", "codomain system", "xxtea key", "downloader", "impact", "twitter", "fraud", "drop", "python", "dexloader", "test", "leave", "virustotal", "bigpanzi", "mirai", "dex" ], "references": [ "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "United States of America", "China" ], "malware_families": [ { "id": "Bigpanzi", "display_name": "Bigpanzi", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "DEX", "display_name": "DEX", "target": null }, { "id": "Vo1d", "display_name": "Vo1d", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 1, "URL": 15, "domain": 31, "hostname": 15 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c50bcf4324f36d0a25634e", "name": "IOC&TTP - Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally", "description": "2025\u5e742\u670824\u65e5\uff0c\u7f8e\u56fd\u5168\u56fd\u5e7f\u64ad\u516c\u53f8\uff08NBC News\uff09\u62a5\u9053\u79f0\uff0c\u7f8e\u56fd\u4f4f\u623f\u4e0e\u57ce\u5e02\u53d1\u5c55\u90e8\uff08HUD\uff09\u603b\u90e8\u7684\u7535\u89c6\u8bbe\u5907\u88ab\u9ed1\u5ba2\u63a7\u5236\uff0c\u64ad\u653e\u4e86\u4e00\u6bb5\u672a\u7ecf\u6388\u6743\u7684AI\u751f\u6210\u89c6\u9891\uff0c\u5f15\u53d1\u793e\u4f1a\u5e7f\u6cdb\u5173\u6ce8\u3002\u8fd9\u4e00\u4e8b\u4ef6\u63ed\u793a\u4e86Vo1d\u50f5\u5c38\u7f51\u7edc\u7684\u65b0\u4e00\u8f6e\u653b\u51fb\u6d3b\u52a8\uff0c\u8be5\u50f5\u5c38\u7f51\u7edc\u5df2\u611f\u67d3\u5168\u7403160\u4e07\u53f0Android\u7535\u89c6\u8bbe\u5907\uff0c\u8986\u76d6\u5168\u7403200\u591a\u4e2a\u56fd\u5bb6\u548c\u5730\u533a\u3002\n\n\u7814\u7a76\u8868\u660e\uff0cVo1d\u50f5\u5c38\u7f51\u7edc\u901a\u8fc7\u6076\u610fDownloader\uff08\u5982s63\uff09\u4f20\u64ad\uff0c\u5229\u7528\u9ad8\u7ea7\u52a0\u5bc6\u7b97\u6cd5\uff08\u5982asr_xxtea\uff09\u8fdb\u884cPayload\u89e3\u5bc6\uff0c\u5e76\u901a\u8fc7RSA\u52a0\u5bc6\u6280\u672f\u4fdd\u62a4C2\uff08\u6307\u6325\u63a7\u5236\uff09\u670d\u52a1\u5668\u4e0d\u88ab\u63a5\u7ba1\u3002\u5176\u4e3b\u8981\u7528\u9014\u5305\u62ec\u5927\u89c4\u6a21DDoS\u653b\u51fb\u3001\u4ee3\u7406\u7f51\u7edc\u642d\u5efa\u3001\u5e7f\u544a\u63a8\u5e7f\u548c\u6d41\u91cf\u6b3a\u8bc8\u7b49\u6076\u610f\u6d3b\u52a8\u3002\u6b64\u5916\uff0cVo1d\u8fd8\u53ef\u80fd\u7528\u4e8e\u4fe1\u606f\u64cd\u7eb5\uff0c\u901a\u8fc7\u52ab\u6301\u7535\u89c6\u8bbe\u5907\u4f20\u64ad\u865a\u5047\u6216\u717d\u52a8\u6027\u5185\u5bb9\uff0c\u5f71\u54cd\u793e\u4f1a\u7a33\u5b9a\u3002\n\nVo1d\u50f5\u5c38\u7f51\u7edc\u91c7\u7528\u4e86\u5148\u8fdb\u7684C2\u57fa\u7840\u8bbe\u65bd\uff0c\u5305\u62ecDGA\uff08\u57df\u540d\u751f\u6210\u7b97\u6cd5\uff09\u751f\u6210\u7684\u6570\u4e07\u4e2a\u57df\u540d\uff0c\u5e76\u5f15\u5165\u4e86Redirector C2\u673a\u5236\u6765\u589e\u5f3a\u9690\u853d\u6027\u3002\u7814\u7a76\u53d1\u73b0\uff0c\u8be5\u7f51\u7edc\u53ef\u80fd\u79df\u8d41\u7ed9\u5176\u4ed6\u9ed1\u4ea7\u56e2\u4f19\uff0c\u4ee5\u652f\u6301\u591a\u79cd\u975e\u6cd5\u4e1a\u52a1\uff0c\u5982Mzmess\u6076\u610f\u8f6f\u4ef6\u5bb6\u65cf\uff0c\u5176\u6a21\u5757\u5316\u7ed3\u6784\u652f\u6301\u8fdc\u7a0b\u63a7\u5236\u3001\u5e7f\u544a\u6295\u653e\u548c\u4ee3\u7406\u6d41\u91cf\u670d\u52a1\u3002\n\n\u7814\u7a76\u4eba\u5458\u8b66\u544a\uff0cVo1d\u50f5\u5c38\u7f51\u7edc\u7684\u6301\u7eed\u8fdb\u5316\u548c\u5e7f\u6cdb\u611f\u67d3\u5bf9\u5168\u7403\u7f51\u7edc\u5b89\u5168\u6784\u6210\u4e25\u91cd\u5a01\u80c1\uff0c\u5e76\u547c\u5401\u5b89\u5168\u793e\u533a\u52a0\u5f3a\u76d1\u6d4b\u4e0e\u9632\u5fa1\uff0c\u4ee5\u9632\u6b62\u66f4\u5927\u89c4\u6a21\u7684\u7f51\u7edc\u653b\u51fb\u548c\u4fe1\u606f\u6218\u7684\u53d1\u751f\u3002", "modified": "2025-03-30T10:00:20.183000", "created": "2025-03-03T01:54:23.566000", "tags": [ "vo1d", "proxy network", "botnet", "android tv", "set-top box" ], "references": [ "https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet" ], "public": 1, "adversary": "Vo1d", "targeted_countries": [ "Brazil", "South Africa", "Indonesia", "Argentina", "Thailand", "China", "Morocco", "Philippines", "Germany", "Malaysia", "Pakistan", "Iraq", "Mexico", "Russian Federation", "Ecuador", "British Indian Ocean Territory", "India", "United States of America" ], "malware_families": [ { "id": "Vo1d", "display_name": "Vo1d", "target": null }, { "id": "Mzmess", "display_name": "Mzmess", "target": null }, { "id": "BigPanzi", "display_name": "BigPanzi", "target": null } ], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Media", "Telecommunications" ], "TLP": "white", "cloned_from": "67c1918118f436e845d1d994", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 1, "URL": 15, "domain": 8, "hostname": 1 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ssl87362.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ssl87362.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780497607.7332237 }