{ "type": "Domain", "indicator": "statswpmy.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/statswpmy.com", "alexa": "http://www.alexa.com/siteinfo/statswpmy.com", "indicator": "statswpmy.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4163312133, "indicator": "statswpmy.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d1305db43a2aeb5769dd8a", "name": "Mustard Tempest and the multi-stage malware delivery chain", "description": "The recent activity of the hacker group Cloud Atlas has shown a significant shift in tactics, focusing on leveraging compromised legitimate domains rather than using their infrastructure for malware dissemination. In a targeted campaign against Russian industrial and military organizations, they utilized a decoy DOC file to initiate the download of malware via RTF templates. Subsequent components and payloads were delivered through WebDAV resources on previously legitimate domains, specifically http://atelierdebondy.fr and http://kommando.live, both now compromised.", "modified": "2026-04-04T15:38:05.688000", "created": "2026-04-04T15:38:05.688000", "tags": [ "mustard tempest", "\u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0435 \u043f\u043e", "\u0444\u0438\u0448\u0438\u043d\u0433", "webdav", "pdns", "cms", "tld", "cloud atlas", "cybersecurity", "\u043a\u0438\u0431\u0435\u0440\u0430\u0442\u0430\u043a\u0438", "fakeupdates", "javascript", "atlas", "cloud", "socgholish", "maas", "kommando", "tempest", "ttps", "telegram", "iframe", "hijackloader", "\u0438\u0434\u0435\u043d\u0442\u0438\u0447\u043d\u044b\u0439" ], "references": [ "https://habr.com/ru/companies/pt/articles/1017942/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [ "E-commerce", "Retail" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 10 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694206c7b0f07d2481d4f0ec", "name": "The Detection & Response Chronicles: Exploring Telegram Abuse", "description": "Adversaries increasingly exploit messaging applications like Telegram for malicious activities due to its features that support anonymity, resilience, and ease of communication. In recent security assessments from NVISO's Security Operations Center (SOC), four distinct intrusion attempts notably utilizing Telegram have been identified since October 2025, underscoring its role in various cyberattack strategies.\n\nTelegram acts as a cloud-based messaging platform that facilitates encrypted communications and supports a robust Bot API. This API is frequently co-opted by threat actors who either hard-code bot tokens or leverage particular channels for command-and-control (C2) functions. The platform's characteristics make it appealing for attackers seeking reliable and anonymous ways to execute operations or communicate with compromised systems.", "modified": "2025-12-17T01:26:31.939000", "created": "2025-12-17T01:26:31.939000", "tags": [ "telegram", "strong", "remoteurl", "telegram abuse", "requesturl", "detection", "filename", "response", "nviso", "december", "malware", "monitoring", "stealer", "union", "latrodectus", "hijackloader", "lumma stealer", "raven", "powershell", "discord", "click", "pingback", "fakeupdates deerstealer", "rot15" ], "references": [ "https://blog.nviso.eu/2025/12/16/the-detection-response-chronicles-exploring-telegram-abuse/" ], "public": 1, "adversary": "Lunar_spider", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 30, "domain": 2 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "164 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Book1.csv", "https://habr.com/ru/companies/pt/articles/1017942/", "https://blog.nviso.eu/2025/12/16/the-detection-response-chronicles-exploring-telegram-abuse/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Lunar_spider", "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5." ], "malware_families": [ "" ], "industries": [ "Retail", "E-commerce" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d1305db43a2aeb5769dd8a", "name": "Mustard Tempest and the multi-stage malware delivery chain", "description": "The recent activity of the hacker group Cloud Atlas has shown a significant shift in tactics, focusing on leveraging compromised legitimate domains rather than using their infrastructure for malware dissemination. In a targeted campaign against Russian industrial and military organizations, they utilized a decoy DOC file to initiate the download of malware via RTF templates. Subsequent components and payloads were delivered through WebDAV resources on previously legitimate domains, specifically http://atelierdebondy.fr and http://kommando.live, both now compromised.", "modified": "2026-04-04T15:38:05.688000", "created": "2026-04-04T15:38:05.688000", "tags": [ "mustard tempest", "\u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0435 \u043f\u043e", "\u0444\u0438\u0448\u0438\u043d\u0433", "webdav", "pdns", "cms", "tld", "cloud atlas", "cybersecurity", "\u043a\u0438\u0431\u0435\u0440\u0430\u0442\u0430\u043a\u0438", "fakeupdates", "javascript", "atlas", "cloud", "socgholish", "maas", "kommando", "tempest", "ttps", "telegram", "iframe", "hijackloader", "\u0438\u0434\u0435\u043d\u0442\u0438\u0447\u043d\u044b\u0439" ], "references": [ "https://habr.com/ru/companies/pt/articles/1017942/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [ "E-commerce", "Retail" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 10 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694206c7b0f07d2481d4f0ec", "name": "The Detection & Response Chronicles: Exploring Telegram Abuse", "description": "Adversaries increasingly exploit messaging applications like Telegram for malicious activities due to its features that support anonymity, resilience, and ease of communication. In recent security assessments from NVISO's Security Operations Center (SOC), four distinct intrusion attempts notably utilizing Telegram have been identified since October 2025, underscoring its role in various cyberattack strategies.\n\nTelegram acts as a cloud-based messaging platform that facilitates encrypted communications and supports a robust Bot API. This API is frequently co-opted by threat actors who either hard-code bot tokens or leverage particular channels for command-and-control (C2) functions. The platform's characteristics make it appealing for attackers seeking reliable and anonymous ways to execute operations or communicate with compromised systems.", "modified": "2025-12-17T01:26:31.939000", "created": "2025-12-17T01:26:31.939000", "tags": [ "telegram", "strong", "remoteurl", "telegram abuse", "requesturl", "detection", "filename", "response", "nviso", "december", "malware", "monitoring", "stealer", "union", "latrodectus", "hijackloader", "lumma stealer", "raven", "powershell", "discord", "click", "pingback", "fakeupdates deerstealer", "rot15" ], "references": [ "https://blog.nviso.eu/2025/12/16/the-detection-response-chronicles-exploring-telegram-abuse/" ], "public": 1, "adversary": "Lunar_spider", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 30, "domain": 2 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "164 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "statswpmy.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "statswpmy.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780173774.9590466 }