{ "type": "Domain", "indicator": "steamhostserver.cc", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/steamhostserver.cc", "alexa": "http://www.alexa.com/siteinfo/steamhostserver.cc", "indicator": "steamhostserver.cc", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4297597747, "indicator": "steamhostserver.cc", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "6a09a5e6794daa366c9ed8b6", "name": "Fake OpenClaw Installer Used to Steal Crypto Wallets and Password Managers", "description": "", "modified": "2026-05-17T11:26:30.062000", "created": "2026-05-17T11:26:30.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 12, "IPv4": 7, "domain": 7, "hostname": 2 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a04e457fd36871681034888", "name": "bhishmarlodndsaa", "description": "The full text of the text above the full translation of this page: www.beuskq/raw..com. and here is a full list of text-based descriptions:-.", "modified": "2026-05-13T20:51:35.181000", "created": "2026-05-13T20:51:35.181000", "tags": [ "indicator name", "ydznvjljcz6f7" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 16, "FileHash-MD5": 81, "FileHash-SHA1": 46, "FileHash-SHA256": 56, "URL": 3, "domain": 6, "hostname": 4 }, "indicator_count": 212, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03bf4773b48c0ba5708a9c", "name": "hjkhhkjhjhkhkj", "description": "The following is the full text of the text-based code that has been used to identify and identify people using the word \"deepseek\" as a means of identifying and identifying them from the public.", "modified": "2026-05-13T00:01:11.186000", "created": "2026-05-13T00:01:11.186000", "tags": [ "indicator name", "ydznvjljcz6f7", "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 153, "FileHash-MD5": 186, "FileHash-SHA1": 85, "FileHash-SHA256": 81, "IPv4": 657, "domain": 211, "hostname": 561 }, "indicator_count": 1934, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a01c0ba11024cf6c7cad206", "name": "OpenClaw\u2019s Hologram: Fake Installer Ships Rust Infostealer", "description": "A look back at some of the key events in the recent months, as well as the findings of Netskope Threat Labs' analysis of a fake OpenClaw installer campaign that has been active since February 2026.", "modified": "2026-05-11T11:42:50.647000", "created": "2026-05-11T11:42:50.647000", "tags": [ "hologram", "hookdeck", "azure devops", "hologram https", "netskope", "february", "pathfinder", "vini egerland", "ledger live", "netskope threat", "april", "telegram", "vidar", "ghostsocks", "rust", "defender", "phantom", "wave", "music", "powershell", "loader", "global", "back", "mb", "pe", "huntress" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MB", "display_name": "MB", "target": null }, { "id": "PE", "display_name": "PE", "target": null }, { "id": "Huntress", "display_name": "Huntress", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 7, "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 12, "URL": 3, "domain": 11, "hostname": 2 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0143fbf456973ed639a693", "name": "IOC - OpenClaw\u2019s Hologram: Fake Installer Ships Rust Infostealer", "description": "Netskope Threat Labs has found a fake OpenClaw installer delivering red-team-grade capabilities\u2014all pointed at stealing credentials from over 250 crypto wallet and password manager extensions. The dropper\u2019s manifest doesn\u2019t hide the intent: \u201cHologram \u2013 Decoy entity generator for tactical misdirection.\u201d", "modified": "2026-05-11T02:50:35.847000", "created": "2026-05-11T02:50:35.847000", "tags": [ "rust", "packer c2", "packer https", "pe loader", "hologram system", "hologram c2", "telegram bot", "azure devops", "c2 config", "pathfinder", "c2 beacon", "hologram", "delivery site", "c2 relay", "payload", "loader" ], "references": [ "https://www.netskope.com/blog/openclaw-hologram-fake-installer-ships-rust-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 12, "IPv4": 7, "URL": 2, "domain": 9, "hostname": 2 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d41cc8101d74a43d5af53b", "name": "uyiygygyuguhiui", "description": "Hundreds of thousands of people have signed an online petition calling for the server to be shut down in the UK and Ireland, but what does the public say about its use and how much it will cost?", "modified": "2026-05-06T20:14:09.101000", "created": "2026-04-06T20:51:20.071000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 156, "FileHash-SHA1": 156, "FileHash-SHA256": 156, "domain": 2 }, "indicator_count": 470, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.csv", "https://www.netskope.com/blog/openclaw-hologram-fake-installer-ships-rust-infostealer" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053" ], "malware_families": [ "Huntress", "Pe", "Vidar", "Mb" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "6a09a5e6794daa366c9ed8b6", "name": "Fake OpenClaw Installer Used to Steal Crypto Wallets and Password Managers", "description": "", "modified": "2026-05-17T11:26:30.062000", "created": "2026-05-17T11:26:30.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 12, "IPv4": 7, "domain": 7, "hostname": 2 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a04e457fd36871681034888", "name": "bhishmarlodndsaa", "description": "The full text of the text above the full translation of this page: www.beuskq/raw..com. and here is a full list of text-based descriptions:-.", "modified": "2026-05-13T20:51:35.181000", "created": "2026-05-13T20:51:35.181000", "tags": [ "indicator name", "ydznvjljcz6f7" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 16, "FileHash-MD5": 81, "FileHash-SHA1": 46, "FileHash-SHA256": 56, "URL": 3, "domain": 6, "hostname": 4 }, "indicator_count": 212, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03bf4773b48c0ba5708a9c", "name": "hjkhhkjhjhkhkj", "description": "The following is the full text of the text-based code that has been used to identify and identify people using the word \"deepseek\" as a means of identifying and identifying them from the public.", "modified": "2026-05-13T00:01:11.186000", "created": "2026-05-13T00:01:11.186000", "tags": [ "indicator name", "ydznvjljcz6f7", "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 153, "FileHash-MD5": 186, "FileHash-SHA1": 85, "FileHash-SHA256": 81, "IPv4": 657, "domain": 211, "hostname": 561 }, "indicator_count": 1934, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a01c0ba11024cf6c7cad206", "name": "OpenClaw\u2019s Hologram: Fake Installer Ships Rust Infostealer", "description": "A look back at some of the key events in the recent months, as well as the findings of Netskope Threat Labs' analysis of a fake OpenClaw installer campaign that has been active since February 2026.", "modified": "2026-05-11T11:42:50.647000", "created": "2026-05-11T11:42:50.647000", "tags": [ "hologram", "hookdeck", "azure devops", "hologram https", "netskope", "february", "pathfinder", "vini egerland", "ledger live", "netskope threat", "april", "telegram", "vidar", "ghostsocks", "rust", "defender", "phantom", "wave", "music", "powershell", "loader", "global", "back", "mb", "pe", "huntress" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MB", "display_name": "MB", "target": null }, { "id": "PE", "display_name": "PE", "target": null }, { "id": "Huntress", "display_name": "Huntress", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 7, "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 12, "URL": 3, "domain": 11, "hostname": 2 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0143fbf456973ed639a693", "name": "IOC - OpenClaw\u2019s Hologram: Fake Installer Ships Rust Infostealer", "description": "Netskope Threat Labs has found a fake OpenClaw installer delivering red-team-grade capabilities\u2014all pointed at stealing credentials from over 250 crypto wallet and password manager extensions. The dropper\u2019s manifest doesn\u2019t hide the intent: \u201cHologram \u2013 Decoy entity generator for tactical misdirection.\u201d", "modified": "2026-05-11T02:50:35.847000", "created": "2026-05-11T02:50:35.847000", "tags": [ "rust", "packer c2", "packer https", "pe loader", "hologram system", "hologram c2", "telegram bot", "azure devops", "c2 config", "pathfinder", "c2 beacon", "hologram", "delivery site", "c2 relay", "payload", "loader" ], "references": [ "https://www.netskope.com/blog/openclaw-hologram-fake-installer-ships-rust-infostealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 12, "IPv4": 7, "URL": 2, "domain": 9, "hostname": 2 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d41cc8101d74a43d5af53b", "name": "uyiygygyuguhiui", "description": "Hundreds of thousands of people have signed an online petition calling for the server to be shut down in the UK and Ireland, but what does the public say about its use and how much it will cost?", "modified": "2026-05-06T20:14:09.101000", "created": "2026-04-06T20:51:20.071000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 156, "FileHash-SHA1": 156, "FileHash-SHA256": 156, "domain": 2 }, "indicator_count": 470, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "steamhostserver.cc", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "steamhostserver.cc", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780185076.3070333 }