{
  "type": "Domain",
  "indicator": "stomcs.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/stomcs.com",
    "alexa": "http://www.alexa.com/siteinfo/stomcs.com",
    "indicator": "stomcs.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4197052021,
      "indicator": "stomcs.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "698b41f0cbddf7e999ffcef9",
          "name": "AI/LLM-Generated Malware Used to Exploit\u00a0React2Shell",
          "description": "",
          "modified": "2026-03-12T14:03:57.105000",
          "created": "2026-02-10T14:34:24.334000",
          "tags": [
            "snappybee",
            "virtualprotect",
            "virtualalloc",
            "dllmain",
            "follow",
            "deed rat",
            "salt typhoon",
            "trendmicro",
            "november",
            "cobalt strike",
            "python",
            "malware",
            "loader"
          ],
          "references": [
            "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell?utm_source=CSN"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 7,
            "URL": 7,
            "domain": 5
          },
          "indicator_count": 32,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "79 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698706eecc969b79f039207f",
          "name": "AppleScript Abuse: Unpacking a macOS Phishing Campaign",
          "description": "A recent malware campaign targeting macOS users has been identified, leveraging social engineering and the abuse of the macOS Transparency, Consent, and Control (TCC) feature. The primary attack vector begins with a phishing email that entices users to download an AppleScript file disguised as a genuine Microsoft document, titled \"Confirmation_Token_Vesting.docx.scpt\". This technique is designed to exploit the victim's trust, prompting them to execute the file.\n\nThe core of the attack utilizes AppleScript as a loader, effectively bypassing traditional security measures by manipulating the TCC authorizations. By doing so, the threat actor is able to achieve persistent access to the compromised network without the need to exploit any inherent software vulnerabilities. This method highlights the risks associated with social engineering and the potential for unauthorized access through trusted user interfaces.",
          "modified": "2026-03-09T09:03:33.048000",
          "created": "2026-02-07T09:33:34.247000",
          "tags": [
            "snappybee",
            "virtualprotect",
            "virtualalloc",
            "dllmain",
            "follow",
            "deed rat",
            "salt typhoon",
            "trendmicro",
            "november",
            "cobalt strike",
            "python",
            "malware",
            "loader",
            "javascript",
            "darktrace",
            "darktrace identifies",
            "windows",
            "phishing",
            "tara gould"
          ],
          "references": [
            "https://www.darktrace.com/blog/applescript-abuse-unpacking-a-macos-phishing-campaign"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "JavaScript",
              "display_name": "JavaScript",
              "target": null
            },
            {
              "id": "Darktrace",
              "display_name": "Darktrace",
              "target": null
            },
            {
              "id": "Darktrace Identifies",
              "display_name": "Darktrace Identifies",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Phishing",
              "display_name": "Phishing",
              "target": null
            },
            {
              "id": "Tara Gould",
              "display_name": "Tara Gould",
              "target": null
            },
            {
              "id": "SnappyBee",
              "display_name": "SnappyBee",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1553.006",
              "name": "Code Signing Policy Modification",
              "display_name": "T1553.006 - Code Signing Policy Modification"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1222.002",
              "name": "Linux and Mac File and Directory Permissions Modification",
              "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 6,
            "domain": 3
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "82 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69834660add8eb64927d7c1c",
          "name": "Threat Intelligence | Analysis of Token Vesting Phishing Poisoning",
          "description": "A targeted attack on the macOS operating system, using a disguised AppleScript, has been uncovered by researchers at the Chainbase Lab and the SlowMist security team, who are working with them to identify the attackers.",
          "modified": "2026-03-06T13:05:53.910000",
          "created": "2026-02-04T13:15:12.674000",
          "tags": [
            "applescript",
            "chainbase",
            "audit",
            "control",
            "january",
            "united nations",
            "intelligence",
            "analysis",
            "token vesting",
            "min read2",
            "phishing",
            "terminal",
            "desktop",
            "crypto"
          ],
          "references": [
            "https://slowmist.medium.com/threat-intelligence-analysis-of-token-vesting-phishing-poisoning-50f39f5b9718"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3,
            "URL": 2,
            "domain": 4
          },
          "indicator_count": 9,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "85 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://slowmist.medium.com/threat-intelligence-analysis-of-token-vesting-phishing-poisoning-50f39f5b9718",
        "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell?utm_source=CSN",
        "https://www.darktrace.com/blog/applescript-abuse-unpacking-a-macos-phishing-campaign"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Cobalt strike",
            "Javascript",
            "Tara gould",
            "Phishing",
            "Darktrace identifies",
            "Snappybee",
            "Windows",
            "Darktrace"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "698b41f0cbddf7e999ffcef9",
      "name": "AI/LLM-Generated Malware Used to Exploit\u00a0React2Shell",
      "description": "",
      "modified": "2026-03-12T14:03:57.105000",
      "created": "2026-02-10T14:34:24.334000",
      "tags": [
        "snappybee",
        "virtualprotect",
        "virtualalloc",
        "dllmain",
        "follow",
        "deed rat",
        "salt typhoon",
        "trendmicro",
        "november",
        "cobalt strike",
        "python",
        "malware",
        "loader"
      ],
      "references": [
        "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell?utm_source=CSN"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 7,
        "URL": 7,
        "domain": 5
      },
      "indicator_count": 32,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "79 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "698706eecc969b79f039207f",
      "name": "AppleScript Abuse: Unpacking a macOS Phishing Campaign",
      "description": "A recent malware campaign targeting macOS users has been identified, leveraging social engineering and the abuse of the macOS Transparency, Consent, and Control (TCC) feature. The primary attack vector begins with a phishing email that entices users to download an AppleScript file disguised as a genuine Microsoft document, titled \"Confirmation_Token_Vesting.docx.scpt\". This technique is designed to exploit the victim's trust, prompting them to execute the file.\n\nThe core of the attack utilizes AppleScript as a loader, effectively bypassing traditional security measures by manipulating the TCC authorizations. By doing so, the threat actor is able to achieve persistent access to the compromised network without the need to exploit any inherent software vulnerabilities. This method highlights the risks associated with social engineering and the potential for unauthorized access through trusted user interfaces.",
      "modified": "2026-03-09T09:03:33.048000",
      "created": "2026-02-07T09:33:34.247000",
      "tags": [
        "snappybee",
        "virtualprotect",
        "virtualalloc",
        "dllmain",
        "follow",
        "deed rat",
        "salt typhoon",
        "trendmicro",
        "november",
        "cobalt strike",
        "python",
        "malware",
        "loader",
        "javascript",
        "darktrace",
        "darktrace identifies",
        "windows",
        "phishing",
        "tara gould"
      ],
      "references": [
        "https://www.darktrace.com/blog/applescript-abuse-unpacking-a-macos-phishing-campaign"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "JavaScript",
          "display_name": "JavaScript",
          "target": null
        },
        {
          "id": "Darktrace",
          "display_name": "Darktrace",
          "target": null
        },
        {
          "id": "Darktrace Identifies",
          "display_name": "Darktrace Identifies",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "Phishing",
          "display_name": "Phishing",
          "target": null
        },
        {
          "id": "Tara Gould",
          "display_name": "Tara Gould",
          "target": null
        },
        {
          "id": "SnappyBee",
          "display_name": "SnappyBee",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1553.006",
          "name": "Code Signing Policy Modification",
          "display_name": "T1553.006 - Code Signing Policy Modification"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1222.002",
          "name": "Linux and Mac File and Directory Permissions Modification",
          "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1059.002",
          "name": "AppleScript",
          "display_name": "T1059.002 - AppleScript"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 6,
        "domain": 3
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "82 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69834660add8eb64927d7c1c",
      "name": "Threat Intelligence | Analysis of Token Vesting Phishing Poisoning",
      "description": "A targeted attack on the macOS operating system, using a disguised AppleScript, has been uncovered by researchers at the Chainbase Lab and the SlowMist security team, who are working with them to identify the attackers.",
      "modified": "2026-03-06T13:05:53.910000",
      "created": "2026-02-04T13:15:12.674000",
      "tags": [
        "applescript",
        "chainbase",
        "audit",
        "control",
        "january",
        "united nations",
        "intelligence",
        "analysis",
        "token vesting",
        "min read2",
        "phishing",
        "terminal",
        "desktop",
        "crypto"
      ],
      "references": [
        "https://slowmist.medium.com/threat-intelligence-analysis-of-token-vesting-phishing-poisoning-50f39f5b9718"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3,
        "URL": 2,
        "domain": 4
      },
      "indicator_count": 9,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "85 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "stomcs.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "stomcs.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780214635.668641
}