{ "type": "Domain", "indicator": "stratioai.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/stratioai.org", "alexa": "http://www.alexa.com/siteinfo/stratioai.org", "indicator": "stratioai.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4166970201, "indicator": "stratioai.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "69b91b4202446dd5143da7c3", "name": "Boggy Serpens Threat Assessment", "description": "The Iranian threat group Boggy Serpens, linked to the Ministry of Intelligence and Security, has refined its cyberespionage tactics to focus on trusted relationship compromises and multi-wave targeting of strategic organizations. The group combines social engineering with AI-enhanced malware for long-term persistence, primarily targeting diplomatic and critical infrastructure sectors. Recent campaigns show increased technological capabilities, including AI-generated code and Rust-based tools. Boggy Serpens exploits hijacked accounts to bypass security measures and employs a secondary social engineering prompt to deliver malware. The group's determination is exemplified by a sustained four-wave campaign against a UAE marine and energy company, demonstrating its focus on infiltrating regional maritime infrastructure.", "modified": "2026-04-16T09:05:11.431000", "created": "2026-03-17T09:13:38.496000", "tags": [ "maritime", "nuso", "lamporat", "ai-enhanced malware", "trusted relationship compromise", "energy", "iranian", "cyberespionage", "udpgangster", "critical infrastructure", "blackbeard", "phoenix", "ghostbackdoor", "social engineering" ], "references": [ "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/03/Boggy-Serpens.png", "https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "Egypt", "Hungary", "Israel", "Saudi Arabia", "Turkmenistan" ], "malware_families": [ { "id": "GhostBackDoor", "display_name": "GhostBackDoor", "target": null }, { "id": "BlackBeard", "display_name": "BlackBeard", "target": null }, { "id": "UDPGangster", "display_name": "UDPGangster", "target": null }, { "id": "LampoRAT", "display_name": "LampoRAT", "target": null }, { "id": "Nuso", "display_name": "Nuso", "target": null }, { "id": "Phoenix", "display_name": "Phoenix", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [ "Energy", "Government", "Defense", "Telecommunications", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 31, "domain": 7, "hostname": 1 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 386517, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699c1f410e4279a65c5a7b06", "name": "Chronology of MuddyWater APT Attacks Targeting the Middle East", "description": "This report analyzes the recent activities of the MuddyWater APT group, which primarily targets organizations in the Middle East. The group employs sophisticated spear-phishing techniques, often impersonating legitimate entities and using malicious documents to gain initial access. Their attacks focus on long-term infiltration and intelligence gathering rather than immediate disruption. The report details several attack cases from 2019 to 2026, highlighting the group's evolving tactics, including the abuse of legitimate remote management tools and the use of Rust-based malware. The analysis emphasizes the importance of endpoint detection and response (EDR) solutions in identifying and mitigating these threats, as traditional perimeter-based security measures prove insufficient against such advanced persistent threats.", "modified": "2026-03-25T09:11:53.032000", "created": "2026-02-23T09:34:57.906000", "tags": [ "anydesk", "edr", "middle east", "syncro", "apt", "spear-phishing", "intelligence gathering", "teamviewer", "screenconnect", "initial access", "remote management tools", "atera", "splashtop", "rust-based malware" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/muddywater-apt?hs_amp=true" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "Egypt", "Iraq", "Israel", "Jordan", "Malaysia", "Oman", "Turkmenistan" ], "malware_families": [ { "id": "Syncro", "display_name": "Syncro", "target": null }, { "id": "Atera", "display_name": "Atera", "target": null }, { "id": "Splashtop", "display_name": "Splashtop", "target": null }, { "id": "AnyDesk", "display_name": "AnyDesk", "target": null }, { "id": "TeamViewer", "display_name": "TeamViewer", "target": null }, { "id": "ScreenConnect", "display_name": "ScreenConnect", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" } ], "industries": [ "Government", "Telecommunications", "Education", "Finance", "Energy", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 18, "FileHash-SHA256": 18, "domain": 2 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 386516, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69497ab14e1d473cf9e65693", "name": "UNG0801: Tracking Threat Clusters obsessed with AV Icon Spoofing targeting Israel", "description": "An analysis of threat clusters, dubbed UNG0801 or Operation IconCat, targeting Israeli organizations. The actors use socially engineered phishing lures in Hebrew, exploiting antivirus icon spoofing from well-known vendors like SentinelOne and Check Point. Two distinct infection chains were identified, both utilizing AV-themed decoys dropped by malicious Word and PDF documents. The first campaign deploys a PyInstaller-based implant called PYTRIC, capable of system-wide wipes and backup deletion. The second campaign uses a Rust-based implant named RUSTRIC, focusing on antivirus enumeration and system information gathering. Both campaigns share similar tactics but differ in their ultimate objectives, with the first aimed at destruction and the second at espionage.", "modified": "2026-01-21T17:03:45.685000", "created": "2025-12-22T17:06:57.658000", "tags": [ "av icon spoofing", "pytric", "israel", "telegram", "dropbox", "phishing", "pyinstaller", "rustric", "rust" ], "references": [ "https://www.seqrite.com/blog/ung0801-tracking-threat-clusters-obsessed-with-av-icon-spoofing-targeting-israel/" ], "public": 1, "adversary": "UNG0801", "targeted_countries": [ "Israel" ], "malware_families": [ { "id": "PYTRIC", "display_name": "PYTRIC", "target": null }, { "id": "RUSTRIC", "display_name": "RUSTRIC", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Information Technology", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 6, "domain": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 386517, "modified_text": "129 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b9c81b5002c642e96f806a", "name": "Boggy Serpens Threat Assessment", "description": "", "modified": "2026-04-16T09:05:11.431000", "created": "2026-03-17T21:31:07.240000", "tags": [ "maritime", "nuso", "lamporat", "ai-enhanced malware", "trusted relationship compromise", "energy", "iranian", "cyberespionage", "udpgangster", "critical infrastructure", "blackbeard", "phoenix", "ghostbackdoor", "social engineering" ], "references": [ "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/03/Boggy-Serpens.png", "https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/" ], "public": 1, "adversary": "Boggy Serpens", "targeted_countries": [ "Egypt", "Hungary", "Israel", "Saudi Arabia", "Turkmenistan" ], "malware_families": [ { "id": "GhostBackDoor", "display_name": "GhostBackDoor", "target": null }, { "id": "BlackBeard", "display_name": "BlackBeard", "target": null }, { "id": "UDPGangster", "display_name": "UDPGangster", "target": null }, { "id": "LampoRAT", "display_name": "LampoRAT", "target": null }, { "id": "Nuso", "display_name": "Nuso", "target": null }, { "id": "Phoenix", "display_name": "Phoenix", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [ "Energy", "Government", "Defense", "Telecommunications", "Finance" ], "TLP": "white", "cloned_from": "69b91b4202446dd5143da7c3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 31, "domain": 7, "hostname": 1 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bba3d4b603d5d60b7ed018", "name": "IOC - Boggy Serpens Threat Assessment", "description": "", "modified": "2026-04-16T09:05:11.431000", "created": "2026-03-19T07:20:52.530000", "tags": [ "maritime", "nuso", "lamporat", "ai-enhanced malware", "trusted relationship compromise", "energy", "iranian", "cyberespionage", "udpgangster", "critical infrastructure", "blackbeard", "phoenix", "ghostbackdoor", "social engineering" ], "references": [ "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/03/Boggy-Serpens.png", "https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/" ], "public": 1, "adversary": "Boggy Serpens", "targeted_countries": [ "Egypt", "Hungary", "Israel", "Saudi Arabia", "Turkmenistan" ], "malware_families": [ { "id": "GhostBackDoor", "display_name": "GhostBackDoor", "target": null }, { "id": "BlackBeard", "display_name": "BlackBeard", "target": null }, { "id": "UDPGangster", "display_name": "UDPGangster", "target": null }, { "id": "LampoRAT", "display_name": "LampoRAT", "target": null }, { "id": "Nuso", "display_name": "Nuso", "target": null }, { "id": "Phoenix", "display_name": "Phoenix", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [ "Energy", "Government", "Defense", "Telecommunications", "Finance" ], "TLP": "white", "cloned_from": "69b91b4202446dd5143da7c3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 31, "domain": 7, "hostname": 1 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a04928b5f1c2b7aa532d23", "name": "EbeeFeb2026 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-31T06:00:59.128000", "created": "2026-02-26T13:22:48.398000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "MuddyWater, Diesel Vortex, Delivering DEERSTEALER Infostealer, Nefilim Ransomware, Arkanix Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 188, "FileHash-SHA1": 106, "FileHash-SHA256": 198, "URL": 38, "domain": 161, "email": 3, "hostname": 222 }, "indicator_count": 916, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "61 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699d3e4be785424957c28c27", "name": "Chronology of MuddyWater APT Attacks Targeting the Middle East", "description": "", "modified": "2026-03-25T09:11:53.032000", "created": "2026-02-24T05:59:39.647000", "tags": [ "anydesk", "edr", "middle east", "syncro", "apt", "spear-phishing", "intelligence gathering", "teamviewer", "screenconnect", "initial access", "remote management tools", "atera", "splashtop", "rust-based malware" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/muddywater-apt?hs_amp=true" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "Egypt", "Iraq", "Israel", "Jordan", "Malaysia", "Oman", "Turkmenistan" ], "malware_families": [ { "id": "Syncro", "display_name": "Syncro", "target": null }, { "id": "Atera", "display_name": "Atera", "target": null }, { "id": "Splashtop", "display_name": "Splashtop", "target": null }, { "id": "AnyDesk", "display_name": "AnyDesk", "target": null }, { "id": "TeamViewer", "display_name": "TeamViewer", "target": null }, { "id": "ScreenConnect", "display_name": "ScreenConnect", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" } ], "industries": [ "Government", "Telecommunications", "Education", "Finance", "Energy", "Technology" ], "TLP": "white", "cloned_from": "699c1f410e4279a65c5a7b06", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 18, "FileHash-SHA256": 18, "domain": 2 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69646d650eea3ed54c6fc2df", "name": "IOC - Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant", "description": "CloudSEK's TRIAD recently identified a spear-phishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver \"RustyWater,\" a Rust-based implant representing a significant upgrade to their traditional toolkit", "modified": "2026-02-11T03:03:40.137000", "created": "2026-01-12T03:41:25.243000", "tags": [ "sha256 hash", "resolution", "email sha256", "hash" ], "references": [ "https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 10, "domain": 2 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6961d586e7dc3f6364fe6e91", "name": "MuddyWater Deploys Rust-Based Implants in Middle East Spearphishing Campaign", "description": "", "modified": "2026-02-09T04:04:57.573000", "created": "2026-01-10T04:28:54.582000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vijay2752", "id": "368558", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "domain": 1 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694a0d142408cd8c76aa5bb8", "name": "IOC - UNG0801: Tracking Threat Clusters obsessed with AV Icon Spoofing targeting Israel", "description": "SEQRITE Labs\u2019 APT Team has been tracking Unknown-Clusters [UNG0801], a slightly advanced yet persistent threat entity believed to originate from Western Asia, with activity primarily observed against Israeli organizations. The cluster shows a strong focus on enterprise environments, relying on socially engineered phishing lures written in Hebrew and designed to resemble routine internal communications, such as compliance updates, security advisories, or corporate webinar announcements.", "modified": "2026-01-22T03:01:39.869000", "created": "2025-12-23T03:31:32.020000", "tags": [ "hash file", "type", "outlook", "documet", "pdf hostip", "addresses" ], "references": [ "https://www.seqrite.com/blog/ung0801-tracking-threat-clusters-obsessed-with-av-icon-spoofing-targeting-israel/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 6, "domain": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "129 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694b7581cf14f205ff06abc2", "name": "UNG0801: Tracking Threat Clusters obsessed with AV Icon Spoofing targeting Israel", "description": "", "modified": "2026-01-21T17:03:45.685000", "created": "2025-12-24T05:09:21.216000", "tags": [ "av icon spoofing", "pytric", "israel", "telegram", "dropbox", "phishing", "pyinstaller", "rustric", "rust" ], "references": [ "https://www.seqrite.com/blog/ung0801-tracking-threat-clusters-obsessed-with-av-icon-spoofing-targeting-israel/" ], "public": 1, "adversary": "UNG0801", "targeted_countries": [ "Israel" ], "malware_families": [ { "id": "PYTRIC", "display_name": "PYTRIC", "target": null }, { "id": "RUSTRIC", "display_name": "RUSTRIC", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Information Technology", "Technology" ], "TLP": "white", "cloned_from": "69497ab14e1d473cf9e65693", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 6, "domain": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "129 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.csv", "https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant", "Book2.csv", "https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/", "https://www.seqrite.com/blog/ung0801-tracking-threat-clusters-obsessed-with-av-icon-spoofing-targeting-israel/", "https://www.genians.co.kr/en/blog/threat_intelligence/muddywater-apt?hs_amp=true", "IOCs.2026.4.csv", "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/03/Boggy-Serpens.png" ], "related": { "alienvault": { "adversary": [ "MuddyWater", "UNG0801" ], "malware_families": [ "Syncro", "Lamporat", "Pytric", "Ghostbackdoor", "Splashtop", "Blackbeard", "Phoenix", "Screenconnect", "Udpgangster", "Atera", "Rustric", "Nuso", "Anydesk", "Teamviewer" ], "industries": [ "Defense", "Education", "Energy", "Technology", "Finance", "Telecommunications", "Information technology", "Government" ] }, "other": { "adversary": [ "UNG0801", "MuddyWater", "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "MuddyWater, Diesel Vortex, Delivering DEERSTEALER Infostealer, Nefilim Ransomware, Arkanix Stealer", "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "Boggy Serpens" ], "malware_families": [ "Syncro", "Lamporat", "Pytric", "Ghostbackdoor", "Splashtop", "Blackbeard", "Phoenix", "Screenconnect", "Udpgangster", "Atera", "Rustric", "Nuso", "Anydesk", "Teamviewer" ], "industries": [ "Defense", "Education", "Energy", "Technology", "Finance", "Telecommunications", "Information technology", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "69b91b4202446dd5143da7c3", "name": "Boggy Serpens Threat Assessment", "description": "The Iranian threat group Boggy Serpens, linked to the Ministry of Intelligence and Security, has refined its cyberespionage tactics to focus on trusted relationship compromises and multi-wave targeting of strategic organizations. The group combines social engineering with AI-enhanced malware for long-term persistence, primarily targeting diplomatic and critical infrastructure sectors. Recent campaigns show increased technological capabilities, including AI-generated code and Rust-based tools. Boggy Serpens exploits hijacked accounts to bypass security measures and employs a secondary social engineering prompt to deliver malware. The group's determination is exemplified by a sustained four-wave campaign against a UAE marine and energy company, demonstrating its focus on infiltrating regional maritime infrastructure.", "modified": "2026-04-16T09:05:11.431000", "created": "2026-03-17T09:13:38.496000", "tags": [ "maritime", "nuso", "lamporat", "ai-enhanced malware", "trusted relationship compromise", "energy", "iranian", "cyberespionage", "udpgangster", "critical infrastructure", "blackbeard", "phoenix", "ghostbackdoor", "social engineering" ], "references": [ "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/03/Boggy-Serpens.png", "https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "Egypt", "Hungary", "Israel", "Saudi Arabia", "Turkmenistan" ], "malware_families": [ { "id": "GhostBackDoor", "display_name": "GhostBackDoor", "target": null }, { "id": "BlackBeard", "display_name": "BlackBeard", "target": null }, { "id": "UDPGangster", "display_name": "UDPGangster", "target": null }, { "id": "LampoRAT", "display_name": "LampoRAT", "target": null }, { "id": "Nuso", "display_name": "Nuso", "target": null }, { "id": "Phoenix", "display_name": "Phoenix", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [ "Energy", "Government", "Defense", "Telecommunications", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 31, "domain": 7, "hostname": 1 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 386517, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699c1f410e4279a65c5a7b06", "name": "Chronology of MuddyWater APT Attacks Targeting the Middle East", "description": "This report analyzes the recent activities of the MuddyWater APT group, which primarily targets organizations in the Middle East. The group employs sophisticated spear-phishing techniques, often impersonating legitimate entities and using malicious documents to gain initial access. Their attacks focus on long-term infiltration and intelligence gathering rather than immediate disruption. The report details several attack cases from 2019 to 2026, highlighting the group's evolving tactics, including the abuse of legitimate remote management tools and the use of Rust-based malware. The analysis emphasizes the importance of endpoint detection and response (EDR) solutions in identifying and mitigating these threats, as traditional perimeter-based security measures prove insufficient against such advanced persistent threats.", "modified": "2026-03-25T09:11:53.032000", "created": "2026-02-23T09:34:57.906000", "tags": [ "anydesk", "edr", "middle east", "syncro", "apt", "spear-phishing", "intelligence gathering", "teamviewer", "screenconnect", "initial access", "remote management tools", "atera", "splashtop", "rust-based malware" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/muddywater-apt?hs_amp=true" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "Egypt", "Iraq", "Israel", "Jordan", "Malaysia", "Oman", "Turkmenistan" ], "malware_families": [ { "id": "Syncro", "display_name": "Syncro", "target": null }, { "id": "Atera", "display_name": "Atera", "target": null }, { "id": "Splashtop", "display_name": "Splashtop", "target": null }, { "id": "AnyDesk", "display_name": "AnyDesk", "target": null }, { "id": "TeamViewer", "display_name": "TeamViewer", "target": null }, { "id": "ScreenConnect", "display_name": "ScreenConnect", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" } ], "industries": [ "Government", "Telecommunications", "Education", "Finance", "Energy", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 18, "FileHash-SHA256": 18, "domain": 2 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 386516, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69497ab14e1d473cf9e65693", "name": "UNG0801: Tracking Threat Clusters obsessed with AV Icon Spoofing targeting Israel", "description": "An analysis of threat clusters, dubbed UNG0801 or Operation IconCat, targeting Israeli organizations. The actors use socially engineered phishing lures in Hebrew, exploiting antivirus icon spoofing from well-known vendors like SentinelOne and Check Point. Two distinct infection chains were identified, both utilizing AV-themed decoys dropped by malicious Word and PDF documents. The first campaign deploys a PyInstaller-based implant called PYTRIC, capable of system-wide wipes and backup deletion. The second campaign uses a Rust-based implant named RUSTRIC, focusing on antivirus enumeration and system information gathering. Both campaigns share similar tactics but differ in their ultimate objectives, with the first aimed at destruction and the second at espionage.", "modified": "2026-01-21T17:03:45.685000", "created": "2025-12-22T17:06:57.658000", "tags": [ "av icon spoofing", "pytric", "israel", "telegram", "dropbox", "phishing", "pyinstaller", "rustric", "rust" ], "references": [ "https://www.seqrite.com/blog/ung0801-tracking-threat-clusters-obsessed-with-av-icon-spoofing-targeting-israel/" ], "public": 1, "adversary": "UNG0801", "targeted_countries": [ "Israel" ], "malware_families": [ { "id": "PYTRIC", "display_name": "PYTRIC", "target": null }, { "id": "RUSTRIC", "display_name": "RUSTRIC", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Information Technology", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 6, "domain": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 386517, "modified_text": "129 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b9c81b5002c642e96f806a", "name": "Boggy Serpens Threat Assessment", "description": "", "modified": "2026-04-16T09:05:11.431000", "created": "2026-03-17T21:31:07.240000", "tags": [ "maritime", "nuso", "lamporat", "ai-enhanced malware", "trusted relationship compromise", "energy", "iranian", "cyberespionage", "udpgangster", "critical infrastructure", "blackbeard", "phoenix", "ghostbackdoor", "social engineering" ], "references": [ "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/03/Boggy-Serpens.png", "https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/" ], "public": 1, "adversary": "Boggy Serpens", "targeted_countries": [ "Egypt", "Hungary", "Israel", "Saudi Arabia", "Turkmenistan" ], "malware_families": [ { "id": "GhostBackDoor", "display_name": "GhostBackDoor", "target": null }, { "id": "BlackBeard", "display_name": "BlackBeard", "target": null }, { "id": "UDPGangster", "display_name": "UDPGangster", "target": null }, { "id": "LampoRAT", "display_name": "LampoRAT", "target": null }, { "id": "Nuso", "display_name": "Nuso", "target": null }, { "id": "Phoenix", "display_name": "Phoenix", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [ "Energy", "Government", "Defense", "Telecommunications", "Finance" ], "TLP": "white", "cloned_from": "69b91b4202446dd5143da7c3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 31, "domain": 7, "hostname": 1 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bba3d4b603d5d60b7ed018", "name": "IOC - Boggy Serpens Threat Assessment", "description": "", "modified": "2026-04-16T09:05:11.431000", "created": "2026-03-19T07:20:52.530000", "tags": [ "maritime", "nuso", "lamporat", "ai-enhanced malware", "trusted relationship compromise", "energy", "iranian", "cyberespionage", "udpgangster", "critical infrastructure", "blackbeard", "phoenix", "ghostbackdoor", "social engineering" ], "references": [ "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/03/Boggy-Serpens.png", "https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/" ], "public": 1, "adversary": "Boggy Serpens", "targeted_countries": [ "Egypt", "Hungary", "Israel", "Saudi Arabia", "Turkmenistan" ], "malware_families": [ { "id": "GhostBackDoor", "display_name": "GhostBackDoor", "target": null }, { "id": "BlackBeard", "display_name": "BlackBeard", "target": null }, { "id": "UDPGangster", "display_name": "UDPGangster", "target": null }, { "id": "LampoRAT", "display_name": "LampoRAT", "target": null }, { "id": "Nuso", "display_name": "Nuso", "target": null }, { "id": "Phoenix", "display_name": "Phoenix", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [ "Energy", "Government", "Defense", "Telecommunications", "Finance" ], "TLP": "white", "cloned_from": "69b91b4202446dd5143da7c3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 31, "domain": 7, "hostname": 1 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a04928b5f1c2b7aa532d23", "name": "EbeeFeb2026 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-31T06:00:59.128000", "created": "2026-02-26T13:22:48.398000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "MuddyWater, Diesel Vortex, Delivering DEERSTEALER Infostealer, Nefilim Ransomware, Arkanix Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 188, "FileHash-SHA1": 106, "FileHash-SHA256": 198, "URL": 38, "domain": 161, "email": 3, "hostname": 222 }, "indicator_count": 916, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "61 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699d3e4be785424957c28c27", "name": "Chronology of MuddyWater APT Attacks Targeting the Middle East", "description": "", "modified": "2026-03-25T09:11:53.032000", "created": "2026-02-24T05:59:39.647000", "tags": [ "anydesk", "edr", "middle east", "syncro", "apt", "spear-phishing", "intelligence gathering", "teamviewer", "screenconnect", "initial access", "remote management tools", "atera", "splashtop", "rust-based malware" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/muddywater-apt?hs_amp=true" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "Egypt", "Iraq", "Israel", "Jordan", "Malaysia", "Oman", "Turkmenistan" ], "malware_families": [ { "id": "Syncro", "display_name": "Syncro", "target": null }, { "id": "Atera", "display_name": "Atera", "target": null }, { "id": "Splashtop", "display_name": "Splashtop", "target": null }, { "id": "AnyDesk", "display_name": "AnyDesk", "target": null }, { "id": "TeamViewer", "display_name": "TeamViewer", "target": null }, { "id": "ScreenConnect", "display_name": "ScreenConnect", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" } ], "industries": [ "Government", "Telecommunications", "Education", "Finance", "Energy", "Technology" ], "TLP": "white", "cloned_from": "699c1f410e4279a65c5a7b06", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 18, "FileHash-SHA256": 18, "domain": 2 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69646d650eea3ed54c6fc2df", "name": "IOC - Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant", "description": "CloudSEK's TRIAD recently identified a spear-phishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver \"RustyWater,\" a Rust-based implant representing a significant upgrade to their traditional toolkit", "modified": "2026-02-11T03:03:40.137000", "created": "2026-01-12T03:41:25.243000", "tags": [ "sha256 hash", "resolution", "email sha256", "hash" ], "references": [ "https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 10, "domain": 2 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6961d586e7dc3f6364fe6e91", "name": "MuddyWater Deploys Rust-Based Implants in Middle East Spearphishing Campaign", "description": "", "modified": "2026-02-09T04:04:57.573000", "created": "2026-01-10T04:28:54.582000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vijay2752", "id": "368558", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "domain": 1 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "stratioai.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "stratioai.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780227154.6601958 }