{ "type": "Domain", "indicator": "subprocess.run", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/subprocess.run", "alexa": "http://www.alexa.com/siteinfo/subprocess.run", "indicator": "subprocess.run", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3825896857, "indicator": "subprocess.run", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "6a0bcc87bf7fcf9813645bc7", "name": "Auto bugs static energy", "description": "Automotive bugs", "modified": "2026-05-19T02:35:49.008000", "created": "2026-05-19T02:35:49.008000", "tags": [ "import", "release", "autoversion", "buildflags" ], "references": [ "auto_firmware_version.py" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tesla1937", "id": "361485", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0238e9e126961cfc2914f1", "name": "Mini Shai-Hulud: A Cross-Ecosystem Supply Chain Attack on PyTorch Lightning & Intercom Client", "description": "The Mini Shai-Hulud campaign, launched in April 2026, represents a notable evolution in cyber threats through a cross-ecosystem supply chain attack targeting widely utilized packages within Python, Node.js, and PHP ecosystems. Unlike traditional supply chain attacks that exploit software vulnerabilities, this campaign compromised trusted packages by abusing maintainer credentials and CI/CD tokens. Attackers gained unauthorized access to trusted accounts, allowing them to release malicious versions of packages such as PyTorch Lightning and intercom-client without raising immediate suspicion.", "modified": "2026-05-11T20:15:37.905000", "created": "2026-05-11T20:15:37.905000", "tags": [ "github", "cicd", "lightning", "github actions", "april", "mini shaihulud", "pypi", "python", "security", "cloud", "mini", "execution", "logic", "exfiltration", "persistence", "brain", "local", "sensitive", "service", "internal", "silent" ], "references": [ "https://www.resecurity.com/blog/article/mini-shai-hulud-a-cross-ecosystem-supply-chain-attack-on-pytorch-lightning-intercom-client" ], "public": 1, "adversary": "Mini_shai-hulud", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "IPv4": 1, "URL": 2, "domain": 1, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ce83659fb527eb96c998a2", "name": "Malicious Axios Packages Published to npm in New Supply Chain Compromise", "description": "A recent supply chain compromise has been identified affecting the widely utilized JavaScript HTTP client axios, wherein malicious versions of the package were published to npm using compromised maintainer credentials. The exploitation involves the deployment of a Remote Access Trojan (RAT) through a fabricated dependency labeled plain-crypto-js@4.2.1. Notably, this dependency is not directly imported by axios, functioning instead as a dropper that executes a postinstall script upon installation.", "modified": "2026-05-04T15:01:49.491000", "created": "2026-04-02T14:55:33.872000", "tags": [ "truesec", "post body", "temp", "cicd", "rotate npm", "monitor", "npm supplychain", "risk detection", "urls", "network", "remote access" ], "references": [ "https://www.truesec.com/hub/blog/malicious-axios-packages-npm-in-supply-chain-compromise", "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan", "https://www.derp.ca/research/axios-npm-supply-chain-rat/", "https://socket.dev/blog/axios-npm-package-compromised", "https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/", "https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust", "https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections", "https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/", "https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/", "https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff", "https://www.zscaler.com/blogs/security-research/supply-chain-attacks-surge-march-2026", "https://blog.talosintelligence.com/axois-npm-supply-chain-incident/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 58, "FileHash-SHA1": 62, "FileHash-SHA256": 60, "URL": 28, "domain": 19, "email": 5, "hostname": 10, "CIDR": 2, "CVE": 2 }, "indicator_count": 246, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc5a4859361602b172249c", "name": "ColorMap PNG", "description": "d76f5631d55f301608ca14b38d282e02\n810afcebb23642b681d151a81fdcca3fcc43f96a\n04d05978fdb111358073ab0524e5c1fafc0826615c206987618416b8bd8a4747\n48:4othnooOT1/qVbqdGIVp4NWjORVFQ55AsybKpGbDtzD1thJYERaSuXWB6:dn584VbqdTp4jZvsybKYb1lJYEa\nT135514DC4AB7C051C705B439F78E195F6656C46931E88CF4AA4548EF35617372C0A7860\nPNG \nmultimedia\nimage\npng\nPNG image data, 1233 x 100, 4-bit colormap, non-interlaced\nPortable Network Graphics (100%)", "modified": "2026-05-01T08:03:52.918000", "created": "2026-03-31T23:35:36.259000", "tags": [ "png image", "graphics" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 567, "FileHash-MD5": 27, "FileHash-SHA1": 21, "domain": 24, "hostname": 30, "URL": 59, "CIDR": 1 }, "indicator_count": 729, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cbc674b257616b45f5a857", "name": "Ringing in Chaos: How TeamPCP Weaponized the Telnyx Python SDK - Hexastrike Cybersecurity", "description": "", "modified": "2026-04-30T13:11:24.721000", "created": "2026-03-31T13:04:52.869000", "tags": [ "teampcp", "litellm", "python", "pypi", "kubernetes", "trivy", "checkmarx", "telnyx", "windows", "stage", "vect", "harvester", "dash", "teamtnt", "stop", "hunt", "loader", "service" ], "references": [ "https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "FileHash-MD5": 8, "FileHash-SHA1": 6, "FileHash-SHA256": 23, "URL": 8, "domain": 4, "hostname": 3 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 865, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f340e7ac96bd9048e229b4", "name": "TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package", "description": "On April 22, 2026, versions 2.6.0, 2.6.1, and 2.6.2 of the xinference open-source package on PyPI were found to include a two-stage credential-stealing payload. This payload is embedded in the xinference/__init__.py file, which automatically executes upon the import of the package. Once triggered, it decodes a second-stage collector that captures sensitive information including SSH keys, cloud credentials, environment variables, and cryptocurrency wallet details. This data is subsequently exfiltrated as a tar.gz file named love.tar.gz to the command and control (C2) server at http://whereisitat.lucyatemysuperbox.space using a curl POST request. The integrity of these compromised versions was compromised enough to prompt their immediate removal from PyPI.", "modified": "2026-04-30T11:45:43.797000", "created": "2026-04-30T11:45:43.797000", "tags": [ "hardenrunner", "post", "teampcp", "pypi", "python", "stepsecurity", "march", "payloadthe", "cli invocation", "service startup", "install", "april", "bitcoin" ], "references": [ "https://www.stepsecurity.io/blog/teampcp-injects-two-stage-credential-stealer-into-xinference-pypi-package" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 2, "domain": 2, "hostname": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "31 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6879dd55ff5c42ce04a8f4ba", "name": "MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities", "description": "", "modified": "2025-08-16T14:00:26.166000", "created": "2025-07-18T05:36:21.950000", "tags": [ "github", "downloader", "redline", "amadey", "obfuscation", "lumma", "asyncrat", "smokeloader", "maas", "phishing", "emmenhtal", "ukraine", "rhadamanthys" ], "references": [ "https://blog.talosintelligence.com/maas-operation-using-emmenhtal-and-amadey-linked-to-threats-against-ukrainian-entities/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Emmenhtal", "display_name": "Emmenhtal", "target": null }, { "id": "Amadey - S1025", "display_name": "Amadey - S1025", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Government", "Critical Infrastructure" ], "TLP": "white", "cloned_from": "68790fe97662f2c9f411e128", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68186afc93f8581774f808b2", "name": "Rolling in the Deep(Web): Lazarus Tsunami | HiSolutions Research", "description": "", "modified": "2025-06-04T07:03:28.153000", "created": "2025-05-05T07:38:36.690000", "tags": [ "username", "edge webengine", "xorkey", "contagious", "interview", "campaign", "malware", "threat actor", "framework", "appdata", "trigger", "installer", "resourceloader", "meta", "powershell", "defender" ], "references": [ "https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 5, "FileHash-SHA256": 12, "URL": 2, "domain": 2, "hostname": 1 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "361 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681b5b3029c7afc1dafe56c7", "name": "Malicious PyPI Package Targets Discord Developers with Remot...", "description": "A security researcher has uncovered a sophisticated backdoor that could have compromised the systems of thousands of developers working on the popular chat app, Discord, and other third-party services. and the public..", "modified": "2025-05-07T13:08:00.566000", "created": "2025-05-07T13:08:00.566000", "tags": [ "discord", "python package", "post request", "march", "discordpydebug", "index", "pypi", "discord py", "pypi doesn", "public", "loop", "python", "execution", "compromise", "iocs", "c2 domain", "associated ip" ], "references": [ "https://socket.dev/blog/malicious-pypi-package-targets-discord-developers-with-RAT" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "URL": 2, "hostname": 1 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "389 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bc4f8da0112f0ccf560202", "name": "Fake GitHub projects distribute stealers in GitVenom campaign | Securelist", "description": "", "modified": "2025-02-24T10:53:01.333000", "created": "2025-02-24T10:53:01.333000", "tags": [ "backdoor", "github", "gitvenom", "javascript", "malware", "malware descriptions", "malware technologies", "open source", "python", "rat", "trojan", "trojan-stealer", "fernet", "python script", "cryptography", "internet", "instagram", "telegram bot", "bitcoin", "download" ], "references": [ "https://securelist.com/gitvenom-campaign/115694/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ghitansilviu@gmail.com", "id": "177478", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA256": 2, "domain": 1 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "461 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bc4309facd871861e67502", "name": "Fake GitHub projects distribute stealers in GitVenom campaign | Securelist", "description": "In our series of letters from leading security experts, Kaspersky explains how the open-source code community has become a target for cybercriminals and the threat actors behind the so-called GitVenom campaign.", "modified": "2025-02-24T09:59:37.924000", "created": "2025-02-24T09:59:37.924000", "tags": [ "backdoor", "github", "gitvenom", "javascript", "malware", "malware descriptions", "malware technologies", "open source", "python", "rat", "trojan", "trojan-stealer", "fernet", "python script", "cryptography", "internet", "instagram", "telegram bot", "bitcoin", "download", "careto", "node.js", "cookieplus" ], "references": [ "https://securelist.com/gitvenom-campaign/115694/" ], "public": 1, "adversary": "Careto", "targeted_countries": [ "Russian Federation", "Brazil", "T\u00fcrkiye" ], "malware_families": [ { "id": "Node.js", "display_name": "Node.js", "target": null }, { "id": "GitVenom", "display_name": "GitVenom", "target": null }, { "id": "CookiePlus", "display_name": "CookiePlus", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA256": 2, "domain": 1 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "461 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672ddf5df3fd8427fc95d742", "name": "Steam Account Checker Poisoned with Infostealer - SANS Internet Storm Center", "description": "A malicious script targeting Steam users has been discovered by a security researcher in the United States, but how do you spot it and what can you do about it if you are a member of the gaming platform?", "modified": "2024-11-08T09:52:29.616000", "created": "2024-11-08T09:52:29.616000", "tags": [ "fernet", "steam", "appdata", "github", "python", "cloudflare", "python ua", "fernet content", "fernet exec", "fernet module", "exodus", "win64" ], "references": [ "https://isc.sans.edu/diary/rss/31420" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "URL": 17, "hostname": 2 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "569 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6652ab47625ee4cf5c7c9133", "name": "Foxit PDF \u201cFlawed Design\u201d Exploitation - Check Point Research", "description": "", "modified": "2024-06-25T03:01:55.092000", "created": "2024-05-26T03:23:51.939000", "tags": [ "code", "check point", "python", "research", "aptc35", "donot team", "vbscript", "createobject", "pdf file", "foxit reader", "powershell", "fuckcrypt", "facebook", "shellcode", "downloader", "april", "first", "remcos", "body", "virustotal", "february", "korean", "launch", "uploader", "open", "comment", "nanocore rat", "android", "rafel rat", "sliver", "cobalt strike", "loader", "john", "julia", "uacbypass", "bypass", "discord", "null", "dcom", "template", "generic", "exploit", "protect", "path", "screen" ], "references": [ "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "text_account", "id": "221593", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 18, "FileHash-MD5": 27, "FileHash-SHA1": 26, "FileHash-SHA256": 39, "YARA": 3, "domain": 6, "hostname": 3 }, "indicator_count": 122, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "705 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "664d2d8a4b164cda98ac3bbd", "name": "Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal", "description": "Multiple threat actors are exploiting a flaw in Foxit PDF Reader, deploying various malware like Agent Tesla, AsyncRAT, and Remcos RAT. Unlike Adobe Acrobat Reader, Foxit's vulnerability leads to a low detection rate, as it defaults to \"OK\" in security warnings, making users prone to executing harmful commands.", "modified": "2024-06-20T23:02:03.274000", "created": "2024-05-21T23:26:02.058000", "tags": [ "code", "check point", "python", "research", "aptc35", "donot team", "vbscript", "createobject", "pdf file", "foxit reader", "powershell", "fuckcrypt", "facebook", "shellcode", "downloader", "first", "remcos", "body", "virustotal", "february", "launch", "uploader", "open", "comment", "nanocore rat", "android", "rafel rat", "sliver", "cobalt strike", "loader", "john", "julia", "uacbypass", "bypass", "discord", "null", "dcom", "template", "generic", "exploit" ], "references": [ "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 18, "FileHash-MD5": 27, "FileHash-SHA1": 26, "FileHash-SHA256": 39, "YARA": 3, "domain": 6, "hostname": 3 }, "indicator_count": 122, "is_author": false, "is_subscribing": null, "subscriber_count": 215, "modified_text": "709 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66447258c33a5f25aa4c788f", "name": "Foxit PDF \u201cFlawed Design\u201d Exploitation - Check Point Research", "description": "", "modified": "2024-06-14T08:05:17.527000", "created": "2024-05-15T08:29:12.510000", "tags": [ "code", "check point", "python", "research", "aptc35", "donot team", "vbscript", "createobject", "pdf file", "foxit reader", "powershell", "fuckcrypt", "facebook", "shellcode", "downloader", "april", "first", "remcos", "body", "virustotal", "february", "korean", "launch", "uploader", "open", "comment", "nanocore rat", "android", "rafel rat", "sliver", "cobalt strike", "loader", "john", "julia", "uacbypass", "bypass", "discord", "null", "dcom", "template", "generic", "exploit", "protect", "path", "screen" ], "references": [ "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 23, "FileHash-MD5": 26, "FileHash-SHA1": 25, "FileHash-SHA256": 39, "YARA": 3, "domain": 6, "hostname": 3 }, "indicator_count": 125, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "716 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660bfb75e35090db1bd21e07", "name": "Typosquatting Campaign Targets Python Developers", "description": "As part of Phylum\u2019s annual security review, we take a look at the latest typosquat attacks targeting Python developers and how they might be used to target their own code.", "modified": "2024-04-02T12:35:01.061000", "created": "2024-04-02T12:35:01.061000", "tags": [ "research", "pypi", "march", "python", "phylum", "pytorch", "backgroundfirst", "insanepackage", "insane", "publication", "beautifulsoup26", "virustotal", "typosquatting", "zgrat" ], "references": [ "https://blog.phylum.io/typosquatting-campaign-targets-python-developers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Typosquatting", "display_name": "Typosquatting", "target": null }, { "id": "zgRAT", "display_name": "zgRAT", "target": null } ], "attack_ids": [ { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 4, "email": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "789 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aa6a2e7131d96ee789b405", "name": "macOS Python Script Replacing Wallet Applications with Rogue Apps - SANS Internet Storm Center", "description": "Apple and its macOS operating system are one of the world's most popular operating systems, but they are also a target for cyber-thieves, who target the software and the people who use them.", "modified": "2024-01-19T12:25:18.266000", "created": "2024-01-19T12:25:18.266000", "tags": [ "exodus", "bitcoinqt", "convert", "c2 server", "apple script", "apple", "python script", "bitcoin core", "remove", "appname", "python" ], "references": [ "https://isc.sans.edu/diary/rss/30572" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4, "FileHash-SHA256": 3, "URL": 3 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "863 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "manpaths", "apfs_boot_mount.tbd", "custom-error.html", "generic", "systemControls.csv", "https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/", "https://socket.dev/blog/malicious-pypi-package-targets-discord-developers-with-RAT", "csh.login", "crashes.csv", "mounts.csv", "afpovertcp.cfg", "bashrc", "x86_64-apple-macos.swiftinterface", "nfs.conf", "main.cf", "header_checks", "sharedFolders.csv", "master.cf.default", "access", "csh.logout", "module.modulemap", "AirPlayReceiver.tbd", "managedPolicies.csv", "lber.h", "mail.rc", "MCAdvertiserAssistant.h", "sipConfig.csv", "bounce.cf.default", "kern_loader.conf", "asl.conf", "shells", "smb.conf", "sudo_lecture", "certificates.csv", "https://www.stepsecurity.io/blog/teampcp-injects-two-stage-credential-stealer-into-xinference-pypi-package", "zshrc", "https://blog.talosintelligence.com/axois-npm-supply-chain-incident/", "rmtab", "mounts.txt", "Driver_xst.h", "users.csv", "transport", "main.cf.default", "MCError.h", "launchagents.txt", "paths", "irbrc", "MCNearbyServiceBrowser.h", "process_list.txt", "https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections", "profile", "MultipeerConnectivity.h", "etcHosts.csv", "kexts.txt", "ntp.conf", "makedefs.out", "caching.html", "pf.os", "launchdaemons.txt", "https://www.resecurity.com/blog/article/mini-shai-hulud-a-cross-ecosystem-supply-chain-attack-on-pytorch-lightning-intercom-client", "https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk/", "ldap.h", "autofs.conf", "convenience.map", "arm64e-apple-ios-macabi.swiftinterface", "group", "AppleFirmwareUpdate.tbd", "MCSession.h", "https://www.derp.ca/research/axios-npm-supply-chain-rat/", "https://isc.sans.edu/diary/rss/30572", "security_status.txt", "arm64e-apple-macos.swiftinterface", "user_launchagents.txt", "csh.cshrc", "pf.conf", "xtab", "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/", "usbDevices.csv", "TLS_LICENSE", "dbd_xsh.h", "find.codes", "postfix-files", "ftpusers", "rc.netboot", "rc.common", "bind.html", "custom_header_checks", "locate.rc", "https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff", "gettytab", "MultipeerConnectivity.tbd", "https://isc.sans.edu/diary/rss/31420", "virtual", "notify.conf", "version.plist", "https://www.truesec.com/hub/blog/malicious-axios-packages-npm-in-supply-chain-compromise", "launchD.csv", "x86_64-apple-ios-macabi.swiftinterface", "rtadvd.conf", "https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust", "syslog.conf", "Info.plist", "dbivport.h", "Admin.tbd", "command_args.json", "canonical", "LDAP.tbd", "dbi_sql.h", "chromeExtensions.csv", "com.apple.screensharing.agent.launchd", "master.cf", "CodeResources", "systemInfo.csv", "content-negotiation.html", "configuring.html", "APConfigurationSystem.tbd", "index.html.en", "https://blog.phylum.io/typosquatting-campaign-targets-python-developers/", "AOSKit.tbd", "https://socket.dev/blog/axios-npm-package-compromised", "protocols", "preboot_archive_errors.log", "zshrc_Apple_Terminal", "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan", "LocalAuthentication.tbd", "kernel.csv", "rpc", "ttys", "https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/", "MCBrowserViewController.h", "https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/", "auto_home", "aliases", "passwd", "zprofile", "diskEncryption.csv", "auto_master", "MCPeerID.h", "ntp_opendirectory.conf", "auto_firmware_version.py", "MCNearbyServiceAdvertiser.h", "bashrc_Apple_Terminal", "dbixs_rev.h", "https://www.zscaler.com/blogs/security-research/supply-chain-attacks-surge-march-2026", "hook_op_check.h", "https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/", "battery.csv", "main.cf.proto", "DBIXS.h", "newsyslog.conf", "interfaceAddrs.csv", "sharingPreferences.csv", "interfaceDetails.csv", "LICENSE", "https://securelist.com/gitvenom-campaign/115694/", "applications.csv", "relocated", "sudoers", "master.cf.proto", "BUILDING", "disk_structure.txt", "man.conf", "networks", "resolv.conf", "https://blog.talosintelligence.com/maas-operation-using-emmenhtal-and-amadey-linked-to-threats-against-ukrainian-entities/", "MultipeerConnectivity.apinotes" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Careto", "Mini_shai-hulud", "DragonForce Malaysia Hacker Group" ], "malware_families": [ "Amadey - s1025", "Redline", "Lumma", "Node.js", "Cookieplus", "Zgrat", "Firstname", "Typosquatting", "Asyncrat", "Lastname", "Rhadamanthys", "Gitvenom", "Smokeloader", "Emmenhtal" ], "industries": [ "Critical infrastructure", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "6a0bcc87bf7fcf9813645bc7", "name": "Auto bugs static energy", "description": "Automotive bugs", "modified": "2026-05-19T02:35:49.008000", "created": "2026-05-19T02:35:49.008000", "tags": [ "import", "release", "autoversion", "buildflags" ], "references": [ "auto_firmware_version.py" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tesla1937", "id": "361485", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0238e9e126961cfc2914f1", "name": "Mini Shai-Hulud: A Cross-Ecosystem Supply Chain Attack on PyTorch Lightning & Intercom Client", "description": "The Mini Shai-Hulud campaign, launched in April 2026, represents a notable evolution in cyber threats through a cross-ecosystem supply chain attack targeting widely utilized packages within Python, Node.js, and PHP ecosystems. Unlike traditional supply chain attacks that exploit software vulnerabilities, this campaign compromised trusted packages by abusing maintainer credentials and CI/CD tokens. Attackers gained unauthorized access to trusted accounts, allowing them to release malicious versions of packages such as PyTorch Lightning and intercom-client without raising immediate suspicion.", "modified": "2026-05-11T20:15:37.905000", "created": "2026-05-11T20:15:37.905000", "tags": [ "github", "cicd", "lightning", "github actions", "april", "mini shaihulud", "pypi", "python", "security", "cloud", "mini", "execution", "logic", "exfiltration", "persistence", "brain", "local", "sensitive", "service", "internal", "silent" ], "references": [ "https://www.resecurity.com/blog/article/mini-shai-hulud-a-cross-ecosystem-supply-chain-attack-on-pytorch-lightning-intercom-client" ], "public": 1, "adversary": "Mini_shai-hulud", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "IPv4": 1, "URL": 2, "domain": 1, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ce83659fb527eb96c998a2", "name": "Malicious Axios Packages Published to npm in New Supply Chain Compromise", "description": "A recent supply chain compromise has been identified affecting the widely utilized JavaScript HTTP client axios, wherein malicious versions of the package were published to npm using compromised maintainer credentials. The exploitation involves the deployment of a Remote Access Trojan (RAT) through a fabricated dependency labeled plain-crypto-js@4.2.1. Notably, this dependency is not directly imported by axios, functioning instead as a dropper that executes a postinstall script upon installation.", "modified": "2026-05-04T15:01:49.491000", "created": "2026-04-02T14:55:33.872000", "tags": [ "truesec", "post body", "temp", "cicd", "rotate npm", "monitor", "npm supplychain", "risk detection", "urls", "network", "remote access" ], "references": [ "https://www.truesec.com/hub/blog/malicious-axios-packages-npm-in-supply-chain-compromise", "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan", "https://www.derp.ca/research/axios-npm-supply-chain-rat/", "https://socket.dev/blog/axios-npm-package-compromised", "https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/", "https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust", "https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections", "https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/", "https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/", "https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff", "https://www.zscaler.com/blogs/security-research/supply-chain-attacks-surge-march-2026", "https://blog.talosintelligence.com/axois-npm-supply-chain-incident/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 58, "FileHash-SHA1": 62, "FileHash-SHA256": 60, "URL": 28, "domain": 19, "email": 5, "hostname": 10, "CIDR": 2, "CVE": 2 }, "indicator_count": 246, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc5a4859361602b172249c", "name": "ColorMap PNG", "description": "d76f5631d55f301608ca14b38d282e02\n810afcebb23642b681d151a81fdcca3fcc43f96a\n04d05978fdb111358073ab0524e5c1fafc0826615c206987618416b8bd8a4747\n48:4othnooOT1/qVbqdGIVp4NWjORVFQ55AsybKpGbDtzD1thJYERaSuXWB6:dn584VbqdTp4jZvsybKYb1lJYEa\nT135514DC4AB7C051C705B439F78E195F6656C46931E88CF4AA4548EF35617372C0A7860\nPNG \nmultimedia\nimage\npng\nPNG image data, 1233 x 100, 4-bit colormap, non-interlaced\nPortable Network Graphics (100%)", "modified": "2026-05-01T08:03:52.918000", "created": "2026-03-31T23:35:36.259000", "tags": [ "png image", "graphics" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 567, "FileHash-MD5": 27, "FileHash-SHA1": 21, "domain": 24, "hostname": 30, "URL": 59, "CIDR": 1 }, "indicator_count": 729, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cbc674b257616b45f5a857", "name": "Ringing in Chaos: How TeamPCP Weaponized the Telnyx Python SDK - Hexastrike Cybersecurity", "description": "", "modified": "2026-04-30T13:11:24.721000", "created": "2026-03-31T13:04:52.869000", "tags": [ "teampcp", "litellm", "python", "pypi", "kubernetes", "trivy", "checkmarx", "telnyx", "windows", "stage", "vect", "harvester", "dash", "teamtnt", "stop", "hunt", "loader", "service" ], "references": [ "https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "FileHash-MD5": 8, "FileHash-SHA1": 6, "FileHash-SHA256": 23, "URL": 8, "domain": 4, "hostname": 3 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 865, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f340e7ac96bd9048e229b4", "name": "TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package", "description": "On April 22, 2026, versions 2.6.0, 2.6.1, and 2.6.2 of the xinference open-source package on PyPI were found to include a two-stage credential-stealing payload. This payload is embedded in the xinference/__init__.py file, which automatically executes upon the import of the package. Once triggered, it decodes a second-stage collector that captures sensitive information including SSH keys, cloud credentials, environment variables, and cryptocurrency wallet details. This data is subsequently exfiltrated as a tar.gz file named love.tar.gz to the command and control (C2) server at http://whereisitat.lucyatemysuperbox.space using a curl POST request. The integrity of these compromised versions was compromised enough to prompt their immediate removal from PyPI.", "modified": "2026-04-30T11:45:43.797000", "created": "2026-04-30T11:45:43.797000", "tags": [ "hardenrunner", "post", "teampcp", "pypi", "python", "stepsecurity", "march", "payloadthe", "cli invocation", "service startup", "install", "april", "bitcoin" ], "references": [ "https://www.stepsecurity.io/blog/teampcp-injects-two-stage-credential-stealer-into-xinference-pypi-package" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 2, "domain": 2, "hostname": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "31 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6879dd55ff5c42ce04a8f4ba", "name": "MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities", "description": "", "modified": "2025-08-16T14:00:26.166000", "created": "2025-07-18T05:36:21.950000", "tags": [ "github", "downloader", "redline", "amadey", "obfuscation", "lumma", "asyncrat", "smokeloader", "maas", "phishing", "emmenhtal", "ukraine", "rhadamanthys" ], "references": [ "https://blog.talosintelligence.com/maas-operation-using-emmenhtal-and-amadey-linked-to-threats-against-ukrainian-entities/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Emmenhtal", "display_name": "Emmenhtal", "target": null }, { "id": "Amadey - S1025", "display_name": "Amadey - S1025", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Government", "Critical Infrastructure" ], "TLP": "white", "cloned_from": "68790fe97662f2c9f411e128", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68186afc93f8581774f808b2", "name": "Rolling in the Deep(Web): Lazarus Tsunami | HiSolutions Research", "description": "", "modified": "2025-06-04T07:03:28.153000", "created": "2025-05-05T07:38:36.690000", "tags": [ "username", "edge webengine", "xorkey", "contagious", "interview", "campaign", "malware", "threat actor", "framework", "appdata", "trigger", "installer", "resourceloader", "meta", "powershell", "defender" ], "references": [ "https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 5, "FileHash-SHA256": 12, "URL": 2, "domain": 2, "hostname": 1 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "361 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681b5b3029c7afc1dafe56c7", "name": "Malicious PyPI Package Targets Discord Developers with Remot...", "description": "A security researcher has uncovered a sophisticated backdoor that could have compromised the systems of thousands of developers working on the popular chat app, Discord, and other third-party services. and the public..", "modified": "2025-05-07T13:08:00.566000", "created": "2025-05-07T13:08:00.566000", "tags": [ "discord", "python package", "post request", "march", "discordpydebug", "index", "pypi", "discord py", "pypi doesn", "public", "loop", "python", "execution", "compromise", "iocs", "c2 domain", "associated ip" ], "references": [ "https://socket.dev/blog/malicious-pypi-package-targets-discord-developers-with-RAT" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "URL": 2, "hostname": 1 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "389 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "subprocess.run", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "subprocess.run", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780234512.2279875 }