{ "type": "Domain", "indicator": "suggestutterly.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/suggestutterly.com", "alexa": "http://www.alexa.com/siteinfo/suggestutterly.com", "indicator": "suggestutterly.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4115834594, "indicator": "suggestutterly.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "693033c9fa9650a8f9c630c7", "name": "Candiru and the Global Spread of DevilsTongue Spyware", "description": "The following is a full list of comments and comments on the internet by some of the most prominent figures in the world's \"notionnowadays\" - or, in fact, the \"nonsense\".", "modified": "2026-01-02T12:05:38.986000", "created": "2025-12-03T12:57:45.681000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 107 }, "indicator_count": 110, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "152 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a49e7093b6732ce5d4b0f4", "name": "Tracking Candirus DevilsTongue Spyware in Multiple Countries.", "description": "Insikt Group reported discovery of new infrastructure associated with eight Candiru-linked clusters, specifically infrastructure used to deploy and control the DevilsTongue spyware as well as higher-tier operator infrastructure. The finding indicates active expansion or maintenance of a multi-cluster operational footprint that separates initial delivery/deployment mechanisms from command-and-control and operator management layers.", "modified": "2025-09-18T15:08:31.171000", "created": "2025-08-19T15:55:28.509000", "tags": [], "references": [ "https://assets.recordedfuture.com/content/dam/insikt-report-pdfs/2025/cta-2025-0805.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 110, "hostname": 1 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 546, "modified_text": "258 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6865117ef69a048ce6a4d04e", "name": "Israel APT actors", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-07-02T11:01:18.401000", "tags": [], "references": [ "APT-Israel.pdf" ], "public": 1, "adversary": "Caramel Tsunami, Candiru, Gonjeshke Darande, Predatory Sparrow, Phlox Tempest, Carmine Tsunami, DEEV", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 34, "FileHash-SHA256": 34, "URL": 3, "domain": 405 }, "indicator_count": 510, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "270 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a3d0b77129dea69212cb0c", "name": "IOC Blocking", "description": "", "modified": "2025-08-19T01:17:43.771000", "created": "2025-08-19T01:17:43.771000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 38 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "288 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a3474f3c46cb044afa75ac", "name": "qwett", "description": "", "modified": "2025-08-18T15:31:27.657000", "created": "2025-08-18T15:31:27.657000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 38 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "289 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68949161daedb3aa6f13c96a", "name": "BYOVD Attack in Brazil Exploits AV Killer", "description": "\"The use of AV killers like this can severely compromise an organization\u2019s security posture by\ndisabling endpoint protection, allowing ransomware and other malware to spread unchecked. It\ncan lead to widespread data encryption, operational disruption, financial loss, and potential\ndata breaches. The attack also undermines trust in existing security controls and exposes\nweaknesses in access and patch management practices.\"", "modified": "2025-08-07T11:43:29.493000", "created": "2025-08-07T11:43:29.493000", "tags": [], "references": [ "Cyber Threat Advisory - BYOVD Attack in Brazil Exploits AV Killer.pdf" ], "public": 1, "adversary": "TI Advisory No-ESAF-SOC-TI-150", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "URL": 2, "hostname": 1, "CVE": 1, "FileHash-MD5": 8, "FileHash-SHA1": 7, "FileHash-SHA256": 7 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "300 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68948e41414c94f414368af4", "name": "Candiru Spyware Continues Global Operations", "description": "\"The presence of spyware like DevilsTongue poses a serious threat to organizations by enabling\nunauthorized access to sensitive data, intellectual property, and internal communications. It can\nlead to reputational damage, legal liabilities, and financial loss. Targeted attacks may also\ncompromise executive leadership, disrupt operations, and erode trust among stakeholders and\npartners.\"", "modified": "2025-08-07T11:30:09.184000", "created": "2025-08-07T11:30:09.184000", "tags": [], "references": [ "Cyber Threat Advisory - Candiru Spyware Continues Global Operations.pdf" ], "public": 1, "adversary": "TI Advisory No-ESAF-SOC-TI-149", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 11 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 86, "modified_text": "300 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Cyber Threat Advisory - BYOVD Attack in Brazil Exploits AV Killer.pdf", "Cyber Threat Advisory - Candiru Spyware Continues Global Operations.pdf", "https://assets.recordedfuture.com/content/dam/insikt-report-pdfs/2025/cta-2025-0805.pdf", "APT-Israel.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "TI Advisory No-ESAF-SOC-TI-150", "TI Advisory No-ESAF-SOC-TI-149", "Caramel Tsunami, Candiru, Gonjeshke Darande, Predatory Sparrow, Phlox Tempest, Carmine Tsunami, DEEV" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "693033c9fa9650a8f9c630c7", "name": "Candiru and the Global Spread of DevilsTongue Spyware", "description": "The following is a full list of comments and comments on the internet by some of the most prominent figures in the world's \"notionnowadays\" - or, in fact, the \"nonsense\".", "modified": "2026-01-02T12:05:38.986000", "created": "2025-12-03T12:57:45.681000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 107 }, "indicator_count": 110, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "152 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a49e7093b6732ce5d4b0f4", "name": "Tracking Candirus DevilsTongue Spyware in Multiple Countries.", "description": "Insikt Group reported discovery of new infrastructure associated with eight Candiru-linked clusters, specifically infrastructure used to deploy and control the DevilsTongue spyware as well as higher-tier operator infrastructure. The finding indicates active expansion or maintenance of a multi-cluster operational footprint that separates initial delivery/deployment mechanisms from command-and-control and operator management layers.", "modified": "2025-09-18T15:08:31.171000", "created": "2025-08-19T15:55:28.509000", "tags": [], "references": [ "https://assets.recordedfuture.com/content/dam/insikt-report-pdfs/2025/cta-2025-0805.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 110, "hostname": 1 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 546, "modified_text": "258 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6865117ef69a048ce6a4d04e", "name": "Israel APT actors", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-07-02T11:01:18.401000", "tags": [], "references": [ "APT-Israel.pdf" ], "public": 1, "adversary": "Caramel Tsunami, Candiru, Gonjeshke Darande, Predatory Sparrow, Phlox Tempest, Carmine Tsunami, DEEV", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 34, "FileHash-SHA256": 34, "URL": 3, "domain": 405 }, "indicator_count": 510, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "270 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a3d0b77129dea69212cb0c", "name": "IOC Blocking", "description": "", "modified": "2025-08-19T01:17:43.771000", "created": "2025-08-19T01:17:43.771000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 38 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "288 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a3474f3c46cb044afa75ac", "name": "qwett", "description": "", "modified": "2025-08-18T15:31:27.657000", "created": "2025-08-18T15:31:27.657000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 38 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "289 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68949161daedb3aa6f13c96a", "name": "BYOVD Attack in Brazil Exploits AV Killer", "description": "\"The use of AV killers like this can severely compromise an organization\u2019s security posture by\ndisabling endpoint protection, allowing ransomware and other malware to spread unchecked. It\ncan lead to widespread data encryption, operational disruption, financial loss, and potential\ndata breaches. The attack also undermines trust in existing security controls and exposes\nweaknesses in access and patch management practices.\"", "modified": "2025-08-07T11:43:29.493000", "created": "2025-08-07T11:43:29.493000", "tags": [], "references": [ "Cyber Threat Advisory - BYOVD Attack in Brazil Exploits AV Killer.pdf" ], "public": 1, "adversary": "TI Advisory No-ESAF-SOC-TI-150", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "URL": 2, "hostname": 1, "CVE": 1, "FileHash-MD5": 8, "FileHash-SHA1": 7, "FileHash-SHA256": 7 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "300 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68948e41414c94f414368af4", "name": "Candiru Spyware Continues Global Operations", "description": "\"The presence of spyware like DevilsTongue poses a serious threat to organizations by enabling\nunauthorized access to sensitive data, intellectual property, and internal communications. It can\nlead to reputational damage, legal liabilities, and financial loss. Targeted attacks may also\ncompromise executive leadership, disrupt operations, and erode trust among stakeholders and\npartners.\"", "modified": "2025-08-07T11:30:09.184000", "created": "2025-08-07T11:30:09.184000", "tags": [], "references": [ "Cyber Threat Advisory - Candiru Spyware Continues Global Operations.pdf" ], "public": 1, "adversary": "TI Advisory No-ESAF-SOC-TI-149", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 11 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 86, "modified_text": "300 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "suggestutterly.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "suggestutterly.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780524402.019308 }