{
  "type": "Domain",
  "indicator": "support-decryptor.hk",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/support-decryptor.hk",
    "alexa": "http://www.alexa.com/siteinfo/support-decryptor.hk",
    "indicator": "support-decryptor.hk",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4140346640,
      "indicator": "support-decryptor.hk",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "68fa56f45f0516a0b3075e7b",
          "name": "EbeeOct2025 Pt3",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2025-11-22T16:03:43.896000",
          "created": "2025-10-23T16:25:24.750000",
          "tags": [],
          "references": [
            "Oct week.3.pdf"
          ],
          "public": 1,
          "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 61,
            "CIDR": 2,
            "CVE": 3,
            "FileHash-MD5": 175,
            "FileHash-SHA1": 135,
            "FileHash-SHA256": 190,
            "URL": 42,
            "email": 8,
            "hostname": 48
          },
          "indicator_count": 664,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "191 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f7797d8fe4b690b2f929e1",
          "name": "Resecurity | Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate",
          "description": "",
          "modified": "2025-11-20T12:03:22.671000",
          "created": "2025-10-21T12:15:57.085000",
          "tags": [
            "qilin",
            "hong kong",
            "chang way",
            "russia",
            "limited",
            "asahi",
            "october",
            "bearhost",
            "bonham strand",
            "date",
            "hong",
            "maze",
            "april",
            "guardian",
            "underground",
            "exploit",
            "lockbit",
            "rust",
            "trinity",
            "chaos",
            "rover",
            "slovakia",
            "alexander",
            "bianlian",
            "service",
            "ransomware",
            "wikileaksv2",
            "twitter",
            "august",
            "freedom",
            "dragonforce",
            "malware",
            "amadey",
            "stealc",
            "prospero"
          ],
          "references": [
            "https://www.resecurity.com/blog/article/qilin-ransomware-and-the-ghost-bulletproof-hosting-conglomerate"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 40,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 1,
            "URL": 4,
            "domain": 5,
            "email": 8,
            "hostname": 7
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "193 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f1f48424d00f24935937e0",
          "name": "Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate.",
          "description": "The Qilin ransomware group, which operates as a Ransomware-as-a-Service (RaaS), is noted for its sophisticated cyberattack methods and reliance on bulletproof hosting (BPH) infrastructure. Having emerged in mid-2022, initially branded as \"Agenda,\" the group achieved a significant reputation after claiming responsibility for a major ransomware attack on Japan\u2019s Asahi Group Holdings, which disrupted operations at their brewing facilities for nearly two weeks. Qilin is known for its malware variants developed in Golang and Rust, and for leveraging techniques such as spear phishing and exploiting Remote Monitoring and Management (RMM) tools to gain initial access to target systems.",
          "modified": "2025-11-16T07:01:18.160000",
          "created": "2025-10-17T07:47:16.654000",
          "tags": [
            "qilin",
            "hong kong",
            "chang way",
            "russia",
            "limited",
            "asahi",
            "october",
            "bearhost",
            "bonham strand",
            "date",
            "hong",
            "maze",
            "april",
            "guardian",
            "underground",
            "exploit",
            "lockbit",
            "rust",
            "trinity",
            "chaos",
            "rover",
            "slovakia",
            "alexander",
            "bianlian",
            "service",
            "ransomware",
            "wikileaksv2",
            "august",
            "freedom",
            "dragonforce",
            "malware",
            "amadey",
            "stealc",
            "prospero",
            "domain server",
            "geolocation",
            "details",
            "ip address",
            "historic ip",
            "cloudflare inc",
            "as13335",
            "selectel",
            "as49505",
            "russia ooo",
            "hostway country",
            "email address",
            "russia title",
            "display name",
            "telegram",
            "bear31337",
            "admin",
            "seller",
            "bear host",
            "platform",
            "notes telegram",
            "na na",
            "notes whatsapp",
            "voodoo",
            "yandex na",
            "na facebook",
            "viewcaller name",
            "microsoft",
            "location",
            "apple na",
            "email",
            "breach dataset",
            "gp internet",
            "moscow",
            "petersburg main",
            "inactive",
            "igorevich",
            "november",
            "january",
            "unified state",
            "register",
            "legal",
            "march",
            "june"
          ],
          "references": [
            "https://www.resecurity.com/blog/article/qilin-ransomware-and-the-ghost-bulletproof-hosting-conglomerate"
          ],
          "public": 1,
          "adversary": "Qilin",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1588.002",
              "name": "Tool",
              "display_name": "T1588.002 - Tool"
            },
            {
              "id": "T1587.001",
              "name": "Malware",
              "display_name": "T1587.001 - Malware"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1583.006",
              "name": "Web Services",
              "display_name": "T1583.006 - Web Services"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1583.003",
              "name": "Virtual Private Server",
              "display_name": "T1583.003 - Virtual Private Server"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 1,
            "URL": 1,
            "domain": 6,
            "email": 8,
            "hostname": 9,
            "CIDR": 2
          },
          "indicator_count": 28,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "197 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Oct week.3.pdf",
        "https://www.resecurity.com/blog/article/qilin-ransomware-and-the-ghost-bulletproof-hosting-conglomerate"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor",
            "Qilin"
          ],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "68fa56f45f0516a0b3075e7b",
      "name": "EbeeOct2025 Pt3",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2025-11-22T16:03:43.896000",
      "created": "2025-10-23T16:25:24.750000",
      "tags": [],
      "references": [
        "Oct week.3.pdf"
      ],
      "public": 1,
      "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 61,
        "CIDR": 2,
        "CVE": 3,
        "FileHash-MD5": 175,
        "FileHash-SHA1": 135,
        "FileHash-SHA256": 190,
        "URL": 42,
        "email": 8,
        "hostname": 48
      },
      "indicator_count": 664,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "191 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f7797d8fe4b690b2f929e1",
      "name": "Resecurity | Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate",
      "description": "",
      "modified": "2025-11-20T12:03:22.671000",
      "created": "2025-10-21T12:15:57.085000",
      "tags": [
        "qilin",
        "hong kong",
        "chang way",
        "russia",
        "limited",
        "asahi",
        "october",
        "bearhost",
        "bonham strand",
        "date",
        "hong",
        "maze",
        "april",
        "guardian",
        "underground",
        "exploit",
        "lockbit",
        "rust",
        "trinity",
        "chaos",
        "rover",
        "slovakia",
        "alexander",
        "bianlian",
        "service",
        "ransomware",
        "wikileaksv2",
        "twitter",
        "august",
        "freedom",
        "dragonforce",
        "malware",
        "amadey",
        "stealc",
        "prospero"
      ],
      "references": [
        "https://www.resecurity.com/blog/article/qilin-ransomware-and-the-ghost-bulletproof-hosting-conglomerate"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 40,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 1,
        "URL": 4,
        "domain": 5,
        "email": 8,
        "hostname": 7
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "193 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f1f48424d00f24935937e0",
      "name": "Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate.",
      "description": "The Qilin ransomware group, which operates as a Ransomware-as-a-Service (RaaS), is noted for its sophisticated cyberattack methods and reliance on bulletproof hosting (BPH) infrastructure. Having emerged in mid-2022, initially branded as \"Agenda,\" the group achieved a significant reputation after claiming responsibility for a major ransomware attack on Japan\u2019s Asahi Group Holdings, which disrupted operations at their brewing facilities for nearly two weeks. Qilin is known for its malware variants developed in Golang and Rust, and for leveraging techniques such as spear phishing and exploiting Remote Monitoring and Management (RMM) tools to gain initial access to target systems.",
      "modified": "2025-11-16T07:01:18.160000",
      "created": "2025-10-17T07:47:16.654000",
      "tags": [
        "qilin",
        "hong kong",
        "chang way",
        "russia",
        "limited",
        "asahi",
        "october",
        "bearhost",
        "bonham strand",
        "date",
        "hong",
        "maze",
        "april",
        "guardian",
        "underground",
        "exploit",
        "lockbit",
        "rust",
        "trinity",
        "chaos",
        "rover",
        "slovakia",
        "alexander",
        "bianlian",
        "service",
        "ransomware",
        "wikileaksv2",
        "august",
        "freedom",
        "dragonforce",
        "malware",
        "amadey",
        "stealc",
        "prospero",
        "domain server",
        "geolocation",
        "details",
        "ip address",
        "historic ip",
        "cloudflare inc",
        "as13335",
        "selectel",
        "as49505",
        "russia ooo",
        "hostway country",
        "email address",
        "russia title",
        "display name",
        "telegram",
        "bear31337",
        "admin",
        "seller",
        "bear host",
        "platform",
        "notes telegram",
        "na na",
        "notes whatsapp",
        "voodoo",
        "yandex na",
        "na facebook",
        "viewcaller name",
        "microsoft",
        "location",
        "apple na",
        "email",
        "breach dataset",
        "gp internet",
        "moscow",
        "petersburg main",
        "inactive",
        "igorevich",
        "november",
        "january",
        "unified state",
        "register",
        "legal",
        "march",
        "june"
      ],
      "references": [
        "https://www.resecurity.com/blog/article/qilin-ransomware-and-the-ghost-bulletproof-hosting-conglomerate"
      ],
      "public": 1,
      "adversary": "Qilin",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1588.002",
          "name": "Tool",
          "display_name": "T1588.002 - Tool"
        },
        {
          "id": "T1587.001",
          "name": "Malware",
          "display_name": "T1587.001 - Malware"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1583.006",
          "name": "Web Services",
          "display_name": "T1583.006 - Web Services"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1583.003",
          "name": "Virtual Private Server",
          "display_name": "T1583.003 - Virtual Private Server"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 1,
        "URL": 1,
        "domain": 6,
        "email": 8,
        "hostname": 9,
        "CIDR": 2
      },
      "indicator_count": 28,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "197 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "support-decryptor.hk",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "support-decryptor.hk",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780351551.327307
}