{ "type": "Domain", "indicator": "surethinks.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/surethinks.com", "alexa": "http://www.alexa.com/siteinfo/surethinks.com", "indicator": "surethinks.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4067105276, "indicator": "surethinks.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "68fb00e2b2d0361731cc0f7c", "name": "Unpacking NetSupport RAT Loaders Delivered via ClickFix", "description": "eSentire's Threat Response Unit observed multiple threat groups utilizing NetSupport Manager for malicious purposes throughout 2025. These groups have shifted from Fake Updates to ClickFix as their primary delivery method. The attack methodology involves social engineering victims to execute malicious commands in the Windows Run Prompt, leading to NetSupport extraction and execution. Three distinct threat groups were identified, each using different loaders and infrastructure. The groups are designated by their licensee names: EVALUSION, FSHGDREE32/SGI, and XMLCTL. The analysis includes details on the PowerShell/JSON-based loader, MSI-based loader, and NetSupport PCAP analysis. An unpacking utility and YARA rule are provided to aid researchers in detecting and analyzing NetSupport variants.", "modified": "2025-11-23T04:04:55.572000", "created": "2025-10-24T04:30:26.227000", "tags": [ "remote administration tools", "clickfix", "netsupport rat" ], "references": [ "https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bulgaria", "Lithuania", "Moldova, Republic of", "Russian Federation", "United Arab Emirates", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NetSupport Manager", "display_name": "NetSupport Manager", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 48, "FileHash-MD5": 13, "FileHash-SHA1": 14, "FileHash-SHA256": 27, "CVE": 1, "URL": 4, "hostname": 1 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 386630, "modified_text": "190 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683202092d4ff2099430b6d3", "name": "urlhaus 30days", "description": "", "modified": "2026-02-09T00:11:12.303000", "created": "2025-05-24T17:29:45.368000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 61, "FileHash-SHA1": 4, "FileHash-SHA256": 31, "URL": 28057, "domain": 435, "hostname": 423 }, "indicator_count": 29011, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "112 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69032eeb91df61e525fe5741", "name": "EbeeOct2025 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-29T09:05:33.273000", "created": "2025-10-30T09:24:59.370000", "tags": [], "references": [ "OCT.pdf" ], "public": 1, "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 166, "FileHash-SHA1": 122, "FileHash-SHA256": 190, "CVE": 9, "domain": 118, "email": 3, "hostname": 73 }, "indicator_count": 779, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "183 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fc9242711d57005c0791ab", "name": "Unpacking NetSupport RAT Loaders Delivered via ClickFix..", "description": "In 2025, a series of incidents linked to the NetSupport Manager has been attributed to three separate threat actor groups that are transitioning their delivery methods from \"Fake Updates\" to a more sophisticated approach known as \"ClickFix.\" Among the techniques employed by these groups, PowerShell-based loaders have been especially prominent.", "modified": "2025-11-24T08:00:04.918000", "created": "2025-10-25T09:02:58.712000", "tags": [ "powershell json", "powershell zip", "netsupport c2", "netsupport" ], "references": [ "https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 44, "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 24 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ff35a8b035a30a8199e13a", "name": "IOC - Unpacking NetSupport RAT Loaders Delivered via ClickFix", "description": "", "modified": "2025-11-23T04:04:55.572000", "created": "2025-10-27T09:04:40.958000", "tags": [ "remote administration tools", "clickfix", "netsupport rat" ], "references": [ "https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bulgaria", "Lithuania", "Moldova, Republic of", "Russian Federation", "United Arab Emirates", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NetSupport Manager", "display_name": "NetSupport Manager", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "68fb00e2b2d0361731cc0f7c", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 48, "FileHash-MD5": 13, "FileHash-SHA1": 14, "FileHash-SHA256": 27, "CVE": 1, "URL": 4, "hostname": 1 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "190 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69007544f80986eee4963434", "name": "Unpacking NetSupport RAT Loaders Delivered via ClickFix", "description": "", "modified": "2025-11-23T04:04:55.572000", "created": "2025-10-28T07:48:20.824000", "tags": [ "remote administration tools", "clickfix", "netsupport rat" ], "references": [ "https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bulgaria", "Lithuania", "Moldova, Republic of", "Russian Federation", "United Arab Emirates", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NetSupport Manager", "display_name": "NetSupport Manager", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "68fb00e2b2d0361731cc0f7c", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 48, "FileHash-MD5": 13, "FileHash-SHA1": 14, "FileHash-SHA256": 27, "CVE": 1, "URL": 4, "hostname": 1 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "190 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fe09111b5705ff69ffc5ff", "name": "Threat Actors Deploy NetSupport RAT Loaders Using ClickFix", "description": "Cybercriminals are using a technique known as \u2018ClickFix\u2019 to deploy the NetSupport remote administration tool (RAT) for malicious purposes.", "modified": "2025-10-26T11:42:09.450000", "created": "2025-10-26T11:42:09.450000", "tags": [ "update", "siem", "iocs", "conduct", "https", "hashes", "domains", "jiezishijie", "kamagrafr" ], "references": [], "public": 1, "adversary": "CryptoGen Cyber Threat Intelligence Advisory", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 37, "URL": 1, "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 24 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "217 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681e2275eedbc4832f285bdc", "name": "Clickfix installs NetsupportRAT", "description": "Clickfix installs NetsupportRAT - direct to IP c2", "modified": "2025-09-06T00:03:32.787000", "created": "2025-05-09T15:42:45.028000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "nalbright", "id": "356", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_356/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 98, "modified_text": "268 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "681ea15bc94854a8a1a75594", "name": "URLHaus data - 09-05-2025", "description": "", "modified": "2025-06-09T00:01:38.726000", "created": "2025-05-10T00:44:11.612000", "tags": [ "ClearFake", "32-bit", "elf", "mips", "Mozi", "arm", "mirai", "SocGholish", "censys", "CobaltStrike", "backdoor", "sshdkit", "hajime", "ascii", "Encoded", "rat", "RemcosRAT", "rev-base64-loader", "powershell", "ps1", "opendir", "MassLogger", "AgentTesla", "2025", "password", "zip", "xworm", "encrypted", "GuLoader", "NetSupport", "NetSupportRAT", "WsgiDAV", "remcos", "Arechclient2", "CoinMiner", "config", "json", "ua-wget", "xml", "jar", "kinsing", "sh", "exe", "botnetdomain", "Kimsuky", "linux", "malware", "dcrat", "connectwise", "screenconnect" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 794, "hostname": 10, "domain": 33 }, "indicator_count": 837, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "357 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "OCT.pdf", "https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix", "https://urlhaus.abuse.ch/browse/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Netsupport manager" ], "industries": [] }, "other": { "adversary": [ "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "CryptoGen Cyber Threat Intelligence Advisory" ], "malware_families": [ "Netsupport manager" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "68fb00e2b2d0361731cc0f7c", "name": "Unpacking NetSupport RAT Loaders Delivered via ClickFix", "description": "eSentire's Threat Response Unit observed multiple threat groups utilizing NetSupport Manager for malicious purposes throughout 2025. These groups have shifted from Fake Updates to ClickFix as their primary delivery method. The attack methodology involves social engineering victims to execute malicious commands in the Windows Run Prompt, leading to NetSupport extraction and execution. Three distinct threat groups were identified, each using different loaders and infrastructure. The groups are designated by their licensee names: EVALUSION, FSHGDREE32/SGI, and XMLCTL. The analysis includes details on the PowerShell/JSON-based loader, MSI-based loader, and NetSupport PCAP analysis. An unpacking utility and YARA rule are provided to aid researchers in detecting and analyzing NetSupport variants.", "modified": "2025-11-23T04:04:55.572000", "created": "2025-10-24T04:30:26.227000", "tags": [ "remote administration tools", "clickfix", "netsupport rat" ], "references": [ "https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bulgaria", "Lithuania", "Moldova, Republic of", "Russian Federation", "United Arab Emirates", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NetSupport Manager", "display_name": "NetSupport Manager", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 48, "FileHash-MD5": 13, "FileHash-SHA1": 14, "FileHash-SHA256": 27, "CVE": 1, "URL": 4, "hostname": 1 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 386630, "modified_text": "190 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683202092d4ff2099430b6d3", "name": "urlhaus 30days", "description": "", "modified": "2026-02-09T00:11:12.303000", "created": "2025-05-24T17:29:45.368000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 61, "FileHash-SHA1": 4, "FileHash-SHA256": 31, "URL": 28057, "domain": 435, "hostname": 423 }, "indicator_count": 29011, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "112 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69032eeb91df61e525fe5741", "name": "EbeeOct2025 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-29T09:05:33.273000", "created": "2025-10-30T09:24:59.370000", "tags": [], "references": [ "OCT.pdf" ], "public": 1, "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 166, "FileHash-SHA1": 122, "FileHash-SHA256": 190, "CVE": 9, "domain": 118, "email": 3, "hostname": 73 }, "indicator_count": 779, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "183 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fc9242711d57005c0791ab", "name": "Unpacking NetSupport RAT Loaders Delivered via ClickFix..", "description": "In 2025, a series of incidents linked to the NetSupport Manager has been attributed to three separate threat actor groups that are transitioning their delivery methods from \"Fake Updates\" to a more sophisticated approach known as \"ClickFix.\" Among the techniques employed by these groups, PowerShell-based loaders have been especially prominent.", "modified": "2025-11-24T08:00:04.918000", "created": "2025-10-25T09:02:58.712000", "tags": [ "powershell json", "powershell zip", "netsupport c2", "netsupport" ], "references": [ "https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 44, "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 24 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ff35a8b035a30a8199e13a", "name": "IOC - Unpacking NetSupport RAT Loaders Delivered via ClickFix", "description": "", "modified": "2025-11-23T04:04:55.572000", "created": "2025-10-27T09:04:40.958000", "tags": [ "remote administration tools", "clickfix", "netsupport rat" ], "references": [ "https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bulgaria", "Lithuania", "Moldova, Republic of", "Russian Federation", "United Arab Emirates", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NetSupport Manager", "display_name": "NetSupport Manager", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "68fb00e2b2d0361731cc0f7c", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 48, "FileHash-MD5": 13, "FileHash-SHA1": 14, "FileHash-SHA256": 27, "CVE": 1, "URL": 4, "hostname": 1 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "190 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69007544f80986eee4963434", "name": "Unpacking NetSupport RAT Loaders Delivered via ClickFix", "description": "", "modified": "2025-11-23T04:04:55.572000", "created": "2025-10-28T07:48:20.824000", "tags": [ "remote administration tools", "clickfix", "netsupport rat" ], "references": [ "https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bulgaria", "Lithuania", "Moldova, Republic of", "Russian Federation", "United Arab Emirates", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NetSupport Manager", "display_name": "NetSupport Manager", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "68fb00e2b2d0361731cc0f7c", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 48, "FileHash-MD5": 13, "FileHash-SHA1": 14, "FileHash-SHA256": 27, "CVE": 1, "URL": 4, "hostname": 1 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "190 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fe09111b5705ff69ffc5ff", "name": "Threat Actors Deploy NetSupport RAT Loaders Using ClickFix", "description": "Cybercriminals are using a technique known as \u2018ClickFix\u2019 to deploy the NetSupport remote administration tool (RAT) for malicious purposes.", "modified": "2025-10-26T11:42:09.450000", "created": "2025-10-26T11:42:09.450000", "tags": [ "update", "siem", "iocs", "conduct", "https", "hashes", "domains", "jiezishijie", "kamagrafr" ], "references": [], "public": 1, "adversary": "CryptoGen Cyber Threat Intelligence Advisory", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 37, "URL": 1, "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 24 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "217 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681e2275eedbc4832f285bdc", "name": "Clickfix installs NetsupportRAT", "description": "Clickfix installs NetsupportRAT - direct to IP c2", "modified": "2025-09-06T00:03:32.787000", "created": "2025-05-09T15:42:45.028000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "nalbright", "id": "356", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_356/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 98, "modified_text": "268 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "681ea15bc94854a8a1a75594", "name": "URLHaus data - 09-05-2025", "description": "", "modified": "2025-06-09T00:01:38.726000", "created": "2025-05-10T00:44:11.612000", "tags": [ "ClearFake", "32-bit", "elf", "mips", "Mozi", "arm", "mirai", "SocGholish", "censys", "CobaltStrike", "backdoor", "sshdkit", "hajime", "ascii", "Encoded", "rat", "RemcosRAT", "rev-base64-loader", "powershell", "ps1", "opendir", "MassLogger", "AgentTesla", "2025", "password", "zip", "xworm", "encrypted", "GuLoader", "NetSupport", "NetSupportRAT", "WsgiDAV", "remcos", "Arechclient2", "CoinMiner", "config", "json", "ua-wget", "xml", "jar", "kinsing", "sh", "exe", "botnetdomain", "Kimsuky", "linux", "malware", "dcrat", "connectwise", "screenconnect" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 794, "hostname": 10, "domain": 33 }, "indicator_count": 837, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "357 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "surethinks.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "surethinks.com", "found": true, "verdict": "malicious", "url_count": 2, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://surethinks.com/rasbus.zip", "status": "offline", "threat": "malware_download", "date_added": "2025-05-09", "tags": [ "NetSupport" ] }, { "url": "https://surethinks.com/zasras.zip", "status": "offline", "threat": "malware_download", "date_added": "2025-05-09", "tags": [ "NetSupport" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780297075.2380908 }