{ "type": "Domain", "indicator": "suspectplainrevulsion.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/suspectplainrevulsion.com", "alexa": "http://www.alexa.com/siteinfo/suspectplainrevulsion.com", "indicator": "suspectplainrevulsion.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4028957055, "indicator": "suspectplainrevulsion.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "68e93847bf4e1c20e09bc7f4", "name": "VT graph (Gramac, 2025)", "description": "Copy of Newest attack 04/05 6:44pmpst just ban the servers. It\u2019s probably that guy from Canada from years ago (Gramac, 2025)", "modified": "2025-11-09T16:00:40.524000", "created": "2025-10-10T16:45:59.455000", "tags": [ "entity", "please", "javascript", "windows", "khtml" ], "references": [ "https://www.virustotal.com/graph/embed/g99f807a829ff49e095fdb8485c04206a866c96c2241a46348935f463348bef14?theme=dark", "https://www.virustotal.com/gui/collection/d0bda73251c781ad52ecd72ef91ac1c24030b69a49725ae1a90074dc11f36856/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 66, "FileHash-MD5": 69, "FileHash-SHA1": 62, "FileHash-SHA256": 280, "domain": 31, "hostname": 75 }, "indicator_count": 583, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "202 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680c1a2539b381ea9fbe7054", "name": "InQuest - 25-04-2025", "description": "", "modified": "2025-05-25T23:00:17.763000", "created": "2025-04-25T23:26:29.483000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "URL": 236, "FileHash-SHA1": 24, "FileHash-SHA256": 814, "domain": 54, "FileHash-MD5": 26 }, "indicator_count": 1196, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "370 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680ac7dd8edc8c55be961a6d", "name": "InQuest - 24-04-2025", "description": "", "modified": "2025-05-24T23:00:39.177000", "created": "2025-04-24T23:23:09.843000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 879, "FileHash-MD5": 33, "hostname": 67, "URL": 426, "domain": 113, "FileHash-SHA1": 24 }, "indicator_count": 1542, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6818f46dd65fe9f5628b6deb", "name": "Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics", "description": "", "modified": "2025-05-05T17:25:01.415000", "created": "2025-05-05T17:25:01.415000", "tags": [ "ctia type", "date", "april", "time", "update", "siem", "keep anti", "virus endpoint", "detection", "check", "test" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 8 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "390 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6814bb1dc645da1b5d4e1228", "name": "Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics", "description": "", "modified": "2025-05-02T12:34:36.004000", "created": "2025-05-02T12:31:25.355000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 7, "hostname": 5, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68144719ce06e61f72f4b24d", "name": "Lumma Stealer \u2013 Tracking distribution channels", "description": "", "modified": "2025-05-02T04:16:25.940000", "created": "2025-05-02T04:16:25.940000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": "68130b0a09b695605a0065a0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68130b0a09b695605a0065a0", "name": "Lumma Stealer \u2013 Tracking distribution channels", "description": "", "modified": "2025-05-01T05:47:54.846000", "created": "2025-05-01T05:47:54.846000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": "6807a23302e3a26f9b32c891", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "394 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6807a23302e3a26f9b32c891", "name": "How Lumma Stealer sneaks into organizations | Securelist", "description": "Security company Kaspersky has discovered a sophisticated and sophisticated information stealer, known as Lumma, that is being used by cybercriminals to steal data from people around the world and sell it on dark web marketplaces.", "modified": "2025-04-22T14:05:39.893000", "created": "2025-04-22T14:05:39.893000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "403 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bbf55afcc48a55cfba471e", "name": "Unknown Malware Distribution Network", "description": "TA using compromised WP websites to drop files for remote job searchers/ I will update with more information soon.", "modified": "2025-03-26T04:05:03.222000", "created": "2025-02-24T04:28:09.543000", "tags": [ "main", "dropped file", "connections ip" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "yetkindegirmenci", "id": "250316", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 23, "URL": 66, "domain": 66, "hostname": 26 }, "indicator_count": 185, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bbf561fcc48a55cfba471f", "name": "Unknown Malware Distribution Network", "description": "TA using compromised WP websites to drop files for remote job searchers/ I will update with more information soon.", "modified": "2025-03-26T04:05:03.222000", "created": "2025-02-24T04:28:17.307000", "tags": [ "main", "dropped file", "connections ip" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "yetkindegirmenci", "id": "250316", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 23, "URL": 66, "domain": 66, "hostname": 26 }, "indicator_count": 185, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678565f0c11937595b52ea3b", "name": "ApateWeb Campaign Infected Sites - Blogspot Redirector", "description": "Additional IOCs gathered from an instance of ApateWeb discovered in the wild, via a Blogspot redirector campaign. These may be intentional adversary-controlled infra or simply infected servers that they have gained control over.\n\nApologies for duplicate IOCs, OTX has no method of filtering these out and makes it impossible to bulk remove them so I can upload a de-duped list instead, so there is no way for me to fix this.", "modified": "2025-01-20T23:31:01.411000", "created": "2025-01-13T19:13:52.391000", "tags": [ "blog", "redirector", "phishing", "malware", "Scareware", "Malvertising", "Ad Fraud", "Blogspot", "ApateWeb", "Cybercrime" ], "references": [ "https://unit42.paloaltonetworks.com/apateweb-scareware-pup-delivery-campaign/", "https://bettylinking.blogspot[.]com/2025/01/tyga.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ajmeese7", "id": "218349", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_218349/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 34, "domain": 19039, "hostname": 18 }, "indicator_count": 19091, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "495 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://unit42.paloaltonetworks.com/apateweb-scareware-pup-delivery-campaign/", "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/", "https://www.virustotal.com/graph/embed/g99f807a829ff49e095fdb8485c04206a866c96c2241a46348935f463348bef14?theme=dark", "https://bettylinking.blogspot[.]com/2025/01/tyga.html", "https://labs.inquest.net/iocdb", "https://www.virustotal.com/gui/collection/d0bda73251c781ad52ecd72ef91ac1c24030b69a49725ae1a90074dc11f36856/iocs" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "[Unnamed group]" ], "malware_families": [ "Captcha", "Lumma", "Downloads", "\u2019m" ], "industries": [ "Logistics", "Government", "Maritime" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "68e93847bf4e1c20e09bc7f4", "name": "VT graph (Gramac, 2025)", "description": "Copy of Newest attack 04/05 6:44pmpst just ban the servers. It\u2019s probably that guy from Canada from years ago (Gramac, 2025)", "modified": "2025-11-09T16:00:40.524000", "created": "2025-10-10T16:45:59.455000", "tags": [ "entity", "please", "javascript", "windows", "khtml" ], "references": [ "https://www.virustotal.com/graph/embed/g99f807a829ff49e095fdb8485c04206a866c96c2241a46348935f463348bef14?theme=dark", "https://www.virustotal.com/gui/collection/d0bda73251c781ad52ecd72ef91ac1c24030b69a49725ae1a90074dc11f36856/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 66, "FileHash-MD5": 69, "FileHash-SHA1": 62, "FileHash-SHA256": 280, "domain": 31, "hostname": 75 }, "indicator_count": 583, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "202 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680c1a2539b381ea9fbe7054", "name": "InQuest - 25-04-2025", "description": "", "modified": "2025-05-25T23:00:17.763000", "created": "2025-04-25T23:26:29.483000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "URL": 236, "FileHash-SHA1": 24, "FileHash-SHA256": 814, "domain": 54, "FileHash-MD5": 26 }, "indicator_count": 1196, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "370 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680ac7dd8edc8c55be961a6d", "name": "InQuest - 24-04-2025", "description": "", "modified": "2025-05-24T23:00:39.177000", "created": "2025-04-24T23:23:09.843000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 879, "FileHash-MD5": 33, "hostname": 67, "URL": 426, "domain": 113, "FileHash-SHA1": 24 }, "indicator_count": 1542, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6818f46dd65fe9f5628b6deb", "name": "Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics", "description": "", "modified": "2025-05-05T17:25:01.415000", "created": "2025-05-05T17:25:01.415000", "tags": [ "ctia type", "date", "april", "time", "update", "siem", "keep anti", "virus endpoint", "detection", "check", "test" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 8 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "390 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6814bb1dc645da1b5d4e1228", "name": "Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics", "description": "", "modified": "2025-05-02T12:34:36.004000", "created": "2025-05-02T12:31:25.355000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 7, "hostname": 5, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68144719ce06e61f72f4b24d", "name": "Lumma Stealer \u2013 Tracking distribution channels", "description": "", "modified": "2025-05-02T04:16:25.940000", "created": "2025-05-02T04:16:25.940000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": "68130b0a09b695605a0065a0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68130b0a09b695605a0065a0", "name": "Lumma Stealer \u2013 Tracking distribution channels", "description": "", "modified": "2025-05-01T05:47:54.846000", "created": "2025-05-01T05:47:54.846000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": "6807a23302e3a26f9b32c891", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "394 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6807a23302e3a26f9b32c891", "name": "How Lumma Stealer sneaks into organizations | Securelist", "description": "Security company Kaspersky has discovered a sophisticated and sophisticated information stealer, known as Lumma, that is being used by cybercriminals to steal data from people around the world and sell it on dark web marketplaces.", "modified": "2025-04-22T14:05:39.893000", "created": "2025-04-22T14:05:39.893000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "403 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bbf55afcc48a55cfba471e", "name": "Unknown Malware Distribution Network", "description": "TA using compromised WP websites to drop files for remote job searchers/ I will update with more information soon.", "modified": "2025-03-26T04:05:03.222000", "created": "2025-02-24T04:28:09.543000", "tags": [ "main", "dropped file", "connections ip" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "yetkindegirmenci", "id": "250316", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 23, "URL": 66, "domain": 66, "hostname": 26 }, "indicator_count": 185, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bbf561fcc48a55cfba471f", "name": "Unknown Malware Distribution Network", "description": "TA using compromised WP websites to drop files for remote job searchers/ I will update with more information soon.", "modified": "2025-03-26T04:05:03.222000", "created": "2025-02-24T04:28:17.307000", "tags": [ "main", "dropped file", "connections ip" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "yetkindegirmenci", "id": "250316", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 23, "URL": 66, "domain": 66, "hostname": 26 }, "indicator_count": 185, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "suspectplainrevulsion.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "suspectplainrevulsion.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780184992.0429828 }