{ "type": "Domain", "indicator": "systemautoupdater.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/systemautoupdater.com", "alexa": "http://www.alexa.com/siteinfo/systemautoupdater.com", "indicator": "systemautoupdater.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4329190293, "indicator": "systemautoupdater.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eea032b44c822fa321c040", "name": "vxCube \u2014 Report", "description": "[Researchers have identified the first \"pulses\" to be created on a single domain, the GoDaddy.com, and the second to have been identified by its owner, a US company.] Date - 2024-12-10 11:15:23 UTC for [017076655d1d5d05656azcb!z] [exe parent of>] and [4ca5bc812211957dc963d03fc773d01d9b6643c4d99d31a9f9032fcbed39cf9c, 2025-06-02 05:00:56 UTC]", "modified": "2026-05-26T23:51:32.486000", "created": "2026-04-26T23:30:58.043000", "tags": [ "passive dns", "status", "urls", "creation date", "date", "pulse pulses", "files", "domain", "files ip", "address", "expiry date", "name", "query time", "code signing", "zlatin stamatov", "issuer certum", "ca valid", "from", "valid", "valid usage", "algorithm", "serial number", "certum code", "signing", "ca status", "valid issuer", "certum trusted", "network ca", "valid from", "status valid", "trusted network", "all algorithm", "client auth", "e7 ff", "thumbprint md5", "fa cd", "tags size", "mb format", "exe sha1", "body length", "b body", "sha256", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "os2 executable", "pe32 compiler", "exe32", "compiler" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 13, "FileHash-SHA256": 92, "URL": 63, "domain": 54, "hostname": 27, "email": 1, "CVE": 3 }, "indicator_count": 274, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eea032c0007ec10cd71b6a", "name": "vxCube \u2014 Report", "description": "[Researchers have identified the first \"pulses\" to be created on a single domain, the GoDaddy.com, and the second to have been identified by its owner, a US company.] Date - 2024-12-10 11:15:23 UTC for [017076655d1d5d05656azcb!z] [exe parent of>] and [4ca5bc812211957dc963d03fc773d01d9b6643c4d99d31a9f9032fcbed39cf9c, 2025-06-02 05:00:56 UTC]", "modified": "2026-05-26T23:51:32.486000", "created": "2026-04-26T23:30:58.642000", "tags": [ "passive dns", "status", "urls", "creation date", "date", "pulse pulses", "files", "domain", "files ip", "address", "expiry date", "name", "query time", "code signing", "zlatin stamatov", "issuer certum", "ca valid", "from", "valid", "valid usage", "algorithm", "serial number", "certum code", "signing", "ca status", "valid issuer", "certum trusted", "network ca", "valid from", "status valid", "trusted network", "all algorithm", "client auth", "e7 ff", "thumbprint md5", "fa cd", "tags size", "mb format", "exe sha1", "body length", "b body", "sha256", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "os2 executable", "pe32 compiler", "exe32", "compiler" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 12, "FileHash-SHA256": 91, "URL": 58, "domain": 54, "hostname": 25, "email": 1, "CVE": 3 }, "indicator_count": 264, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eea03311228a15d06a2b2a", "name": "vxCube \u2014 Report", "description": "[Researchers have identified the first \"pulses\" to be created on a single domain, the GoDaddy.com, and the second to have been identified by its owner, a US company.] Date - 2024-12-10 11:15:23 UTC for [017076655d1d5d05656azcb!z] [exe parent of>] and [4ca5bc812211957dc963d03fc773d01d9b6643c4d99d31a9f9032fcbed39cf9c, 2025-06-02 05:00:56 UTC]", "modified": "2026-05-26T23:51:32.486000", "created": "2026-04-26T23:30:59.313000", "tags": [ "passive dns", "status", "urls", "creation date", "date", "pulse pulses", "files", "domain", "files ip", "address", "expiry date", "name", "query time", "code signing", "zlatin stamatov", "issuer certum", "ca valid", "from", "valid", "valid usage", "algorithm", "serial number", "certum code", "signing", "ca status", "valid issuer", "certum trusted", "network ca", "valid from", "status valid", "trusted network", "all algorithm", "client auth", "e7 ff", "thumbprint md5", "fa cd", "tags size", "mb format", "exe sha1", "body length", "b body", "sha256", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "os2 executable", "pe32 compiler", "exe32", "compiler" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 12, "FileHash-SHA256": 91, "URL": 58, "domain": 54, "hostname": 25, "email": 1, "CVE": 3 }, "indicator_count": 264, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eea0339cc87532959cb616", "name": "vxCube \u2014 Report", "description": "[Researchers have identified the first \"pulses\" to be created on a single domain, the GoDaddy.com, and the second to have been identified by its owner, a US company.] Date - 2024-12-10 11:15:23 UTC for [017076655d1d5d05656azcb!z] [exe parent of>] and [4ca5bc812211957dc963d03fc773d01d9b6643c4d99d31a9f9032fcbed39cf9c, 2025-06-02 05:00:56 UTC]", "modified": "2026-05-26T23:51:32.486000", "created": "2026-04-26T23:30:59.950000", "tags": [ "passive dns", "status", "urls", "creation date", "date", "pulse pulses", "files", "domain", "files ip", "address", "expiry date", "name", "query time", "code signing", "zlatin stamatov", "issuer certum", "ca valid", "from", "valid", "valid usage", "algorithm", "serial number", "certum code", "signing", "ca status", "valid issuer", "certum trusted", "network ca", "valid from", "status valid", "trusted network", "all algorithm", "client auth", "e7 ff", "thumbprint md5", "fa cd", "tags size", "mb format", "exe sha1", "body length", "b body", "sha256", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "os2 executable", "pe32 compiler", "exe32", "compiler" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 12, "FileHash-SHA256": 91, "URL": 58, "domain": 54, "hostname": 25, "email": 1, "CVE": 3 }, "indicator_count": 264, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ee2299c67d16921c030246", "name": "Calipology / SystemAutoUpdater - Trojanized RustDesk via Signed MSTeams Installer.", "description": "A recent investigation has revealed that a trojanized Microsoft Teams installer, named MSTeamsSetup.exe, is being used to distribute a malicious version of the RustDesk remote access client. This executable file, masquerading as legitimate software, is signed with a fraudulent certificate issued to Zlatin Stamatov by Certum. The command-and-control (C2) domain associated with this operation, http://mon.systemautoupdater.com, resolves to an IP address of 23.27.141.44, which is hosted by EvoXT, a provider linked to previous cybercrime activities involving the GeorgeGinx/Striker investigation. The fraudulent certificate suggests possible identity deception linked to a legitimate UK brake caliper refurbishment business, http://calipology.co.uk.", "modified": "2026-05-26T14:22:02.791000", "created": "2026-04-26T14:35:05.503000", "tags": [ "threat intelligence", "malware analysis", "c2 infrastructure", "apt campaigns", "iocs", "yara rules", "reverse engineering", "cybersecurity research", "striker c2", "tls certificate", "c2 server", "rustdesk", "evoxt", "godaddy", "code signing", "certum", "bots management", "ghost", "telegram", "first", "code", "crypto", "evolution" ], "references": [ "https://intel.breakglass.tech/post/systemautoupdater-23-27-141-44" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 2, "domain": 4, "email": 1, "hostname": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://intel.breakglass.tech/post/systemautoupdater-23-27-141-44", "IOCs.2026.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eea032b44c822fa321c040", "name": "vxCube \u2014 Report", "description": "[Researchers have identified the first \"pulses\" to be created on a single domain, the GoDaddy.com, and the second to have been identified by its owner, a US company.] Date - 2024-12-10 11:15:23 UTC for [017076655d1d5d05656azcb!z] [exe parent of>] and [4ca5bc812211957dc963d03fc773d01d9b6643c4d99d31a9f9032fcbed39cf9c, 2025-06-02 05:00:56 UTC]", "modified": "2026-05-26T23:51:32.486000", "created": "2026-04-26T23:30:58.043000", "tags": [ "passive dns", "status", "urls", "creation date", "date", "pulse pulses", "files", "domain", "files ip", "address", "expiry date", "name", "query time", "code signing", "zlatin stamatov", "issuer certum", "ca valid", "from", "valid", "valid usage", "algorithm", "serial number", "certum code", "signing", "ca status", "valid issuer", "certum trusted", "network ca", "valid from", "status valid", "trusted network", "all algorithm", "client auth", "e7 ff", "thumbprint md5", "fa cd", "tags size", "mb format", "exe sha1", "body length", "b body", "sha256", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "os2 executable", "pe32 compiler", "exe32", "compiler" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 13, "FileHash-SHA256": 92, "URL": 63, "domain": 54, "hostname": 27, "email": 1, "CVE": 3 }, "indicator_count": 274, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eea032c0007ec10cd71b6a", "name": "vxCube \u2014 Report", "description": "[Researchers have identified the first \"pulses\" to be created on a single domain, the GoDaddy.com, and the second to have been identified by its owner, a US company.] Date - 2024-12-10 11:15:23 UTC for [017076655d1d5d05656azcb!z] [exe parent of>] and [4ca5bc812211957dc963d03fc773d01d9b6643c4d99d31a9f9032fcbed39cf9c, 2025-06-02 05:00:56 UTC]", "modified": "2026-05-26T23:51:32.486000", "created": "2026-04-26T23:30:58.642000", "tags": [ "passive dns", "status", "urls", "creation date", "date", "pulse pulses", "files", "domain", "files ip", "address", "expiry date", "name", "query time", "code signing", "zlatin stamatov", "issuer certum", "ca valid", "from", "valid", "valid usage", "algorithm", "serial number", "certum code", "signing", "ca status", "valid issuer", "certum trusted", "network ca", "valid from", "status valid", "trusted network", "all algorithm", "client auth", "e7 ff", "thumbprint md5", "fa cd", "tags size", "mb format", "exe sha1", "body length", "b body", "sha256", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "os2 executable", "pe32 compiler", "exe32", "compiler" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 12, "FileHash-SHA256": 91, "URL": 58, "domain": 54, "hostname": 25, "email": 1, "CVE": 3 }, "indicator_count": 264, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eea03311228a15d06a2b2a", "name": "vxCube \u2014 Report", "description": "[Researchers have identified the first \"pulses\" to be created on a single domain, the GoDaddy.com, and the second to have been identified by its owner, a US company.] Date - 2024-12-10 11:15:23 UTC for [017076655d1d5d05656azcb!z] [exe parent of>] and [4ca5bc812211957dc963d03fc773d01d9b6643c4d99d31a9f9032fcbed39cf9c, 2025-06-02 05:00:56 UTC]", "modified": "2026-05-26T23:51:32.486000", "created": "2026-04-26T23:30:59.313000", "tags": [ "passive dns", "status", "urls", "creation date", "date", "pulse pulses", "files", "domain", "files ip", "address", "expiry date", "name", "query time", "code signing", "zlatin stamatov", "issuer certum", "ca valid", "from", "valid", "valid usage", "algorithm", "serial number", "certum code", "signing", "ca status", "valid issuer", "certum trusted", "network ca", "valid from", "status valid", "trusted network", "all algorithm", "client auth", "e7 ff", "thumbprint md5", "fa cd", "tags size", "mb format", "exe sha1", "body length", "b body", "sha256", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "os2 executable", "pe32 compiler", "exe32", "compiler" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 12, "FileHash-SHA256": 91, "URL": 58, "domain": 54, "hostname": 25, "email": 1, "CVE": 3 }, "indicator_count": 264, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eea0339cc87532959cb616", "name": "vxCube \u2014 Report", "description": "[Researchers have identified the first \"pulses\" to be created on a single domain, the GoDaddy.com, and the second to have been identified by its owner, a US company.] Date - 2024-12-10 11:15:23 UTC for [017076655d1d5d05656azcb!z] [exe parent of>] and [4ca5bc812211957dc963d03fc773d01d9b6643c4d99d31a9f9032fcbed39cf9c, 2025-06-02 05:00:56 UTC]", "modified": "2026-05-26T23:51:32.486000", "created": "2026-04-26T23:30:59.950000", "tags": [ "passive dns", "status", "urls", "creation date", "date", "pulse pulses", "files", "domain", "files ip", "address", "expiry date", "name", "query time", "code signing", "zlatin stamatov", "issuer certum", "ca valid", "from", "valid", "valid usage", "algorithm", "serial number", "certum code", "signing", "ca status", "valid issuer", "certum trusted", "network ca", "valid from", "status valid", "trusted network", "all algorithm", "client auth", "e7 ff", "thumbprint md5", "fa cd", "tags size", "mb format", "exe sha1", "body length", "b body", "sha256", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "os2 executable", "pe32 compiler", "exe32", "compiler" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 12, "FileHash-SHA256": 91, "URL": 58, "domain": 54, "hostname": 25, "email": 1, "CVE": 3 }, "indicator_count": 264, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ee2299c67d16921c030246", "name": "Calipology / SystemAutoUpdater - Trojanized RustDesk via Signed MSTeams Installer.", "description": "A recent investigation has revealed that a trojanized Microsoft Teams installer, named MSTeamsSetup.exe, is being used to distribute a malicious version of the RustDesk remote access client. This executable file, masquerading as legitimate software, is signed with a fraudulent certificate issued to Zlatin Stamatov by Certum. The command-and-control (C2) domain associated with this operation, http://mon.systemautoupdater.com, resolves to an IP address of 23.27.141.44, which is hosted by EvoXT, a provider linked to previous cybercrime activities involving the GeorgeGinx/Striker investigation. The fraudulent certificate suggests possible identity deception linked to a legitimate UK brake caliper refurbishment business, http://calipology.co.uk.", "modified": "2026-05-26T14:22:02.791000", "created": "2026-04-26T14:35:05.503000", "tags": [ "threat intelligence", "malware analysis", "c2 infrastructure", "apt campaigns", "iocs", "yara rules", "reverse engineering", "cybersecurity research", "striker c2", "tls certificate", "c2 server", "rustdesk", "evoxt", "godaddy", "code signing", "certum", "bots management", "ghost", "telegram", "first", "code", "crypto", "evolution" ], "references": [ "https://intel.breakglass.tech/post/systemautoupdater-23-27-141-44" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 2, "domain": 4, "email": 1, "hostname": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "systemautoupdater.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "systemautoupdater.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780180645.2319314 }