{ "type": "Domain", "indicator": "tblsys.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/tblsys.com", "alexa": "http://www.alexa.com/siteinfo/tblsys.com", "indicator": "tblsys.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3951320569, "indicator": "tblsys.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69c64918d4b28fe95cb6bf3f", "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign D clone credit AustinBH", "description": "", "modified": "2026-03-27T09:08:40.507000", "created": "2026-03-27T09:08:40.507000", "tags": [ "google sheet", "voldemort", "proofpoint", "cobalt strike", "webdav share", "uuid", "google sheets", "august", "google drive", "python code", "webdav", "python", "service", "click", "powershell", "test", "webex", "rats", "format", "explorer", "malware", "stub", "code", "win64", "defense" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "66d73a858bb238c25b7069a8", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "URL": 18, "domain": 4, "email": 1, "hostname": 8 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "68 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d73a858bb238c25b7069a8", "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US", "description": "", "modified": "2024-10-03T16:03:15.787000", "created": "2024-09-03T16:34:13.963000", "tags": [ "google sheet", "voldemort", "proofpoint", "cobalt strike", "webdav share", "uuid", "google sheets", "august", "google drive", "python code", "webdav", "python", "service", "click", "powershell", "test", "webex", "rats", "format", "explorer", "malware", "stub", "code", "win64", "defense" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "URL": 18, "domain": 4, "email": 1, "hostname": 8 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "607 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d3a207bc1222dd721843f7", "name": "Espionage Malware Campaign Uses Google Sheets for C2, Targets Global Organizations", "description": "Cybersecurity researchers have uncovered a sophisticated malware campaign targeting organizations worldwide. The attackers, impersonating tax authorities, lure victims with fraudulent emails containing malicious links. Once clicked, these links deliver a malicious payload that installs a backdoor known as \"Voldemort.\"", "modified": "2024-09-30T23:00:03.475000", "created": "2024-08-31T23:06:47.276000", "tags": [ "google sheet", "voldemort", "proofpoint", "cobalt strike", "webdav share", "uuid", "google sheets", "august", "google drive", "python code", "webdav", "python", "service", "click", "powershell", "test", "webex", "rats", "format", "explorer", "malware", "stub", "code", "win64", "defense" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "public": 1, "adversary": "Voldemort", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Voldemort", "display_name": "Voldemort", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [ "Government", "Higher Education", "Insurance", "Aerospace", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-SHA256": 5, "URL": 17, "email": 1, "hostname": 7 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 214, "modified_text": "610 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d1da211c4544ddf765b650", "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and business from the latest threats, trends and issues in the cybersecurity industry, in a comprehensive guide to the company's products and services.", "modified": "2024-09-29T14:01:21.291000", "created": "2024-08-30T14:41:37.271000", "tags": [ "google sheet", "voldemort", "proofpoint", "cobalt strike", "webdav share", "uuid", "google sheets", "august", "google drive", "python code", "webdav", "python", "service", "click", "powershell", "test", "webex", "rats", "format", "explorer", "malware", "stub", "code", "win64", "defense" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "public": 1, "adversary": "Voldemort", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Voldemort", "display_name": "Voldemort", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [ "Government", "Higher Education", "Insurance", "Aerospace", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "FileHash-SHA256": 5, "URL": 18, "email": 1, "hostname": 8 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d1a13302f788b415166f87", "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and business from the latest threats, trends and issues in the cybersecurity industry, in a comprehensive guide to the company's products and services.", "modified": "2024-09-29T10:02:29.978000", "created": "2024-08-30T10:38:43.741000", "tags": [ "google sheet", "voldemort", "proofpoint", "cobalt strike", "webdav share", "uuid", "google sheets", "august", "google drive", "python code", "webdav", "python", "service", "click", "powershell", "test", "webex", "rats", "format", "explorer", "malware", "stub", "code", "win64", "defense" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "public": 1, "adversary": "Voldemort", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Voldemort", "display_name": "Voldemort", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [ "Government", "Higher Education", "Insurance", "Aerospace", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-SHA256": 5, "URL": 18, "email": 1, "hostname": 8 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d1151123006ec958ef3efb", "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US", "description": "", "modified": "2024-09-29T00:02:28.450000", "created": "2024-08-30T00:40:49.647000", "tags": [ "google sheet", "voldemort", "proofpoint", "cobalt strike", "webdav share", "uuid", "google sheets", "august", "google drive", "python code", "webdav", "python", "service", "click", "powershell", "test", "webex", "rats", "format", "explorer", "malware", "stub", "code", "win64", "defense" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-SHA256": 5, "URL": 17, "email": 1, "hostname": 7 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Voldemort" ], "malware_families": [ "Voldemort", "Cobalt strike" ], "industries": [ "Government", "Insurance", "Higher education", "Transportation", "Aerospace" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69c64918d4b28fe95cb6bf3f", "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign D clone credit AustinBH", "description": "", "modified": "2026-03-27T09:08:40.507000", "created": "2026-03-27T09:08:40.507000", "tags": [ "google sheet", "voldemort", "proofpoint", "cobalt strike", "webdav share", "uuid", "google sheets", "august", "google drive", "python code", "webdav", "python", "service", "click", "powershell", "test", "webex", "rats", "format", "explorer", "malware", "stub", "code", "win64", "defense" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "66d73a858bb238c25b7069a8", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "URL": 18, "domain": 4, "email": 1, "hostname": 8 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "68 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d73a858bb238c25b7069a8", "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US", "description": "", "modified": "2024-10-03T16:03:15.787000", "created": "2024-09-03T16:34:13.963000", "tags": [ "google sheet", "voldemort", "proofpoint", "cobalt strike", "webdav share", "uuid", "google sheets", "august", "google drive", "python code", "webdav", "python", "service", "click", "powershell", "test", "webex", "rats", "format", "explorer", "malware", "stub", "code", "win64", "defense" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "URL": 18, "domain": 4, "email": 1, "hostname": 8 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "607 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d3a207bc1222dd721843f7", "name": "Espionage Malware Campaign Uses Google Sheets for C2, Targets Global Organizations", "description": "Cybersecurity researchers have uncovered a sophisticated malware campaign targeting organizations worldwide. The attackers, impersonating tax authorities, lure victims with fraudulent emails containing malicious links. Once clicked, these links deliver a malicious payload that installs a backdoor known as \"Voldemort.\"", "modified": "2024-09-30T23:00:03.475000", "created": "2024-08-31T23:06:47.276000", "tags": [ "google sheet", "voldemort", "proofpoint", "cobalt strike", "webdav share", "uuid", "google sheets", "august", "google drive", "python code", "webdav", "python", "service", "click", "powershell", "test", "webex", "rats", "format", "explorer", "malware", "stub", "code", "win64", "defense" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "public": 1, "adversary": "Voldemort", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Voldemort", "display_name": "Voldemort", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [ "Government", "Higher Education", "Insurance", "Aerospace", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-SHA256": 5, "URL": 17, "email": 1, "hostname": 7 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 214, "modified_text": "610 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d1da211c4544ddf765b650", "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and business from the latest threats, trends and issues in the cybersecurity industry, in a comprehensive guide to the company's products and services.", "modified": "2024-09-29T14:01:21.291000", "created": "2024-08-30T14:41:37.271000", "tags": [ "google sheet", "voldemort", "proofpoint", "cobalt strike", "webdav share", "uuid", "google sheets", "august", "google drive", "python code", "webdav", "python", "service", "click", "powershell", "test", "webex", "rats", "format", "explorer", "malware", "stub", "code", "win64", "defense" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "public": 1, "adversary": "Voldemort", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Voldemort", "display_name": "Voldemort", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [ "Government", "Higher Education", "Insurance", "Aerospace", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "FileHash-SHA256": 5, "URL": 18, "email": 1, "hostname": 8 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d1a13302f788b415166f87", "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and business from the latest threats, trends and issues in the cybersecurity industry, in a comprehensive guide to the company's products and services.", "modified": "2024-09-29T10:02:29.978000", "created": "2024-08-30T10:38:43.741000", "tags": [ "google sheet", "voldemort", "proofpoint", "cobalt strike", "webdav share", "uuid", "google sheets", "august", "google drive", "python code", "webdav", "python", "service", "click", "powershell", "test", "webex", "rats", "format", "explorer", "malware", "stub", "code", "win64", "defense" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "public": 1, "adversary": "Voldemort", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Voldemort", "display_name": "Voldemort", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [ "Government", "Higher Education", "Insurance", "Aerospace", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-SHA256": 5, "URL": 18, "email": 1, "hostname": 8 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d1151123006ec958ef3efb", "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US", "description": "", "modified": "2024-09-29T00:02:28.450000", "created": "2024-08-30T00:40:49.647000", "tags": [ "google sheet", "voldemort", "proofpoint", "cobalt strike", "webdav share", "uuid", "google sheets", "august", "google drive", "python code", "webdav", "python", "service", "click", "powershell", "test", "webex", "rats", "format", "explorer", "malware", "stub", "code", "win64", "defense" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-SHA256": 5, "URL": 17, "email": 1, "hostname": 7 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "tblsys.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "tblsys.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780487683.3842626 }