{ "type": "Domain", "indicator": "techmails.top", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/techmails.top", "alexa": "http://www.alexa.com/siteinfo/techmails.top", "indicator": "techmails.top", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4224162017, "indicator": "techmails.top", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "699e76bb092a7cadf2ef9ddd", "name": "DEFENDER's TI (Compiled)", "description": "This pulse contains IOC's shared by Defender in the Threat Analytics blogs and more.", "modified": "2026-04-13T11:11:07.644000", "created": "2026-02-25T04:12:43.120000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sharkstriker_soc", "id": "139120", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "domain": 68, "hostname": 389, "FileHash-MD5": 332, "FileHash-SHA1": 326, "FileHash-SHA256": 1063, "email": 1, "IPv4": 54 }, "indicator_count": 2298, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a046863c1c92107079f81b", "name": "EbeeFeb2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-31T06:00:59.128000", "created": "2026-02-26T13:11:34.763000", "tags": [ "filehashsha1", "filehashsha256", "filehashmd5" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Contagious Interview Campaign, Triton fork campaign, CRESCENTHARVEST, MIMICRAT, Operation Olalampo", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 78, "FileHash-MD5": 191, "FileHash-SHA1": 220, "FileHash-SHA256": 192, "CVE": 2, "URL": 58, "domain": 220 }, "indicator_count": 961, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699c3e94318a137a3a3d1a5f", "name": "Brand Impersonation Phishing Delivers JWrapper-Packaged SimpleHelp RAT via Fake Document Portals", "description": "", "modified": "2026-03-25T11:18:19.695000", "created": "2026-02-23T11:48:31.845000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cherryid", "id": "383941", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "domain": 1, "hostname": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699a20d413948367ecddda9b", "name": "Brand Trust as a Weapon: Multi-Brand Impersonation Campaigns Deliver JWrapper Malware", "description": "Recent cyber threat campaigns have exploited the trust associated with well-known brands, specifically targeting DocuSign and SimpleHelp to distribute JWrapper malware. Attackers create fraudulent communications that appear legitimate to trick users into executing harmful software. These campaigns incorporate malicious executables disguised within documents or download links that impersonate the trusted brands.\n\nThe malware delivery mechanism relies heavily on JWrapper, a Java-based installer framework that packages the required Java Virtual Machine (JVM) along with application files, creating a single executable that functions across different operating systems. Although JWrapper assists in the delivery and installation of malware, the actual remote access capability is primarily provided by the SimpleHelp Remote Monitoring and Management (RMM) tool.", "modified": "2026-03-23T21:14:13.721000", "created": "2026-02-21T21:17:08.536000", "tags": [ "figure", "simplehelp", "jwrapper", "cofense", "platform", "new era", "ai download", "strong", "docusign", "command", "body", "demo", "malware", "february", "monitoring", "trojan", "final", "phishme", "accept", "remote access" ], "references": [ "https://cofense.com/blog/brand-trust-as-a-weapon-multi-brand-impersonation-campaigns-deliver-jwrapper-malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "JWrapper", "display_name": "JWrapper", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 3, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "URL": 4, "domain": 2, "hostname": 1 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699fc0513ab49ceb22c6d96b", "name": "TCS IOC", "description": "", "modified": "2026-02-26T03:38:57.799000", "created": "2026-02-26T03:38:57.799000", "tags": [ "https", "f https", "msgtype1", "http", "apiv2init" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "myerioc72", "id": "364999", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 22, "URL": 249, "FileHash-MD5": 242, "FileHash-SHA1": 337, "FileHash-SHA256": 322, "domain": 811, "hostname": 124 }, "indicator_count": 2107, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "53 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.csv", "https://cofense.com/blog/brand-trust-as-a-weapon-multi-brand-impersonation-campaigns-deliver-jwrapper-malware" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Contagious Interview Campaign, Triton fork campaign, CRESCENTHARVEST, MIMICRAT, Operation Olalampo" ], "malware_families": [ "Jwrapper" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "699e76bb092a7cadf2ef9ddd", "name": "DEFENDER's TI (Compiled)", "description": "This pulse contains IOC's shared by Defender in the Threat Analytics blogs and more.", "modified": "2026-04-13T11:11:07.644000", "created": "2026-02-25T04:12:43.120000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sharkstriker_soc", "id": "139120", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "domain": 68, "hostname": 389, "FileHash-MD5": 332, "FileHash-SHA1": 326, "FileHash-SHA256": 1063, "email": 1, "IPv4": 54 }, "indicator_count": 2298, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a046863c1c92107079f81b", "name": "EbeeFeb2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-31T06:00:59.128000", "created": "2026-02-26T13:11:34.763000", "tags": [ "filehashsha1", "filehashsha256", "filehashmd5" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Contagious Interview Campaign, Triton fork campaign, CRESCENTHARVEST, MIMICRAT, Operation Olalampo", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 78, "FileHash-MD5": 191, "FileHash-SHA1": 220, "FileHash-SHA256": 192, "CVE": 2, "URL": 58, "domain": 220 }, "indicator_count": 961, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699c3e94318a137a3a3d1a5f", "name": "Brand Impersonation Phishing Delivers JWrapper-Packaged SimpleHelp RAT via Fake Document Portals", "description": "", "modified": "2026-03-25T11:18:19.695000", "created": "2026-02-23T11:48:31.845000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cherryid", "id": "383941", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "domain": 1, "hostname": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699a20d413948367ecddda9b", "name": "Brand Trust as a Weapon: Multi-Brand Impersonation Campaigns Deliver JWrapper Malware", "description": "Recent cyber threat campaigns have exploited the trust associated with well-known brands, specifically targeting DocuSign and SimpleHelp to distribute JWrapper malware. Attackers create fraudulent communications that appear legitimate to trick users into executing harmful software. These campaigns incorporate malicious executables disguised within documents or download links that impersonate the trusted brands.\n\nThe malware delivery mechanism relies heavily on JWrapper, a Java-based installer framework that packages the required Java Virtual Machine (JVM) along with application files, creating a single executable that functions across different operating systems. Although JWrapper assists in the delivery and installation of malware, the actual remote access capability is primarily provided by the SimpleHelp Remote Monitoring and Management (RMM) tool.", "modified": "2026-03-23T21:14:13.721000", "created": "2026-02-21T21:17:08.536000", "tags": [ "figure", "simplehelp", "jwrapper", "cofense", "platform", "new era", "ai download", "strong", "docusign", "command", "body", "demo", "malware", "february", "monitoring", "trojan", "final", "phishme", "accept", "remote access" ], "references": [ "https://cofense.com/blog/brand-trust-as-a-weapon-multi-brand-impersonation-campaigns-deliver-jwrapper-malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "JWrapper", "display_name": "JWrapper", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 3, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "URL": 4, "domain": 2, "hostname": 1 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699fc0513ab49ceb22c6d96b", "name": "TCS IOC", "description": "", "modified": "2026-02-26T03:38:57.799000", "created": "2026-02-26T03:38:57.799000", "tags": [ "https", "f https", "msgtype1", "http", "apiv2init" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "myerioc72", "id": "364999", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 22, "URL": 249, "FileHash-MD5": 242, "FileHash-SHA1": 337, "FileHash-SHA256": 322, "domain": 811, "hostname": 124 }, "indicator_count": 2107, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "53 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "techmails.top", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "techmails.top", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776723291.1342983 }