{
  "type": "Domain",
  "indicator": "telegrtam.com.cn",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/telegrtam.com.cn",
    "alexa": "http://www.alexa.com/siteinfo/telegrtam.com.cn",
    "indicator": "telegrtam.com.cn",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4282099826,
      "indicator": "telegrtam.com.cn",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "69d04548fc66ec860b90063e",
          "name": "ffbbbvhfdvjfbvjhfdvjhbfdv",
          "description": "",
          "modified": "2026-05-03T22:07:19.505000",
          "created": "2026-04-03T22:55:04.612000",
          "tags": [
            "a6 https",
            "a5 https"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "MohammedRizwan2001",
            "id": "361933",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 70,
            "URL": 659,
            "FileHash-MD5": 54,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 107,
            "email": 1,
            "hostname": 33
          },
          "indicator_count": 971,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "27 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cd4ab845e4c43edd557b92",
          "name": "EbeeMar2026 Pt8",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-01T16:15:36.188000",
          "created": "2026-04-01T16:41:28.726000",
          "tags": [],
          "references": [
            "IOCs.2026.pdf"
          ],
          "public": 1,
          "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 77,
            "FileHash-MD5": 156,
            "FileHash-SHA1": 159,
            "FileHash-SHA256": 186,
            "CVE": 1,
            "URL": 19,
            "email": 6,
            "hostname": 53
          },
          "indicator_count": 657,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "29 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c9df38bdefb2d893ab925b",
          "name": "IOC - Trust the Tunnel, Get the Trojan: Silver Fox Delivers AtlasCross RAT via Weaponized VPN Installers",
          "description": "A multi-stage remote access trojan campaign is actively targeting Chinese-speaking users through a network of typosquatted domains impersonating trusted software brands. The operation covers VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with eleven confirmed delivery domains impersonating brands including Surfshark VPN, Signal, Telegram, Zoom, Microsoft Teams, and others. All identified installer packages carry the same stolen Extended Validation code-signing certificate issued to a Vietnamese shell entity, lending them an appearance of legitimacy that bypasses both user suspicion and automated trust checks.",
          "modified": "2026-04-29T02:07:22.447000",
          "created": "2026-03-30T02:26:00.622000",
          "tags": [
            "delivery",
            "setup factory",
            "launchers",
            "atlascross rat",
            "decoy installer",
            "configuration",
            "ini config",
            "standalone rat",
            "executables",
            "november"
          ],
          "references": [
            "https://hexastrike.com/resources/blog/threat-intelligence/trust-the-tunnel-get-the-trojan-silver-fox-delivers-atlascross-rat-via-weaponized-vpn-installers/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 12,
            "FileHash-MD5": 20,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 21,
            "hostname": 2
          },
          "indicator_count": 75,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "32 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c95f5334002d20395becae",
          "name": "Trust the Tunnel, Get the Trojan: Silver Fox Delivers AtlasCross RAT via Weaponized VPN Installers",
          "description": "The Silver Fox threat group, also known as Void Arachne or SwimSnake, has initiated a sophisticated multi-stage remote access trojan (RAT) campaign targeting Chinese-speaking users. The campaign primarily relies on a network of typosquatted domains that mimic trusted applications widely used in China, such as VPN clients, encrypted messaging tools, and e-commerce applications. Distribution runs through eleven identified domains impersonating reputable software brands, and all delivery installers are signed with the same stolen Extended Validation (EV) code-signing certificate issued to a Vietnamese entity.",
          "modified": "2026-04-28T17:01:55.604000",
          "created": "2026-03-29T17:20:19.185000",
          "tags": [
            "setup factory",
            "silver fox",
            "inno setup",
            "c2 domain",
            "gh0st rat",
            "rdp session",
            "sha256",
            "groups",
            "atlascross rat",
            "remark",
            "powershell",
            "valleyrat",
            "winos",
            "telegram",
            "installer",
            "dword",
            "phase",
            "shellcode",
            "gh0st",
            "service",
            "root",
            "code",
            "fox",
            "sf8",
            "atlasagent",
            "administrators",
            "ultraviewer",
            "powerchell",
            "atlascross"
          ],
          "references": [
            "https://hexastrike.com/resources/blog/threat-intelligence/trust-the-tunnel-get-the-trojan-silver-fox-delivers-atlascross-rat-via-weaponized-vpn-installers/"
          ],
          "public": 1,
          "adversary": "Silver Fox",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            }
          ],
          "industries": [
            "E-commerce"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 14,
            "FileHash-MD5": 20,
            "FileHash-SHA1": 21,
            "FileHash-SHA256": 21,
            "CIDR": 1,
            "URL": 1,
            "hostname": 2
          },
          "indicator_count": 80,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "32 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IOCs.2026.pdf",
        "https://hexastrike.com/resources/blog/threat-intelligence/trust-the-tunnel-get-the-trojan-silver-fox-delivers-atlascross-rat-via-weaponized-vpn-installers/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Silver Fox",
            "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT"
          ],
          "malware_families": [],
          "industries": [
            "E-commerce"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "69d04548fc66ec860b90063e",
      "name": "ffbbbvhfdvjfbvjhfdvjhbfdv",
      "description": "",
      "modified": "2026-05-03T22:07:19.505000",
      "created": "2026-04-03T22:55:04.612000",
      "tags": [
        "a6 https",
        "a5 https"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "MohammedRizwan2001",
        "id": "361933",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 70,
        "URL": 659,
        "FileHash-MD5": 54,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 107,
        "email": 1,
        "hostname": 33
      },
      "indicator_count": 971,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "27 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cd4ab845e4c43edd557b92",
      "name": "EbeeMar2026 Pt8",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-01T16:15:36.188000",
      "created": "2026-04-01T16:41:28.726000",
      "tags": [],
      "references": [
        "IOCs.2026.pdf"
      ],
      "public": 1,
      "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 77,
        "FileHash-MD5": 156,
        "FileHash-SHA1": 159,
        "FileHash-SHA256": 186,
        "CVE": 1,
        "URL": 19,
        "email": 6,
        "hostname": 53
      },
      "indicator_count": 657,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "29 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c9df38bdefb2d893ab925b",
      "name": "IOC - Trust the Tunnel, Get the Trojan: Silver Fox Delivers AtlasCross RAT via Weaponized VPN Installers",
      "description": "A multi-stage remote access trojan campaign is actively targeting Chinese-speaking users through a network of typosquatted domains impersonating trusted software brands. The operation covers VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with eleven confirmed delivery domains impersonating brands including Surfshark VPN, Signal, Telegram, Zoom, Microsoft Teams, and others. All identified installer packages carry the same stolen Extended Validation code-signing certificate issued to a Vietnamese shell entity, lending them an appearance of legitimacy that bypasses both user suspicion and automated trust checks.",
      "modified": "2026-04-29T02:07:22.447000",
      "created": "2026-03-30T02:26:00.622000",
      "tags": [
        "delivery",
        "setup factory",
        "launchers",
        "atlascross rat",
        "decoy installer",
        "configuration",
        "ini config",
        "standalone rat",
        "executables",
        "november"
      ],
      "references": [
        "https://hexastrike.com/resources/blog/threat-intelligence/trust-the-tunnel-get-the-trojan-silver-fox-delivers-atlascross-rat-via-weaponized-vpn-installers/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 12,
        "FileHash-MD5": 20,
        "FileHash-SHA1": 20,
        "FileHash-SHA256": 21,
        "hostname": 2
      },
      "indicator_count": 75,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "32 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c95f5334002d20395becae",
      "name": "Trust the Tunnel, Get the Trojan: Silver Fox Delivers AtlasCross RAT via Weaponized VPN Installers",
      "description": "The Silver Fox threat group, also known as Void Arachne or SwimSnake, has initiated a sophisticated multi-stage remote access trojan (RAT) campaign targeting Chinese-speaking users. The campaign primarily relies on a network of typosquatted domains that mimic trusted applications widely used in China, such as VPN clients, encrypted messaging tools, and e-commerce applications. Distribution runs through eleven identified domains impersonating reputable software brands, and all delivery installers are signed with the same stolen Extended Validation (EV) code-signing certificate issued to a Vietnamese entity.",
      "modified": "2026-04-28T17:01:55.604000",
      "created": "2026-03-29T17:20:19.185000",
      "tags": [
        "setup factory",
        "silver fox",
        "inno setup",
        "c2 domain",
        "gh0st rat",
        "rdp session",
        "sha256",
        "groups",
        "atlascross rat",
        "remark",
        "powershell",
        "valleyrat",
        "winos",
        "telegram",
        "installer",
        "dword",
        "phase",
        "shellcode",
        "gh0st",
        "service",
        "root",
        "code",
        "fox",
        "sf8",
        "atlasagent",
        "administrators",
        "ultraviewer",
        "powerchell",
        "atlascross"
      ],
      "references": [
        "https://hexastrike.com/resources/blog/threat-intelligence/trust-the-tunnel-get-the-trojan-silver-fox-delivers-atlascross-rat-via-weaponized-vpn-installers/"
      ],
      "public": 1,
      "adversary": "Silver Fox",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        }
      ],
      "industries": [
        "E-commerce"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 14,
        "FileHash-MD5": 20,
        "FileHash-SHA1": 21,
        "FileHash-SHA256": 21,
        "CIDR": 1,
        "URL": 1,
        "hostname": 2
      },
      "indicator_count": 80,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "32 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "telegrtam.com.cn",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "telegrtam.com.cn",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780197669.8252964
}