{ "type": "Domain", "indicator": "theloder.top", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/theloder.top", "alexa": "http://www.alexa.com/siteinfo/theloder.top", "indicator": "theloder.top", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3683585380, "indicator": "theloder.top", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "5fa1ee5c64dc0e2060647954", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-31T01:17:54.397000", "created": "2020-11-03T23:57:16.317000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 130484, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo_testing", "id": "83138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45551, "domain": 66446 }, "indicator_count": 111997, "is_author": false, "is_subscribing": null, "subscriber_count": 971, "modified_text": "6 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6764c20a49646c5fc3c5a153", "name": "https://psz.zus.pl", "description": "Sugerowany opis:\nPe\u0142ny raport na temat plan\u00f3w polskiego rz\u0105du dotycz\u0105cych referendum unijnego zosta\u0142 opublikowany w serwisie Zus.pl oraz na stronie g\u0142\u00f3wnej tego portalu, kt\u00f3ra dzia\u0142a obecnie w tym samym czasie.", "modified": "2025-05-14T21:16:39.393000", "created": "2024-12-20T01:02:02.761000", "tags": [ "sha256", "vhash", "ssdeep", "zrzuty ekranu", "wykrycia", "pliki", "liczba prbek", "skopiuj", "ukryj prbki", "pokazywa", "skrt", "hash", "kthreaddi", "c start", "plik", "dgc4ph baza", "wiadomoci", "kompresor", "ip k40g", "layton m0355", "n o365", "ilo o2o", "skanowanie", "udostpnij", "plik sha256", "data", "zwizane z", "zoliwym", "awasta elf", "zakaenie", "pani obroczyni", "trojan", "mtb zakaenie", "ostatnia", "2063947519", "nazwa", "adresy url", "nazwa https", "adowania", "jeli plik", "clay", "ojsreso", "o poniej", "url https", "http request", "method get", "country a", "polandpoland as", "name zaklad", "as number", "mime type", "data size", "size", "critical", "frame id", "b time" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 259, "FileHash-SHA256": 282, "domain": 161, "hostname": 235, "FileHash-MD5": 192, "FileHash-SHA1": 190 }, "indicator_count": 1319, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b5461ad2cb2f9e8d342d", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:06.188000", "created": "2024-02-06T22:40:06.188000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "844 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b543bc2adfd3eca5ff2b", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:03.501000", "created": "2024-02-06T22:40:03.501000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "844 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b5405e6e9e23324e6d8e", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:00.906000", "created": "2024-02-06T22:40:00.906000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "844 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c176bf14908e11e80d8", "name": "TechM-Threat Intel Report - W23-2023", "description": "", "modified": "2023-12-06T16:06:47.815000", "created": "2023-12-06T16:06:47.815000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 130, "FileHash-MD5": 46, "FileHash-SHA1": 46, "domain": 125, "hostname": 42, "URL": 123, "CVE": 1 }, "indicator_count": 513, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647da78794bf55c527ee8400", "name": "TechM-Threat Intel Report - W23-2023", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2023-07-05T08:04:41.483000", "created": "2023-06-05T09:14:47.526000", "tags": [ "kimsuky", "linux", "blackcat", "romcom", "qbot", "remote access", "cvss", "cvss base", "jetpack plugin", "million", "latin america", "camaro dragon", "strikes", "python code", "gigabyte", "dark pink", "romcom rat", "royal", "rokrat", "scarcruft", "indonesia", "exploit", "hashes domains", "ip address", "blacklist host", "ip country", "latest spambot", "visit", "activity", "china", "singapore", "romania", "quakbot", "stealc", "anydesk", "guloader", "date", "malware url", "tags", "agenttesla", "rhadamanthy", "privateloader", "smoke loader", "sha1 file", "name submit" ], "references": [ "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "https://www.dnsbl.info/" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Viet Nam", "Thailand", "Indonesia", "Brunei Darussalam", "Belgium", "United States of America", "Korea, Democratic People's Republic of", "Japan" ], "malware_families": [ { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "RomCom", "display_name": "RomCom", "target": null }, { "id": "BlackCat", "display_name": "BlackCat", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [ "Media", "Social Engineering" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 46, "FileHash-SHA1": 46, "FileHash-SHA256": 130, "URL": 123, "domain": 125, "hostname": 42, "CVE": 1 }, "indicator_count": 513, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1060 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "646bf93dc90c6e82257e428e", "name": "Twitter Feed - g0njxa - 22-05-2023", "description": "", "modified": "2023-05-22T23:22:37.147000", "created": "2023-05-22T23:22:37.147000", "tags": [ "RedLine" ], "references": [ "https://twitter.com/g0njxa/status/1660655181577572354" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1104 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.dnsbl.info/", "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "https://twitter.com/g0njxa/status/1660655181577572354" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Kimsuky" ], "malware_families": [ "Romcom", "Blackcat", "Linux", "Remote access", "Qbot" ], "industries": [ "Social engineering", "Media" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "5fa1ee5c64dc0e2060647954", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-31T01:17:54.397000", "created": "2020-11-03T23:57:16.317000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 130484, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo_testing", "id": "83138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45551, "domain": 66446 }, "indicator_count": 111997, "is_author": false, "is_subscribing": null, "subscriber_count": 971, "modified_text": "6 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6764c20a49646c5fc3c5a153", "name": "https://psz.zus.pl", "description": "Sugerowany opis:\nPe\u0142ny raport na temat plan\u00f3w polskiego rz\u0105du dotycz\u0105cych referendum unijnego zosta\u0142 opublikowany w serwisie Zus.pl oraz na stronie g\u0142\u00f3wnej tego portalu, kt\u00f3ra dzia\u0142a obecnie w tym samym czasie.", "modified": "2025-05-14T21:16:39.393000", "created": "2024-12-20T01:02:02.761000", "tags": [ "sha256", "vhash", "ssdeep", "zrzuty ekranu", "wykrycia", "pliki", "liczba prbek", "skopiuj", "ukryj prbki", "pokazywa", "skrt", "hash", "kthreaddi", "c start", "plik", "dgc4ph baza", "wiadomoci", "kompresor", "ip k40g", "layton m0355", "n o365", "ilo o2o", "skanowanie", "udostpnij", "plik sha256", "data", "zwizane z", "zoliwym", "awasta elf", "zakaenie", "pani obroczyni", "trojan", "mtb zakaenie", "ostatnia", "2063947519", "nazwa", "adresy url", "nazwa https", "adowania", "jeli plik", "clay", "ojsreso", "o poniej", "url https", "http request", "method get", "country a", "polandpoland as", "name zaklad", "as number", "mime type", "data size", "size", "critical", "frame id", "b time" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 259, "FileHash-SHA256": 282, "domain": 161, "hostname": 235, "FileHash-MD5": 192, "FileHash-SHA1": 190 }, "indicator_count": 1319, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b5461ad2cb2f9e8d342d", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:06.188000", "created": "2024-02-06T22:40:06.188000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "844 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b543bc2adfd3eca5ff2b", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:03.501000", "created": "2024-02-06T22:40:03.501000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "844 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b5405e6e9e23324e6d8e", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:00.906000", "created": "2024-02-06T22:40:00.906000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "844 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c176bf14908e11e80d8", "name": "TechM-Threat Intel Report - W23-2023", "description": "", "modified": "2023-12-06T16:06:47.815000", "created": "2023-12-06T16:06:47.815000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 130, "FileHash-MD5": 46, "FileHash-SHA1": 46, "domain": 125, "hostname": 42, "URL": 123, "CVE": 1 }, "indicator_count": 513, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647da78794bf55c527ee8400", "name": "TechM-Threat Intel Report - W23-2023", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2023-07-05T08:04:41.483000", "created": "2023-06-05T09:14:47.526000", "tags": [ "kimsuky", "linux", "blackcat", "romcom", "qbot", "remote access", "cvss", "cvss base", "jetpack plugin", "million", "latin america", "camaro dragon", "strikes", "python code", "gigabyte", "dark pink", "romcom rat", "royal", "rokrat", "scarcruft", "indonesia", "exploit", "hashes domains", "ip address", "blacklist host", "ip country", "latest spambot", "visit", "activity", "china", "singapore", "romania", "quakbot", "stealc", "anydesk", "guloader", "date", "malware url", "tags", "agenttesla", "rhadamanthy", "privateloader", "smoke loader", "sha1 file", "name submit" ], "references": [ "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "https://www.dnsbl.info/" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Viet Nam", "Thailand", "Indonesia", "Brunei Darussalam", "Belgium", "United States of America", "Korea, Democratic People's Republic of", "Japan" ], "malware_families": [ { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "RomCom", "display_name": "RomCom", "target": null }, { "id": "BlackCat", "display_name": "BlackCat", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [ "Media", "Social Engineering" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 46, "FileHash-SHA1": 46, "FileHash-SHA256": 130, "URL": 123, "domain": 125, "hostname": 42, "CVE": 1 }, "indicator_count": 513, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1060 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "646bf93dc90c6e82257e428e", "name": "Twitter Feed - g0njxa - 22-05-2023", "description": "", "modified": "2023-05-22T23:22:37.147000", "created": "2023-05-22T23:22:37.147000", "tags": [ "RedLine" ], "references": [ "https://twitter.com/g0njxa/status/1660655181577572354" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1104 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "theloder.top", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "theloder.top", "found": true, "verdict": "malicious", "url_count": 1, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://theloder.top/top/100.exe", "status": "offline", "threat": "malware_download", "date_added": "2023-05-30", "tags": [ "32", "CoinMiner", "exe", "RedLineStealer" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780213038.1366086 }