{ "type": "Domain", "indicator": "thesecurevpn.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/thesecurevpn.com", "alexa": "http://www.alexa.com/siteinfo/thesecurevpn.com", "indicator": "thesecurevpn.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3367017436, "indicator": "thesecurevpn.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "63809fb03dacd453ae69d37b", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps", "description": "ESET researchers have identified an active campaign by the Bahamut cybermercenary group, which targets Android users with fake VPN apps, and can extract sensitive data from their victims\u2019 messaging apps.", "modified": "2022-11-25T10:57:51.711000", "created": "2022-11-25T10:57:51.711000", "tags": [ "bahamut", "apt", "android" ], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "Bahamut", "targeted_countries": [], "malware_families": [ { "id": "Bahamut Spyware", "display_name": "Bahamut Spyware", "target": null } ], "attack_ids": [ { "id": "T1398", "name": "Modify OS Kernel or Boot Partition", "display_name": "T1398 - Modify OS Kernel or Boot Partition" }, { "id": "T1420", "name": "File and Directory Discovery", "display_name": "T1420 - File and Directory Discovery" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1417", "name": "Input Capture", "display_name": "T1417 - Input Capture" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1532", "name": "Data Encrypted", "display_name": "T1532 - Data Encrypted" }, { "id": "T1437", "name": "Standard Application Layer Protocol", "display_name": "T1437 - Standard Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 426, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 387190, "modified_text": "1286 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "637f72e49231d447f2f11b91", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity", "description": "ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut cybermercenary group, which they believe is a well-established and highly targeted cyber-espionage group.", "modified": "2022-12-01T03:03:45.314000", "created": "2022-11-24T13:34:28.527000", "tags": [ "APT", "Bahamut" ], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Bahamut", "display_name": "Bahamut", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sunqiang", "id": "57272", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_57272/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1280 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "637f72521f0b41ad3bf79630", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity", "description": "ESET researchers have identified an active campaign targeting Android users with fake VPN apps, conducted by the Bahamut cybermercenary group, which is believed to be operating in the Middle East and South Asia.", "modified": "2022-12-01T02:58:16.389000", "created": "2022-11-24T13:32:02.698000", "tags": [], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sunqiang", "id": "57272", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_57272/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 3 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1280 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6380f229bde8988c74e09554", "name": "Bahamut APT group uses fake VPN apps to target android users", "description": "", "modified": "2022-11-25T16:49:45.145000", "created": "2022-11-25T16:49:45.145000", "tags": [], "references": [ "November 25th, 2022 - CryptoGen Cyber Threat Intelligence - Bahamut APT group uses fake VPN apps to target android users.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "1286 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6380ab76ce2b465a1d0c2f0c", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity", "description": "ESET researchers have identified an active campaign by the Bahamut cybermercenary group, which targets Android users with fake VPN apps, and can extract sensitive data from their victims\u2019 messaging apps.", "modified": "2022-11-25T11:48:06.684000", "created": "2022-11-25T11:48:06.684000", "tags": [ "bahamut", "discovery bahamut", "securechat", "securevpn", "scripts bahamut", "keylogging bahamut", "tracking bahamut", "capture bahamut", "data bahamut", "list bahamut", "messages bahamut", "protocols bahamut", "channel bahamut", "bahamut spyware", "figure", "c server", "openvpn", "fake securevpn", "google play", "softvpn", "securevpn app", "viber", "android", "borges", "hunter", "twitter", "chat", "lazarus" ], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "Bahamut", "targeted_countries": [], "malware_families": [ { "id": "Channel Bahamut", "display_name": "Channel Bahamut", "target": null }, { "id": "Protocols Bahamut", "display_name": "Protocols Bahamut", "target": null }, { "id": "Messages Bahamut", "display_name": "Messages Bahamut", "target": null }, { "id": "List Bahamut", "display_name": "List Bahamut", "target": null }, { "id": "Data Bahamut", "display_name": "Data Bahamut", "target": null }, { "id": "Capture Bahamut", "display_name": "Capture Bahamut", "target": null }, { "id": "Tracking Bahamut", "display_name": "Tracking Bahamut", "target": null }, { "id": "Keylogging Bahamut", "display_name": "Keylogging Bahamut", "target": null }, { "id": "Scripts Bahamut", "display_name": "Scripts Bahamut", "target": null }, { "id": "SecureVPN", "display_name": "SecureVPN", "target": null }, { "id": "SecureChat", "display_name": "SecureChat", "target": null }, { "id": "Discovery Bahamut", "display_name": "Discovery Bahamut", "target": null }, { "id": "Bahamut", "display_name": "Bahamut", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 3 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1286 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63805d4ba27036d1cef7e359", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity", "description": "", "modified": "2022-11-25T06:14:35.655000", "created": "2022-11-25T06:14:35.655000", "tags": [], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "638049029d7ee65958dbe1f2", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 3 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "1286 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "638049029d7ee65958dbe1f2", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity", "description": "", "modified": "2022-11-25T04:48:02.905000", "created": "2022-11-25T04:48:02.905000", "tags": [], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "637f72521f0b41ad3bf79630", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 3 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "1286 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "637f72e5a1feb28bb8199336", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity", "description": "ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut cybermercenary group, which they believe is a well-established and highly targeted cyber-espionage group.", "modified": "2022-11-24T13:34:29.051000", "created": "2022-11-24T13:34:29.051000", "tags": [ "APT", "Bahamut" ], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Bahamut", "display_name": "Bahamut", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sunqiang", "id": "57272", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_57272/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1287 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62075745be5c9f4a70cef37d", "name": "NewDom-5-20220212", "description": "ICANN-Dom", "modified": "2022-03-29T00:03:34.773000", "created": "2022-02-12T06:44:21.020000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1527 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6204bace8fcf173102b35e31", "name": "NewDom-5-20220210", "description": "ICANN-Dom", "modified": "2022-03-27T00:00:39.057000", "created": "2022-02-10T07:12:14.031000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 203, "modified_text": "1529 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "620371930ae3d919c628dd06", "name": "NewDom-5-20220209", "description": "ICANN-Dom", "modified": "2022-03-26T00:05:56.150000", "created": "2022-02-09T07:47:31.284000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "620226ca58c690936df7cf55", "name": "NewDom-5-20220208", "description": "ICANN-Dom", "modified": "2022-03-25T00:03:52.440000", "created": "2022-02-08T08:16:10.069000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1531 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "62013ba4b1f8f0acd5ecb005", "name": "NewDom-5-20220207", "description": "ICANN-Dom", "modified": "2022-03-24T00:00:00.271000", "created": "2022-02-07T15:32:52.388000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1532 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "61fcf7a4a18b40cc3cb9f1ae", "name": "NewDom-5-20220204", "description": "ICANN-Dom", "modified": "2022-03-21T00:02:26.523000", "created": "2022-02-04T09:53:40.645000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1535 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "61fb94e0e9045bd4540a0be2", "name": "NewDom-5-20220203", "description": "ICANN-Dom", "modified": "2022-03-20T00:00:30.992000", "created": "2022-02-03T08:40:00.205000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1536 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "61fa9181a206d7fe64d91f4c", "name": "NewDom-5-20220202", "description": "ICANN-Dom", "modified": "2022-03-19T00:01:05.858000", "created": "2022-02-02T14:13:21.483000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1537 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "61f78ec58e863182c6f9c384", "name": "NewDom-5-20220131", "description": "ICANN-Dom", "modified": "2022-03-17T00:01:08.614000", "created": "2022-01-31T07:24:53.204000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1539 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "November 25th, 2022 - CryptoGen Cyber Threat Intelligence - Bahamut APT group uses fake VPN apps to target android users.pdf", "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "related": { "alienvault": { "adversary": [ "Bahamut" ], "malware_families": [ "Bahamut spyware" ], "industries": [] }, "other": { "adversary": [ "Bahamut" ], "malware_families": [ "Securevpn", "Messages bahamut", "Bahamut", "Discovery bahamut", "Protocols bahamut", "Scripts bahamut", "Data bahamut", "Keylogging bahamut", "Securechat", "Tracking bahamut", "List bahamut", "Channel bahamut", "Capture bahamut" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "63809fb03dacd453ae69d37b", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps", "description": "ESET researchers have identified an active campaign by the Bahamut cybermercenary group, which targets Android users with fake VPN apps, and can extract sensitive data from their victims\u2019 messaging apps.", "modified": "2022-11-25T10:57:51.711000", "created": "2022-11-25T10:57:51.711000", "tags": [ "bahamut", "apt", "android" ], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "Bahamut", "targeted_countries": [], "malware_families": [ { "id": "Bahamut Spyware", "display_name": "Bahamut Spyware", "target": null } ], "attack_ids": [ { "id": "T1398", "name": "Modify OS Kernel or Boot Partition", "display_name": "T1398 - Modify OS Kernel or Boot Partition" }, { "id": "T1420", "name": "File and Directory Discovery", "display_name": "T1420 - File and Directory Discovery" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1417", "name": "Input Capture", "display_name": "T1417 - Input Capture" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1532", "name": "Data Encrypted", "display_name": "T1532 - Data Encrypted" }, { "id": "T1437", "name": "Standard Application Layer Protocol", "display_name": "T1437 - Standard Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 426, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 387190, "modified_text": "1286 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "637f72e49231d447f2f11b91", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity", "description": "ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut cybermercenary group, which they believe is a well-established and highly targeted cyber-espionage group.", "modified": "2022-12-01T03:03:45.314000", "created": "2022-11-24T13:34:28.527000", "tags": [ "APT", "Bahamut" ], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Bahamut", "display_name": "Bahamut", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sunqiang", "id": "57272", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_57272/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1280 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "637f72521f0b41ad3bf79630", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity", "description": "ESET researchers have identified an active campaign targeting Android users with fake VPN apps, conducted by the Bahamut cybermercenary group, which is believed to be operating in the Middle East and South Asia.", "modified": "2022-12-01T02:58:16.389000", "created": "2022-11-24T13:32:02.698000", "tags": [], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sunqiang", "id": "57272", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_57272/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 3 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1280 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6380f229bde8988c74e09554", "name": "Bahamut APT group uses fake VPN apps to target android users", "description": "", "modified": "2022-11-25T16:49:45.145000", "created": "2022-11-25T16:49:45.145000", "tags": [], "references": [ "November 25th, 2022 - CryptoGen Cyber Threat Intelligence - Bahamut APT group uses fake VPN apps to target android users.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "1286 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6380ab76ce2b465a1d0c2f0c", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity", "description": "ESET researchers have identified an active campaign by the Bahamut cybermercenary group, which targets Android users with fake VPN apps, and can extract sensitive data from their victims\u2019 messaging apps.", "modified": "2022-11-25T11:48:06.684000", "created": "2022-11-25T11:48:06.684000", "tags": [ "bahamut", "discovery bahamut", "securechat", "securevpn", "scripts bahamut", "keylogging bahamut", "tracking bahamut", "capture bahamut", "data bahamut", "list bahamut", "messages bahamut", "protocols bahamut", "channel bahamut", "bahamut spyware", "figure", "c server", "openvpn", "fake securevpn", "google play", "softvpn", "securevpn app", "viber", "android", "borges", "hunter", "twitter", "chat", "lazarus" ], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "Bahamut", "targeted_countries": [], "malware_families": [ { "id": "Channel Bahamut", "display_name": "Channel Bahamut", "target": null }, { "id": "Protocols Bahamut", "display_name": "Protocols Bahamut", "target": null }, { "id": "Messages Bahamut", "display_name": "Messages Bahamut", "target": null }, { "id": "List Bahamut", "display_name": "List Bahamut", "target": null }, { "id": "Data Bahamut", "display_name": "Data Bahamut", "target": null }, { "id": "Capture Bahamut", "display_name": "Capture Bahamut", "target": null }, { "id": "Tracking Bahamut", "display_name": "Tracking Bahamut", "target": null }, { "id": "Keylogging Bahamut", "display_name": "Keylogging Bahamut", "target": null }, { "id": "Scripts Bahamut", "display_name": "Scripts Bahamut", "target": null }, { "id": "SecureVPN", "display_name": "SecureVPN", "target": null }, { "id": "SecureChat", "display_name": "SecureChat", "target": null }, { "id": "Discovery Bahamut", "display_name": "Discovery Bahamut", "target": null }, { "id": "Bahamut", "display_name": "Bahamut", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 3 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1286 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63805d4ba27036d1cef7e359", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity", "description": "", "modified": "2022-11-25T06:14:35.655000", "created": "2022-11-25T06:14:35.655000", "tags": [], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "638049029d7ee65958dbe1f2", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 3 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "1286 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "638049029d7ee65958dbe1f2", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity", "description": "", "modified": "2022-11-25T04:48:02.905000", "created": "2022-11-25T04:48:02.905000", "tags": [], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "637f72521f0b41ad3bf79630", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 3 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "1286 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "637f72e5a1feb28bb8199336", "name": "Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity", "description": "ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut cybermercenary group, which they believe is a well-established and highly targeted cyber-espionage group.", "modified": "2022-11-24T13:34:29.051000", "created": "2022-11-24T13:34:29.051000", "tags": [ "APT", "Bahamut" ], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Bahamut", "display_name": "Bahamut", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sunqiang", "id": "57272", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_57272/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1287 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62075745be5c9f4a70cef37d", "name": "NewDom-5-20220212", "description": "ICANN-Dom", "modified": "2022-03-29T00:03:34.773000", "created": "2022-02-12T06:44:21.020000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1527 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6204bace8fcf173102b35e31", "name": "NewDom-5-20220210", "description": "ICANN-Dom", "modified": "2022-03-27T00:00:39.057000", "created": "2022-02-10T07:12:14.031000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 203, "modified_text": "1529 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "thesecurevpn.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "thesecurevpn.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780524759.835757 }