{
  "type": "Domain",
  "indicator": "thirdmetrics.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/thirdmetrics.com",
    "alexa": "http://www.alexa.com/siteinfo/thirdmetrics.com",
    "indicator": "thirdmetrics.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4115752384,
      "indicator": "thirdmetrics.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "6a1ab6efb8f3c8da4f6b358c",
          "name": "GREYVIBE Threat Actor: TTPs, Malware, and Infrastructure Analysis.",
          "description": "GREYVIBE is a cyber threat actor identified by WithSecure, primarily targeting Ukraine and entities related to Ukraine since August 2025. The group's activities show significant overlaps in their attack infrastructure and operational methodologies, which indicate a persistent campaign aligned with Russian state interests, especially in the context of the Russia-Ukraine war. GREYVIBE's operations have been characterized by the use of various attack vectors, including spear-phishing emails, fake captcha pages, and fraudulent websites impersonating Ukrainian organizations. These methods have facilitated the distribution of malware, predominantly custom-developed variants like PhantomRelay, FallSpy, and LegionRelay.",
          "modified": "2026-05-30T10:12:00.827000",
          "created": "2026-05-30T10:07:43.020000",
          "tags": [
            "research",
            "whitepaper",
            "mohammad kazem hassan nejad",
            "2026",
            "powershell",
            "fallspy",
            "legionrelay",
            "lookvalps",
            "lookvaljs",
            "javascript",
            "daylight",
            "teasoup",
            "android spyware",
            "august",
            "telegram",
            "dronelink",
            "princessclub",
            "phantomrelayv1",
            "greyvibe",
            "domain name",
            "phantommail",
            "sha256",
            "domain",
            "development",
            "phantomclick",
            "club site",
            "teams",
            "kongtuke",
            "april",
            "nsis",
            "service",
            "impacket"
          ],
          "references": [
            "https://labs.withsecure.com/publications/greyvibe"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "LegionRelay",
              "display_name": "LegionRelay",
              "target": null
            },
            {
              "id": "DroneLink",
              "display_name": "DroneLink",
              "target": null
            },
            {
              "id": "PrincessClub",
              "display_name": "PrincessClub",
              "target": null
            },
            {
              "id": "PhantomRelayV1",
              "display_name": "PhantomRelayV1",
              "target": null
            },
            {
              "id": "LOOKVALJS",
              "display_name": "LOOKVALJS",
              "target": null
            },
            {
              "id": "GREYVIBE",
              "display_name": "GREYVIBE",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            }
          ],
          "industries": [
            "Military",
            "Government",
            "Energy"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 55,
            "FileHash-MD5": 14,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 67,
            "IPv4": 9,
            "URL": 3,
            "hostname": 4
          },
          "indicator_count": 165,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "1 day ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68946f6c9c13a846275a46ef",
          "name": "Help Desk Impersonation Over Teams",
          "description": "IOCs relating to an incident where the attacker attempts to gain access to a user's workstation through a social engineering attack, impersonating IT support over Microsoft Teams and initiating a remote session via Quick Assist. \n\nOnce connected, they use PowerShell to execute a memory-resident implant that established encrypted outbound communication with a command-and-control (C2) server. The attacker staged and exfiltrated host profiling data and set up a modular execution environment, allowing dynamic tasking from their C2 infrastructure. \n\nThe attack was contained to a single host, with no evidence of persistence or lateral movement at this stage. The actor demonstrated a reasonable level of sophistication and operational security, consistent with current tactics used by access brokers or ransomware gangs in the early stages of financially-motivated criminal attacks.",
          "modified": "2025-09-06T09:02:46.990000",
          "created": "2025-08-07T09:18:36.765000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1055.012",
              "name": "Process Hollowing",
              "display_name": "T1055.012 - Process Hollowing"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "TA0001",
              "name": "Initial Access",
              "display_name": "TA0001 - Initial Access"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            }
          ],
          "industries": [
            "Construction"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "protossoc",
            "id": "117618",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_117618/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "email": 1,
            "URL": 1
          },
          "indicator_count": 3,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "267 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://labs.withsecure.com/publications/greyvibe"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Greyvibe",
            "Lookvaljs",
            "Dronelink",
            "Legionrelay",
            "Princessclub",
            "Phantomrelayv1"
          ],
          "industries": [
            "Government",
            "Military",
            "Construction",
            "Energy"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "6a1ab6efb8f3c8da4f6b358c",
      "name": "GREYVIBE Threat Actor: TTPs, Malware, and Infrastructure Analysis.",
      "description": "GREYVIBE is a cyber threat actor identified by WithSecure, primarily targeting Ukraine and entities related to Ukraine since August 2025. The group's activities show significant overlaps in their attack infrastructure and operational methodologies, which indicate a persistent campaign aligned with Russian state interests, especially in the context of the Russia-Ukraine war. GREYVIBE's operations have been characterized by the use of various attack vectors, including spear-phishing emails, fake captcha pages, and fraudulent websites impersonating Ukrainian organizations. These methods have facilitated the distribution of malware, predominantly custom-developed variants like PhantomRelay, FallSpy, and LegionRelay.",
      "modified": "2026-05-30T10:12:00.827000",
      "created": "2026-05-30T10:07:43.020000",
      "tags": [
        "research",
        "whitepaper",
        "mohammad kazem hassan nejad",
        "2026",
        "powershell",
        "fallspy",
        "legionrelay",
        "lookvalps",
        "lookvaljs",
        "javascript",
        "daylight",
        "teasoup",
        "android spyware",
        "august",
        "telegram",
        "dronelink",
        "princessclub",
        "phantomrelayv1",
        "greyvibe",
        "domain name",
        "phantommail",
        "sha256",
        "domain",
        "development",
        "phantomclick",
        "club site",
        "teams",
        "kongtuke",
        "april",
        "nsis",
        "service",
        "impacket"
      ],
      "references": [
        "https://labs.withsecure.com/publications/greyvibe"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "LegionRelay",
          "display_name": "LegionRelay",
          "target": null
        },
        {
          "id": "DroneLink",
          "display_name": "DroneLink",
          "target": null
        },
        {
          "id": "PrincessClub",
          "display_name": "PrincessClub",
          "target": null
        },
        {
          "id": "PhantomRelayV1",
          "display_name": "PhantomRelayV1",
          "target": null
        },
        {
          "id": "LOOKVALJS",
          "display_name": "LOOKVALJS",
          "target": null
        },
        {
          "id": "GREYVIBE",
          "display_name": "GREYVIBE",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        }
      ],
      "industries": [
        "Military",
        "Government",
        "Energy"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 55,
        "FileHash-MD5": 14,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 67,
        "IPv4": 9,
        "URL": 3,
        "hostname": 4
      },
      "indicator_count": 165,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "1 day ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68946f6c9c13a846275a46ef",
      "name": "Help Desk Impersonation Over Teams",
      "description": "IOCs relating to an incident where the attacker attempts to gain access to a user's workstation through a social engineering attack, impersonating IT support over Microsoft Teams and initiating a remote session via Quick Assist. \n\nOnce connected, they use PowerShell to execute a memory-resident implant that established encrypted outbound communication with a command-and-control (C2) server. The attacker staged and exfiltrated host profiling data and set up a modular execution environment, allowing dynamic tasking from their C2 infrastructure. \n\nThe attack was contained to a single host, with no evidence of persistence or lateral movement at this stage. The actor demonstrated a reasonable level of sophistication and operational security, consistent with current tactics used by access brokers or ransomware gangs in the early stages of financially-motivated criminal attacks.",
      "modified": "2025-09-06T09:02:46.990000",
      "created": "2025-08-07T09:18:36.765000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1055.012",
          "name": "Process Hollowing",
          "display_name": "T1055.012 - Process Hollowing"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "TA0001",
          "name": "Initial Access",
          "display_name": "TA0001 - Initial Access"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        }
      ],
      "industries": [
        "Construction"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "protossoc",
        "id": "117618",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_117618/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1,
        "email": 1,
        "URL": 1
      },
      "indicator_count": 3,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "267 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "thirdmetrics.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "thirdmetrics.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780293718.11773
}