{
  "type": "Domain",
  "indicator": "thriddata.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/thriddata.com",
    "alexa": "http://www.alexa.com/siteinfo/thriddata.com",
    "indicator": "thriddata.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4333690950,
      "indicator": "thriddata.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "6a066c749aa35a9b1f0af246",
          "name": "Decryption Digest Threat Intelligence",
          "description": "Curated IOC feed from Decryption Digest (decryptiondigest.com) \u2014 practitioner-level cybersecurity threat intelligence covering malware, ransomware, phishing, and advanced persistent threats.",
          "modified": "2026-05-30T12:20:13.434000",
          "created": "2026-05-15T00:44:34.237000",
          "tags": [
            "BlueNoroff",
            "APT",
            "DPRK",
            "c2",
            "credential-stealer",
            "ShinyHunters",
            "UNC6661",
            "data-extortion",
            "vishing",
            "data-exfiltration",
            "AI phishing",
            "ValleyRAT",
            "Silver Fox",
            "UTG-Q-1000",
            "ABCDoor",
            "China APT",
            "tax phishing",
            "Okta credential theft",
            "SaaS extortion",
            "UNC6671",
            "SSO phishing",
            "marimo RCE",
            "AWS credential replay",
            "autonomous attack",
            "CVE-2026-39987",
            "LLM agent",
            "post-exploitation",
            "Cloudflare Workers egress",
            "lateral movement"
          ],
          "references": [
            "https://www.decryptiondigest.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "thebangster",
            "id": "405150",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 36,
            "domain": 18,
            "hostname": 9,
            "FileHash-SHA256": 17
          },
          "indicator_count": 80,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 2,
          "modified_text": "9 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f33e7bd3afa0cf45245a5c",
          "name": "BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector",
          "description": "BlueNoroff, a financially motivated subgroup of North Korea's Lazarus Group, recently executed a series of sophisticated cyberattacks targeting the Web3/cryptocurrency sector. These attacks utilized innovative techniques including fileless PowerShell methods and social engineering tactics such as impersonating respected individuals in the fintech space to deliver manipulated invites for fake Zoom meetings.",
          "modified": "2026-05-30T11:33:05.564000",
          "created": "2026-04-30T11:35:23.992000",
          "tags": [
            "bluenoroff",
            "zoom",
            "arctic wolf",
            "temp",
            "teams",
            "telegram",
            "january",
            "kaspersky",
            "web3",
            "ai generation",
            "wolf",
            "click",
            "screencapture",
            "february",
            "screen",
            "media",
            "powershell",
            "friday",
            "theft",
            "path",
            "june",
            "cageychameleon",
            "crypto",
            "face",
            "king",
            "beyond",
            "copy",
            "payload",
            "stages",
            "download",
            "implant",
            "arch",
            "target",
            "persistence",
            "capture",
            "verify",
            "virustotal",
            "arctic",
            "inside",
            "lazarus",
            "windows clickfix",
            "aes-256-cbc",
            "http",
            "huntress",
            "json"
          ],
          "references": [
            "https://arcticwolf.com/resources/blog-uk/bluenoroff-uses-clickfix-fileless-powershell-ai-generated-fake-zoom-meetings-to-target-web3-sector/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Media",
            "Cryptocurrency",
            "Finance",
            "Investment",
            "Financial",
            "Crypto",
            "Journalists",
            "Social Engineering"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 3,
            "FileHash-SHA256": 6,
            "URL": 10,
            "domain": 12,
            "hostname": 11
          },
          "indicator_count": 42,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "9 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f32d843b6570c22f6059eb",
          "name": "EbeeApril2026 Pt8",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-30T10:03:42.474000",
          "created": "2026-04-30T10:23:00.416000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "yara",
            "filepath",
            "cve20221388 url",
            "cve20151770 cve",
            "client"
          ],
          "references": [
            "IOCs.2026.csv"
          ],
          "public": 1,
          "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 95,
            "FileHash-MD5": 163,
            "FileHash-SHA1": 147,
            "FileHash-SHA256": 290,
            "CIDR": 1,
            "CVE": 12,
            "SSLCertFingerprint": 1,
            "domain": 90,
            "email": 2,
            "hostname": 116
          },
          "indicator_count": 917,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "11 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f2c4f766f380604aeef43d",
          "name": "IOC - BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector",
          "description": "Arctic Wolf has identified a targeted intrusion against a North American Web3/cryptocurrency company, which we attribute with a high confidence level to BlueNoroff, a financially motivated subgroup of DPRK\u2019s Lazarus Group.",
          "modified": "2026-05-30T02:01:40.425000",
          "created": "2026-04-30T02:56:55.542000",
          "tags": [
            "sha256",
            "uri path",
            "stage",
            "post",
            "telegram bot",
            "chat id",
            "runtimecompiled",
            "domain phishing",
            "payload",
            "url full",
            "zoom typosquat",
            "powershell",
            "browser",
            "aes payload",
            "screenshots",
            "c2 beacon"
          ],
          "references": [
            "https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 19,
            "domain": 11,
            "hostname": 9,
            "URL": 7
          },
          "indicator_count": 46,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "19 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f1d32e6b8143fd0e42df04",
          "name": "BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector - Arctic Wolf",
          "description": "What do you need to know about security operations and response to cyber attacks and breaches at a global scale, and how can you get them back on track in less than a week?",
          "modified": "2026-05-29T09:15:14.868000",
          "created": "2026-04-29T09:45:18.804000",
          "tags": [],
          "references": [
            "https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland",
            "Hong Kong",
            "Korea, Democratic People's Republic of"
          ],
          "malware_families": [
            {
              "id": "Windows ClickFix",
              "display_name": "Windows ClickFix",
              "target": null
            },
            {
              "id": "AES-256-CBC",
              "display_name": "AES-256-CBC",
              "target": null
            },
            {
              "id": "HTTP",
              "display_name": "HTTP",
              "target": null
            },
            {
              "id": "Huntress",
              "display_name": "Huntress",
              "target": null
            },
            {
              "id": "JSON",
              "display_name": "JSON",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Media",
            "Cryptocurrency",
            "Finance",
            "Investment",
            "Financial",
            "Crypto",
            "Journalists",
            "Social Engineering"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 3,
            "FileHash-SHA256": 6,
            "URL": 10,
            "domain": 12,
            "hostname": 11
          },
          "indicator_count": 42,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.decryptiondigest.com",
        "https://arcticwolf.com/resources/blog-uk/bluenoroff-uses-clickfix-fileless-powershell-ai-generated-fake-zoom-meetings-to-target-web3-sector/",
        "https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/",
        "IOCs.2026.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Lazarus",
            "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar"
          ],
          "malware_families": [
            "Huntress",
            "Windows clickfix",
            "Aes-256-cbc",
            "Http",
            "Json"
          ],
          "industries": [
            "Journalists",
            "Finance",
            "Social engineering",
            "Investment",
            "Cryptocurrency",
            "Financial",
            "Media",
            "Crypto"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "6a066c749aa35a9b1f0af246",
      "name": "Decryption Digest Threat Intelligence",
      "description": "Curated IOC feed from Decryption Digest (decryptiondigest.com) \u2014 practitioner-level cybersecurity threat intelligence covering malware, ransomware, phishing, and advanced persistent threats.",
      "modified": "2026-05-30T12:20:13.434000",
      "created": "2026-05-15T00:44:34.237000",
      "tags": [
        "BlueNoroff",
        "APT",
        "DPRK",
        "c2",
        "credential-stealer",
        "ShinyHunters",
        "UNC6661",
        "data-extortion",
        "vishing",
        "data-exfiltration",
        "AI phishing",
        "ValleyRAT",
        "Silver Fox",
        "UTG-Q-1000",
        "ABCDoor",
        "China APT",
        "tax phishing",
        "Okta credential theft",
        "SaaS extortion",
        "UNC6671",
        "SSO phishing",
        "marimo RCE",
        "AWS credential replay",
        "autonomous attack",
        "CVE-2026-39987",
        "LLM agent",
        "post-exploitation",
        "Cloudflare Workers egress",
        "lateral movement"
      ],
      "references": [
        "https://www.decryptiondigest.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "thebangster",
        "id": "405150",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 36,
        "domain": 18,
        "hostname": 9,
        "FileHash-SHA256": 17
      },
      "indicator_count": 80,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 2,
      "modified_text": "9 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f33e7bd3afa0cf45245a5c",
      "name": "BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector",
      "description": "BlueNoroff, a financially motivated subgroup of North Korea's Lazarus Group, recently executed a series of sophisticated cyberattacks targeting the Web3/cryptocurrency sector. These attacks utilized innovative techniques including fileless PowerShell methods and social engineering tactics such as impersonating respected individuals in the fintech space to deliver manipulated invites for fake Zoom meetings.",
      "modified": "2026-05-30T11:33:05.564000",
      "created": "2026-04-30T11:35:23.992000",
      "tags": [
        "bluenoroff",
        "zoom",
        "arctic wolf",
        "temp",
        "teams",
        "telegram",
        "january",
        "kaspersky",
        "web3",
        "ai generation",
        "wolf",
        "click",
        "screencapture",
        "february",
        "screen",
        "media",
        "powershell",
        "friday",
        "theft",
        "path",
        "june",
        "cageychameleon",
        "crypto",
        "face",
        "king",
        "beyond",
        "copy",
        "payload",
        "stages",
        "download",
        "implant",
        "arch",
        "target",
        "persistence",
        "capture",
        "verify",
        "virustotal",
        "arctic",
        "inside",
        "lazarus",
        "windows clickfix",
        "aes-256-cbc",
        "http",
        "huntress",
        "json"
      ],
      "references": [
        "https://arcticwolf.com/resources/blog-uk/bluenoroff-uses-clickfix-fileless-powershell-ai-generated-fake-zoom-meetings-to-target-web3-sector/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Media",
        "Cryptocurrency",
        "Finance",
        "Investment",
        "Financial",
        "Crypto",
        "Journalists",
        "Social Engineering"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 3,
        "FileHash-SHA256": 6,
        "URL": 10,
        "domain": 12,
        "hostname": 11
      },
      "indicator_count": 42,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "9 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f32d843b6570c22f6059eb",
      "name": "EbeeApril2026 Pt8",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-30T10:03:42.474000",
      "created": "2026-04-30T10:23:00.416000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "yara",
        "filepath",
        "cve20221388 url",
        "cve20151770 cve",
        "client"
      ],
      "references": [
        "IOCs.2026.csv"
      ],
      "public": 1,
      "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 95,
        "FileHash-MD5": 163,
        "FileHash-SHA1": 147,
        "FileHash-SHA256": 290,
        "CIDR": 1,
        "CVE": 12,
        "SSLCertFingerprint": 1,
        "domain": 90,
        "email": 2,
        "hostname": 116
      },
      "indicator_count": 917,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "11 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f2c4f766f380604aeef43d",
      "name": "IOC - BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector",
      "description": "Arctic Wolf has identified a targeted intrusion against a North American Web3/cryptocurrency company, which we attribute with a high confidence level to BlueNoroff, a financially motivated subgroup of DPRK\u2019s Lazarus Group.",
      "modified": "2026-05-30T02:01:40.425000",
      "created": "2026-04-30T02:56:55.542000",
      "tags": [
        "sha256",
        "uri path",
        "stage",
        "post",
        "telegram bot",
        "chat id",
        "runtimecompiled",
        "domain phishing",
        "payload",
        "url full",
        "zoom typosquat",
        "powershell",
        "browser",
        "aes payload",
        "screenshots",
        "c2 beacon"
      ],
      "references": [
        "https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 19,
        "domain": 11,
        "hostname": 9,
        "URL": 7
      },
      "indicator_count": 46,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "19 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f1d32e6b8143fd0e42df04",
      "name": "BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector - Arctic Wolf",
      "description": "What do you need to know about security operations and response to cyber attacks and breaches at a global scale, and how can you get them back on track in less than a week?",
      "modified": "2026-05-29T09:15:14.868000",
      "created": "2026-04-29T09:45:18.804000",
      "tags": [],
      "references": [
        "https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [
        "United States of America",
        "United Kingdom of Great Britain and Northern Ireland",
        "Hong Kong",
        "Korea, Democratic People's Republic of"
      ],
      "malware_families": [
        {
          "id": "Windows ClickFix",
          "display_name": "Windows ClickFix",
          "target": null
        },
        {
          "id": "AES-256-CBC",
          "display_name": "AES-256-CBC",
          "target": null
        },
        {
          "id": "HTTP",
          "display_name": "HTTP",
          "target": null
        },
        {
          "id": "Huntress",
          "display_name": "Huntress",
          "target": null
        },
        {
          "id": "JSON",
          "display_name": "JSON",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Media",
        "Cryptocurrency",
        "Finance",
        "Investment",
        "Financial",
        "Crypto",
        "Journalists",
        "Social Engineering"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 3,
        "FileHash-SHA256": 6,
        "URL": 10,
        "domain": 12,
        "hostname": 11
      },
      "indicator_count": 42,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "thriddata.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "thriddata.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780176085.3394773
}