{ "type": "Domain", "indicator": "timetrakr.cloud", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/timetrakr.cloud", "alexa": "http://www.alexa.com/siteinfo/timetrakr.cloud", "indicator": "timetrakr.cloud", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4355605431, "indicator": "timetrakr.cloud", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6a033220a0063c7c2a4f1d8f", "name": "Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign", "description": "Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers utilized DLL sideloading techniques with legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and employed multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data exfiltration was conducted through public file-transfer service sendit.sh to blend malicious traffic with legitimate cloud services. The campaign demonstrates Seedworm's evolved tradecraft and expanded targeting beyond traditional Middle Eastern focus areas.", "modified": "2026-05-12T16:42:48.058000", "created": "2026-05-12T13:58:56.758000", "tags": [ "iran", "espionage", "mois", "credential-theft", "dll-sideloading", "muddywater", "chromelevator", "seedworm" ], "references": [ "https://www.security.com/threat-intelligence/iran-seedworm-electronics" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "Argentina", "Bahrain", "Brazil", "Chile", "Colombia", "Indonesia", "Kuwait", "Malaysia", "Mexico", "Oman", "Philippines", "Qatar", "Saudi Arabia", "Singapore", "Thailand", "United Arab Emirates" ], "malware_families": [ { "id": "ChromElevator", "display_name": "ChromElevator", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Manufacturing", "Electronics", "Government", "Transportation", "Finance", "Education", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 9, "URL": 2, "domain": 1, "hostname": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386462, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552237, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c081afa2bd54a9599b7c07", "name": "PhishDestroy \u2014 Active Phishing & Crypto Scam Domains", "description": "Real-time feed of phishing, crypto drainer, and scam domains detected by PhishDestroy (phishdestroy.io). Updated hourly. 108K+ domains tracked, 55K+ currently active. Source: github.com/phishdestroy/destroylist", "modified": "2026-05-24T00:00:03.049000", "created": "2026-03-22T23:56:29.438000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phishdestroy", "id": "348394", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 93266, "hostname": 57600 }, "indicator_count": 150866, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a10c2349f66a6cd67167619", "name": "Blackfile\u2019s Cloud Extortion Operations Targets Organizations", "description": "Blackfile, officially tracked as UNC6671 by Google Threat Intelligence Group, terrorized global corporate cloud environments. The threat actor leveraged human engineering and technical exploitation to compromise over a dozen companies. UNC6671\u2019s threat model exposes a serious gap in security within corporate\u2019s still relying on legacy MFA and weak cloud access monitoring", "modified": "2026-05-22T20:53:08.892000", "created": "2026-05-22T20:53:08.892000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "hostname": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0954ff8b83b84d3ddeba4f", "name": "Seedworm Launches Global Espionage Campaign Abusing Signed Binaries and Node.js Orchestration", "description": "", "modified": "2026-05-17T05:41:19.930000", "created": "2026-05-17T05:41:19.930000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a051965374218e257ada3b3", "name": "Twitter Feed - 500mk500 - 13-05-2026", "description": "", "modified": "2026-05-14T00:37:57.486000", "created": "2026-05-14T00:37:57.486000", "tags": [ "APT" ], "references": [ "https://x.com/500mk500/status/2054642760339112203" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "hostname": 1, "domain": 2 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0408708f3b49cc2cf1627a", "name": "Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign", "description": "", "modified": "2026-05-13T05:13:20.548000", "created": "2026-05-13T05:13:20.548000", "tags": [ "iran", "espionage", "mois", "credential-theft", "dll-sideloading", "muddywater", "chromelevator", "seedworm" ], "references": [ "https://www.security.com/threat-intelligence/iran-seedworm-electronics" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "Argentina", "Bahrain", "Brazil", "Chile", "Colombia", "Indonesia", "Kuwait", "Malaysia", "Mexico", "Oman", "Philippines", "Qatar", "Saudi Arabia", "Singapore", "Thailand", "United Arab Emirates" ], "malware_families": [ { "id": "ChromElevator", "display_name": "ChromElevator", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Manufacturing", "Electronics", "Government", "Transportation", "Finance", "Education", "Technology" ], "TLP": "white", "cloned_from": "6a033220a0063c7c2a4f1d8f", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 9, "URL": 2, "domain": 1, "hostname": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03d7ad92e2dcaf81f97e0c", "name": "IOC - Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign", "description": "Iran-linked attackers spent a week inside the network of a major South Korean electronics manufacturer in February 2026, as part of a sprawling early-year espionage campaign affecting at least nine organizations across four continents. Other targets included government agencies and an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial-services provider, and educational institutions in multiple countries.", "modified": "2026-05-13T01:45:17.151000", "created": "2026-05-13T01:45:17.151000", "tags": [ "privilege", "credential", "socks5 proxy", "network iocs" ], "references": [ "https://www.security.com/threat-intelligence/iran-seedworm-electronics" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 9, "URL": 4, "domain": 1, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs-MAY2.csv", "IOCs.csv", "https://x.com/500mk500/status/2054642760339112203", "https://www.security.com/threat-intelligence/iran-seedworm-electronics" ], "related": { "alienvault": { "adversary": [ "MuddyWater" ], "malware_families": [ "Chromelevator" ], "industries": [ "Finance", "Government", "Technology", "Electronics", "Education", "Transportation", "Manufacturing" ] }, "other": { "adversary": [ "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "MuddyWater" ], "malware_families": [ "Chromelevator" ], "industries": [ "Finance", "Government", "Technology", "Electronics", "Education", "Transportation", "Manufacturing" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6a033220a0063c7c2a4f1d8f", "name": "Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign", "description": "Iranian state-sponsored threat group Seedworm conducted a widespread espionage campaign in early 2026, compromising at least nine organizations across nine countries on four continents. Victims included a major South Korean electronics manufacturer, government agencies, an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions. The attackers utilized DLL sideloading techniques with legitimately signed Fortemedia and SentinelOne binaries to execute malicious payloads, deployed Node.js-based implants for orchestration, and employed multiple PowerShell scripts for reconnaissance, credential theft, and privilege escalation. Data exfiltration was conducted through public file-transfer service sendit.sh to blend malicious traffic with legitimate cloud services. The campaign demonstrates Seedworm's evolved tradecraft and expanded targeting beyond traditional Middle Eastern focus areas.", "modified": "2026-05-12T16:42:48.058000", "created": "2026-05-12T13:58:56.758000", "tags": [ "iran", "espionage", "mois", "credential-theft", "dll-sideloading", "muddywater", "chromelevator", "seedworm" ], "references": [ "https://www.security.com/threat-intelligence/iran-seedworm-electronics" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "Argentina", "Bahrain", "Brazil", "Chile", "Colombia", "Indonesia", "Kuwait", "Malaysia", "Mexico", "Oman", "Philippines", "Qatar", "Saudi Arabia", "Singapore", "Thailand", "United Arab Emirates" ], "malware_families": [ { "id": "ChromElevator", "display_name": "ChromElevator", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Manufacturing", "Electronics", "Government", "Transportation", "Finance", "Education", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 9, "URL": 2, "domain": 1, "hostname": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386462, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552237, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c081afa2bd54a9599b7c07", "name": "PhishDestroy \u2014 Active Phishing & Crypto Scam Domains", "description": "Real-time feed of phishing, crypto drainer, and scam domains detected by PhishDestroy (phishdestroy.io). Updated hourly. 108K+ domains tracked, 55K+ currently active. Source: github.com/phishdestroy/destroylist", "modified": "2026-05-24T00:00:03.049000", "created": "2026-03-22T23:56:29.438000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phishdestroy", "id": "348394", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 93266, "hostname": 57600 }, "indicator_count": 150866, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a10c2349f66a6cd67167619", "name": "Blackfile\u2019s Cloud Extortion Operations Targets Organizations", "description": "Blackfile, officially tracked as UNC6671 by Google Threat Intelligence Group, terrorized global corporate cloud environments. The threat actor leveraged human engineering and technical exploitation to compromise over a dozen companies. UNC6671\u2019s threat model exposes a serious gap in security within corporate\u2019s still relying on legacy MFA and weak cloud access monitoring", "modified": "2026-05-22T20:53:08.892000", "created": "2026-05-22T20:53:08.892000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "hostname": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0954ff8b83b84d3ddeba4f", "name": "Seedworm Launches Global Espionage Campaign Abusing Signed Binaries and Node.js Orchestration", "description": "", "modified": "2026-05-17T05:41:19.930000", "created": "2026-05-17T05:41:19.930000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a051965374218e257ada3b3", "name": "Twitter Feed - 500mk500 - 13-05-2026", "description": "", "modified": "2026-05-14T00:37:57.486000", "created": "2026-05-14T00:37:57.486000", "tags": [ "APT" ], "references": [ "https://x.com/500mk500/status/2054642760339112203" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "hostname": 1, "domain": 2 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0408708f3b49cc2cf1627a", "name": "Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign", "description": "", "modified": "2026-05-13T05:13:20.548000", "created": "2026-05-13T05:13:20.548000", "tags": [ "iran", "espionage", "mois", "credential-theft", "dll-sideloading", "muddywater", "chromelevator", "seedworm" ], "references": [ "https://www.security.com/threat-intelligence/iran-seedworm-electronics" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "Argentina", "Bahrain", "Brazil", "Chile", "Colombia", "Indonesia", "Kuwait", "Malaysia", "Mexico", "Oman", "Philippines", "Qatar", "Saudi Arabia", "Singapore", "Thailand", "United Arab Emirates" ], "malware_families": [ { "id": "ChromElevator", "display_name": "ChromElevator", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Manufacturing", "Electronics", "Government", "Transportation", "Finance", "Education", "Technology" ], "TLP": "white", "cloned_from": "6a033220a0063c7c2a4f1d8f", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 9, "URL": 2, "domain": 1, "hostname": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03d7ad92e2dcaf81f97e0c", "name": "IOC - Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign", "description": "Iran-linked attackers spent a week inside the network of a major South Korean electronics manufacturer in February 2026, as part of a sprawling early-year espionage campaign affecting at least nine organizations across four continents. Other targets included government agencies and an international airport in the Middle East, Southeast Asian industrial manufacturers, a Latin American financial-services provider, and educational institutions in multiple countries.", "modified": "2026-05-13T01:45:17.151000", "created": "2026-05-13T01:45:17.151000", "tags": [ "privilege", "credential", "socks5 proxy", "network iocs" ], "references": [ "https://www.security.com/threat-intelligence/iran-seedworm-electronics" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 9, "URL": 4, "domain": 1, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "timetrakr.cloud", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "timetrakr.cloud", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780185479.3475811 }