{ "type": "Domain", "indicator": "tmcampos.pt", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/tmcampos.pt", "alexa": "http://www.alexa.com/siteinfo/tmcampos.pt", "indicator": "tmcampos.pt", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4027372794, "indicator": "tmcampos.pt", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "678e2eb12be20d7d671e681f", "name": "The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads", "description": "Cybercriminals are targeting Google Ads advertisers through phishing campaigns, impersonating Google Ads via fraudulent ads. The scheme involves stealing advertiser accounts by redirecting victims to fake login pages, with the goal of reselling these accounts on blackhat forums. The operation uses compromised accounts to perpetuate the campaign, affecting thousands of Google customers worldwide. Victims include individuals and businesses looking to advertise on Google Search. The attacks involve sophisticated techniques, including the use of Google Sites for impersonation and phishing kits to collect user data. Two main groups have been identified: one based in Brazil and another in Asia, possibly China. The stolen accounts are valuable for further malvertising campaigns, scams, and malware distribution.", "modified": "2025-01-20T11:09:30.926000", "created": "2025-01-20T11:08:33.187000", "tags": [ "phishing", "advertising fraud", "malvertising" ], "references": [ "https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Paraguay", "Brazil", "Hong Kong", "China", "Taiwan" ], "malware_families": [], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Technology", "Advertising" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 15 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 386461, "modified_text": "495 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c0cdc35112c5919563a334", "name": "Intel is bad awy", "description": "", "modified": "2025-03-29T20:01:20.482000", "created": "2025-02-27T20:40:35.539000", "tags": [ "sign", "github", "find", "view", "search", "strong", "code issues", "pull", "breadcrumbs", "damn", "star", "footer", "sha1", "helldown linux", "iocs helldown", "windows payload", "icon", "darkrace", "donex", "ransom", "defanged file", "hashes", "ipv4", "sha256", "c2 ip", "address", "plugin", "brazanbamboo c2", "panel", "archive file", "bha006", "telegram bot", "token", "chat id", "sha256 hashes", "iocs", "intermediary", "landing", "aitm server", "compromise note", "hashes payload", "loader", "dropper", "ips https", "urls https", "duoyi", "ioc url", "ipv4 address", "c2 server", "sample sha256", "remcos", "decrypted", "urls http", "payload", "amos stealer", "stealc c2", "rhadamanthys c2", "phishing urls", "google meet", "amos steaker", "html payload", "stealc payload", "md5 hashes", "sha1 hashes", "iocs zip", "lnk file", "msi file", "payload url", "eldorado", "linux", "service dll", "cheat engine", "c2 domain", "compromise", "urls", "iocs files", "network ip", "domain", "malware hash", "noopldr type1", "noopldr type2", "download url", "email addresses", "block", "ioc http", "iocs hash", "url https", "ghostgambit", "hidden rootkit", "gh0strat", "mekotio banking", "financial", "latin america", "detected", "zipmsi", "downloader", "ip address", "cobalt strike", "first seen", "seen", "pantegana", "tls certificate", "fingerprint", "samples", "trojanspy", "msi", "subdomains", "reddit", "wetransfer", "ioc hash", "file hashes", "ip addresses", "fake captcha", "html", "hta script", "lumma payload", "filehashsha256", "indicator type", "sha256 lnk", "ports", "first stage", "md5 file", "domains", "reddelta c2", "servers", "octoberdecember", "shortcut", "files", "solo airfield", "quoc", "bctt", "kongtuke", "mintsloader c2", "js download", "c2 http", "boinc c2", "c2 address", "analyzed", "file name", "na stark", "na majestic", "description", "trojanized", "beavertail", "anydesk module", "domain hosting", "first", "details", "monitor", "sites", "fake chrome", "payload host", "c2 https", "examples", "atomic stealer", "c2 servers", "cthulhu stealer", "server http", "l files", "original", "iocs malicious", "mirrowsimps", "defanged", "strike loaders", "plugx", "plugx c2", "sspiuacbypass", "malware", "malware c2", "filehashmd5", "site", "orgvgodpayment", "quite solsjoas", "ioc sha256", "similar sha256", "http", "url hundreds", "url samples", "filehash", "guidloader", "finaldraft elf", "type name", "reference", "finaldraft", "sha256 pfman", "pathloader", "atomic https", "systembc", "ghostsocks", "invisibleferret", "vant", "rspackcore", "monero", "sha256 hash", "code snippets", "psexec", "ituneshelper", "pscp", "sftp", "googleupdate", "meshagent", "ultravnc", "file", "bootkitty iocs", "phpsert", "phpsert variant", "createdump tool", "visual studio", "code", "server", "sql injection", "studio code", "ssh access", "hta file", "vbshower c2", "powershower c2", "cloud", "hta md5", "domain name", "links", "c http", "horns", "version", "version b", "version c", "version d", "version e", "burnsrat c", "a http", "github users", "shell commands", "vssadmin delete", "userprofile", "public", "registry keys", "phobos", "lettointago", "carljohnson1948", "samuelwhite1821", "file hash", "lockbit", "indicatortype", "data", "mlpea", "w32neshtad", "gmer", "neshta", "opswat oesis", "v4 removal" ], "references": [ "Bootkitty", "Glove-Stealer", "Fake Discount Sites Exploit Black Friday", "Helldown Ransomware", "HawkEye Malware", "PXA Stealer", "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack", "BrazenBamboo", "SpyGlace", "RustyStealer and New Ymir Ransomware", "PyPI-AIOCPA", "Python NodeStealer", "romcom-exploits-firefox-and-windows", "Rockstar-Phishing", "Silent Skimmer Gets Loud (Again)", "SteelFox Trojan", "WezRat Malware", "Avast-Anti-Root-KIt", "Winos4.0 RAT", "APT36", "WolfsBane Backdoor", "APT-K-47", "Remcos RAT", "babbleloader", "Bitter APT", "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing", "CloudScout_ Evasive Panda scouting cloud services", "clickfix-tactic", "Akira Ransomware", "Bumblebee Malware", "ELDORADO RANSOMWARE", "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan", "Demodex rootkit", "BugSleep Malware", "HotPage.exe (malware)", "Qilin Ransomware", "NOOPDOOR Malware", "Shadowroot Ransomware", "play ransomware", "MALLOX RANSOMWARE", "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users", "ACR Stealer", "Suspicious Domains Exploiting the Recent CrowdStrike Outage!", "Gh0stGambit", "MEKOTIO BANKING TROJAN", "TAG-100", "Fake game sites lead to information stealers", "Chrome Extensions Hijacked, 2.6 Million Users Impacted", "macOS Users Targeted by the New Variant of Banshee Infostealer", "Hundreds of fake Reddit sites push Lumma Stealer malware", "GamaCopy APT Group Mimicking GamaRedon", "InvisibleFerret Malware Leveraging Python for Targeted Attacks", "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer", "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors", "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution", "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads", "New Star Blizzard spear-phishing campaign targets WhatsApp accounts", "RansomHub Affiliate leverages Python-based backdoor", "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques", "Advanced Evasion Techniques Used by NonEuclid RAT", "The Return of PlugX Malware with Fresh Tricks", "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts", "Weaponized Software Targeting Chinese Organizations", "Threat Surge as Lumma Stealer Expands Its Reach", "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain", "MintsLoader_Stealc", "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks", "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware", "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques", "Salt Typhoon Target U.S. Telecom Networks", "SecTopRAT", "Stealers on the Rise", "Snake Keylogger", "AsyncRAT Reloaded", "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation", "FatalRAT", "SystemBC RAT Poses New Risks to Linux System", "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations", "FERRET Malware Targets macOS in Sophisticated North Korean Attacks", "Espionage Campaign Targeting South Asian Entities", "Astral Stealer Strikes Again Stealing More Than Just Your Cookies", "The New Ransomware Menace Vgod Gains Momentum", "Microsoft Advertisers Phished via Malicious Google Ads", "LegionLoader Malware Expands Global Reach", "NEW.txt", "From Stealers to Ransomware PureCrypter Delivers It All", "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs", "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux", "LockBit Ransomware Attack Leveraging Cobalt Strike", "Rspack_Compromised_Packages", "SmokeLoader", "Sock5Systemz-PROXY-AM", "solana-backdoor", "U.S. Organization in China Targeted by Attackers", "UAC-0185 attacks warned by CERT-UA", "BellaCpp", "bootkitty(logofail)", "Visual Studio Code Remote tunnels", "Cloud Atlas seen using a new tool in its attacks", "Christmas-Themed LNK Files Used for Malware Delivery", "DarkGate", "MirrorFace Campain", "horns-hooves", "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers", "NetSupport RAT and BurnsRAT", "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery", "MUT-1244-GitHub", "Phobos ransomware", "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data", "PUMAKIT", "OtterCookie used by Contagious Interview", "Ransomware-Lockbit3-IOCs.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mekotio Banking", "display_name": "Mekotio Banking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "MSI", "display_name": "MSI", "target": null }, { "id": "InvisibleFerret", "display_name": "InvisibleFerret", "target": null }, { "id": "Vant", "display_name": "Vant", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Badderawy", "id": "310597", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 950, "FileHash-SHA1": 847, "FileHash-SHA256": 1060, "hostname": 1158, "domain": 867, "URL": 813, "email": 77, "CIDR": 2, "CVE": 9 }, "indicator_count": 5783, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a1b72bd18090978dc0fa0e", "name": "The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads", "description": "", "modified": "2025-02-04T06:43:55.767000", "created": "2025-02-04T06:43:55.767000", "tags": [ "phishing", "advertising fraud", "malvertising" ], "references": [ "https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Paraguay", "Brazil", "Hong Kong", "China", "Taiwan" ], "malware_families": [], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Technology", "Advertising" ], "TLP": "white", "cloned_from": "678e2eb12be20d7d671e681f", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 15 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "480 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678cfb6d4a2a7c1922d6e9f2", "name": "Hackers Use Google Search Ads to Promote Phishing Sites", "description": "Hackers Use Google Search Ads to Promote Phishing Sites", "modified": "2025-01-19T13:17:33.706000", "created": "2025-01-19T13:17:33.706000", "tags": [ "classification", "confidential", "cyber", "threat", "january", "time", "crypto cyber", "defence", "urls" ], "references": [], "public": 1, "adversary": "CryptoGen Cyber Threat Intelligence Advisory", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 15 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "496 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678912ba82edfa63dab8abbd", "name": "Attackers Use Fake Google Ads to Steal Google Ad Accounts", "description": "This blog post from Malwarebytes analyzes a malvertising campaign where cybercriminals use fake Google Ads to phish organizations and steal their advertiser account credentials. The widespread nature of this operation poses significant risks, including unauthorized access to advertising budgets and the potential dissemination of additional malware or scams. The attack begins with a fraudulent ad that mimics a legitimate Google Ad, leading victims to a phishing page hosted on Google Sites that closely resemble authentic Google login pages. Once credentials are obtained, these accounts are either sold on blackhat forums or exploited to further propagate malicious advertising campaigns. Cybersecurity professionals are advised to implement multifactor authentication (MFA) for all advertising accounts, educate users about the dangers of clicking on sponsored search results, and monitor for unusual account activity to mitigate these threats.", "modified": "2025-01-16T14:07:54.672000", "created": "2025-01-16T14:07:54.672000", "tags": [ "threattype/malvertising", "threattype/credential theft" ], "references": [ "https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 15 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "499 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67890247d6312e1835cdd70d", "name": "The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads | Malwarebytes", "description": "Online criminals are targeting individuals and businesses that advertise on Google Search by phishing them for their credentials via fraudulent Google Ads, according to research by Malwarebytes.com, an anti-virus company.", "modified": "2025-01-16T12:57:43.419000", "created": "2025-01-16T12:57:43.419000", "tags": [ "google ads", "google", "google sites", "figure", "google account", "google search", "reddit", "brazil", "google ad", "javascript code", "phishing", "paraguay", "bluesky", "brazilian", "beware", "hello" ], "references": [ "https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 16, "URL": 55 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "499 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "LockBit Ransomware Attack Leveraging Cobalt Strike", "Visual Studio Code Remote tunnels", "Shadowroot Ransomware", "Rspack_Compromised_Packages", "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques", "Astral Stealer Strikes Again Stealing More Than Just Your Cookies", "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery", "Fake game sites lead to information stealers", "PUMAKIT", "OtterCookie used by Contagious Interview", "APT36", "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer", "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data", "HawkEye Malware", "GamaCopy APT Group Mimicking GamaRedon", "Glove-Stealer", "AsyncRAT Reloaded", "horns-hooves", "Christmas-Themed LNK Files Used for Malware Delivery", "InvisibleFerret Malware Leveraging Python for Targeted Attacks", "Chrome Extensions Hijacked, 2.6 Million Users Impacted", "Silent Skimmer Gets Loud (Again)", "New Star Blizzard spear-phishing campaign targets WhatsApp accounts", "Fake Discount Sites Exploit Black Friday", "Advanced Evasion Techniques Used by NonEuclid RAT", "play ransomware", "Espionage Campaign Targeting South Asian Entities", "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users", "Sock5Systemz-PROXY-AM", "MintsLoader_Stealc", "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations", "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads", "The Return of PlugX Malware with Fresh Tricks", "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack", "HotPage.exe (malware)", "BrazenBamboo", "NetSupport RAT and BurnsRAT", "babbleloader", "Remcos RAT", "macOS Users Targeted by the New Variant of Banshee Infostealer", "ELDORADO RANSOMWARE", "Weaponized Software Targeting Chinese Organizations", "Bumblebee Malware", "DarkGate", "Winos4.0 RAT", "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors", "Stealers on the Rise", "Python NodeStealer", "BugSleep Malware", "RustyStealer and New Ymir Ransomware", "MALLOX RANSOMWARE", "SystemBC RAT Poses New Risks to Linux System", "CloudScout_ Evasive Panda scouting cloud services", "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts", "Snake Keylogger", "romcom-exploits-firefox-and-windows", "Gh0stGambit", "FatalRAT", "TAG-100", "Hundreds of fake Reddit sites push Lumma Stealer malware", "LegionLoader Malware Expands Global Reach", "Suspicious Domains Exploiting the Recent CrowdStrike Outage!", "Rockstar-Phishing", "WezRat Malware", "PyPI-AIOCPA", "The New Ransomware Menace Vgod Gains Momentum", "PXA Stealer", "RansomHub Affiliate leverages Python-based backdoor", "solana-backdoor", "Salt Typhoon Target U.S. Telecom Networks", "https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads", "Demodex rootkit", "SpyGlace", "Helldown Ransomware", "NEW.txt", "ACR Stealer", "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain", "UAC-0185 attacks warned by CERT-UA", "SteelFox Trojan", "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers", "From Stealers to Ransomware PureCrypter Delivers It All", "clickfix-tactic", "BellaCpp", "Avast-Anti-Root-KIt", "Cloud Atlas seen using a new tool in its attacks", "Qilin Ransomware", "FERRET Malware Targets macOS in Sophisticated North Korean Attacks", "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs", "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware", "Bootkitty", "U.S. Organization in China Targeted by Attackers", "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux", "Ransomware-Lockbit3-IOCs.csv", "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan", "MirrorFace Campain", "bootkitty(logofail)", "Microsoft Advertisers Phished via Malicious Google Ads", "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution", "MEKOTIO BANKING TROJAN", "SecTopRAT", "Bitter APT", "NOOPDOOR Malware", "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation", "WolfsBane Backdoor", "Phobos ransomware", "Threat Surge as Lumma Stealer Expands Its Reach", "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques", "SmokeLoader", "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing", "APT-K-47", "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks", "Akira Ransomware", "MUT-1244-GitHub" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Advertising", "Technology" ] }, "other": { "adversary": [ "CryptoGen Cyber Threat Intelligence Advisory" ], "malware_families": [ "Vant", "Invisibleferret", "Trojanspy", "Mekotio banking", "Msi" ], "industries": [ "Advertising", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "678e2eb12be20d7d671e681f", "name": "The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads", "description": "Cybercriminals are targeting Google Ads advertisers through phishing campaigns, impersonating Google Ads via fraudulent ads. The scheme involves stealing advertiser accounts by redirecting victims to fake login pages, with the goal of reselling these accounts on blackhat forums. The operation uses compromised accounts to perpetuate the campaign, affecting thousands of Google customers worldwide. Victims include individuals and businesses looking to advertise on Google Search. The attacks involve sophisticated techniques, including the use of Google Sites for impersonation and phishing kits to collect user data. Two main groups have been identified: one based in Brazil and another in Asia, possibly China. The stolen accounts are valuable for further malvertising campaigns, scams, and malware distribution.", "modified": "2025-01-20T11:09:30.926000", "created": "2025-01-20T11:08:33.187000", "tags": [ "phishing", "advertising fraud", "malvertising" ], "references": [ "https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Paraguay", "Brazil", "Hong Kong", "China", "Taiwan" ], "malware_families": [], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Technology", "Advertising" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 15 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 386461, "modified_text": "495 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c0cdc35112c5919563a334", "name": "Intel is bad awy", "description": "", "modified": "2025-03-29T20:01:20.482000", "created": "2025-02-27T20:40:35.539000", "tags": [ "sign", "github", "find", "view", "search", "strong", "code issues", "pull", "breadcrumbs", "damn", "star", "footer", "sha1", "helldown linux", "iocs helldown", "windows payload", "icon", "darkrace", "donex", "ransom", "defanged file", "hashes", "ipv4", "sha256", "c2 ip", "address", "plugin", "brazanbamboo c2", "panel", "archive file", "bha006", "telegram bot", "token", "chat id", "sha256 hashes", "iocs", "intermediary", "landing", "aitm server", "compromise note", "hashes payload", "loader", "dropper", "ips https", "urls https", "duoyi", "ioc url", "ipv4 address", "c2 server", "sample sha256", "remcos", "decrypted", "urls http", "payload", "amos stealer", "stealc c2", "rhadamanthys c2", "phishing urls", "google meet", "amos steaker", "html payload", "stealc payload", "md5 hashes", "sha1 hashes", "iocs zip", "lnk file", "msi file", "payload url", "eldorado", "linux", "service dll", "cheat engine", "c2 domain", "compromise", "urls", "iocs files", "network ip", "domain", "malware hash", "noopldr type1", "noopldr type2", "download url", "email addresses", "block", "ioc http", "iocs hash", "url https", "ghostgambit", "hidden rootkit", "gh0strat", "mekotio banking", "financial", "latin america", "detected", "zipmsi", "downloader", "ip address", "cobalt strike", "first seen", "seen", "pantegana", "tls certificate", "fingerprint", "samples", "trojanspy", "msi", "subdomains", "reddit", "wetransfer", "ioc hash", "file hashes", "ip addresses", "fake captcha", "html", "hta script", "lumma payload", "filehashsha256", "indicator type", "sha256 lnk", "ports", "first stage", "md5 file", "domains", "reddelta c2", "servers", "octoberdecember", "shortcut", "files", "solo airfield", "quoc", "bctt", "kongtuke", "mintsloader c2", "js download", "c2 http", "boinc c2", "c2 address", "analyzed", "file name", "na stark", "na majestic", "description", "trojanized", "beavertail", "anydesk module", "domain hosting", "first", "details", "monitor", "sites", "fake chrome", "payload host", "c2 https", "examples", "atomic stealer", "c2 servers", "cthulhu stealer", "server http", "l files", "original", "iocs malicious", "mirrowsimps", "defanged", "strike loaders", "plugx", "plugx c2", "sspiuacbypass", "malware", "malware c2", "filehashmd5", "site", "orgvgodpayment", "quite solsjoas", "ioc sha256", "similar sha256", "http", "url hundreds", "url samples", "filehash", "guidloader", "finaldraft elf", "type name", "reference", "finaldraft", "sha256 pfman", "pathloader", "atomic https", "systembc", "ghostsocks", "invisibleferret", "vant", "rspackcore", "monero", "sha256 hash", "code snippets", "psexec", "ituneshelper", "pscp", "sftp", "googleupdate", "meshagent", "ultravnc", "file", "bootkitty iocs", "phpsert", "phpsert variant", "createdump tool", "visual studio", "code", "server", "sql injection", "studio code", "ssh access", "hta file", "vbshower c2", "powershower c2", "cloud", "hta md5", "domain name", "links", "c http", "horns", "version", "version b", "version c", "version d", "version e", "burnsrat c", "a http", "github users", "shell commands", "vssadmin delete", "userprofile", "public", "registry keys", "phobos", "lettointago", "carljohnson1948", "samuelwhite1821", "file hash", "lockbit", "indicatortype", "data", "mlpea", "w32neshtad", "gmer", "neshta", "opswat oesis", "v4 removal" ], "references": [ "Bootkitty", "Glove-Stealer", "Fake Discount Sites Exploit Black Friday", "Helldown Ransomware", "HawkEye Malware", "PXA Stealer", "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack", "BrazenBamboo", "SpyGlace", "RustyStealer and New Ymir Ransomware", "PyPI-AIOCPA", "Python NodeStealer", "romcom-exploits-firefox-and-windows", "Rockstar-Phishing", "Silent Skimmer Gets Loud (Again)", "SteelFox Trojan", "WezRat Malware", "Avast-Anti-Root-KIt", "Winos4.0 RAT", "APT36", "WolfsBane Backdoor", "APT-K-47", "Remcos RAT", "babbleloader", "Bitter APT", "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing", "CloudScout_ Evasive Panda scouting cloud services", "clickfix-tactic", "Akira Ransomware", "Bumblebee Malware", "ELDORADO RANSOMWARE", "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan", "Demodex rootkit", "BugSleep Malware", "HotPage.exe (malware)", "Qilin Ransomware", "NOOPDOOR Malware", "Shadowroot Ransomware", "play ransomware", "MALLOX RANSOMWARE", "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users", "ACR Stealer", "Suspicious Domains Exploiting the Recent CrowdStrike Outage!", "Gh0stGambit", "MEKOTIO BANKING TROJAN", "TAG-100", "Fake game sites lead to information stealers", "Chrome Extensions Hijacked, 2.6 Million Users Impacted", "macOS Users Targeted by the New Variant of Banshee Infostealer", "Hundreds of fake Reddit sites push Lumma Stealer malware", "GamaCopy APT Group Mimicking GamaRedon", "InvisibleFerret Malware Leveraging Python for Targeted Attacks", "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer", "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors", "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution", "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads", "New Star Blizzard spear-phishing campaign targets WhatsApp accounts", "RansomHub Affiliate leverages Python-based backdoor", "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques", "Advanced Evasion Techniques Used by NonEuclid RAT", "The Return of PlugX Malware with Fresh Tricks", "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts", "Weaponized Software Targeting Chinese Organizations", "Threat Surge as Lumma Stealer Expands Its Reach", "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain", "MintsLoader_Stealc", "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks", "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware", "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques", "Salt Typhoon Target U.S. Telecom Networks", "SecTopRAT", "Stealers on the Rise", "Snake Keylogger", "AsyncRAT Reloaded", "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation", "FatalRAT", "SystemBC RAT Poses New Risks to Linux System", "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations", "FERRET Malware Targets macOS in Sophisticated North Korean Attacks", "Espionage Campaign Targeting South Asian Entities", "Astral Stealer Strikes Again Stealing More Than Just Your Cookies", "The New Ransomware Menace Vgod Gains Momentum", "Microsoft Advertisers Phished via Malicious Google Ads", "LegionLoader Malware Expands Global Reach", "NEW.txt", "From Stealers to Ransomware PureCrypter Delivers It All", "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs", "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux", "LockBit Ransomware Attack Leveraging Cobalt Strike", "Rspack_Compromised_Packages", "SmokeLoader", "Sock5Systemz-PROXY-AM", "solana-backdoor", "U.S. Organization in China Targeted by Attackers", "UAC-0185 attacks warned by CERT-UA", "BellaCpp", "bootkitty(logofail)", "Visual Studio Code Remote tunnels", "Cloud Atlas seen using a new tool in its attacks", "Christmas-Themed LNK Files Used for Malware Delivery", "DarkGate", "MirrorFace Campain", "horns-hooves", "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers", "NetSupport RAT and BurnsRAT", "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery", "MUT-1244-GitHub", "Phobos ransomware", "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data", "PUMAKIT", "OtterCookie used by Contagious Interview", "Ransomware-Lockbit3-IOCs.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mekotio Banking", "display_name": "Mekotio Banking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "MSI", "display_name": "MSI", "target": null }, { "id": "InvisibleFerret", "display_name": "InvisibleFerret", "target": null }, { "id": "Vant", "display_name": "Vant", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Badderawy", "id": "310597", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 950, "FileHash-SHA1": 847, "FileHash-SHA256": 1060, "hostname": 1158, "domain": 867, "URL": 813, "email": 77, "CIDR": 2, "CVE": 9 }, "indicator_count": 5783, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a1b72bd18090978dc0fa0e", "name": "The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads", "description": "", "modified": "2025-02-04T06:43:55.767000", "created": "2025-02-04T06:43:55.767000", "tags": [ "phishing", "advertising fraud", "malvertising" ], "references": [ "https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Paraguay", "Brazil", "Hong Kong", "China", "Taiwan" ], "malware_families": [], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Technology", "Advertising" ], "TLP": "white", "cloned_from": "678e2eb12be20d7d671e681f", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 15 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "480 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678cfb6d4a2a7c1922d6e9f2", "name": "Hackers Use Google Search Ads to Promote Phishing Sites", "description": "Hackers Use Google Search Ads to Promote Phishing Sites", "modified": "2025-01-19T13:17:33.706000", "created": "2025-01-19T13:17:33.706000", "tags": [ "classification", "confidential", "cyber", "threat", "january", "time", "crypto cyber", "defence", "urls" ], "references": [], "public": 1, "adversary": "CryptoGen Cyber Threat Intelligence Advisory", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 15 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "496 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678912ba82edfa63dab8abbd", "name": "Attackers Use Fake Google Ads to Steal Google Ad Accounts", "description": "This blog post from Malwarebytes analyzes a malvertising campaign where cybercriminals use fake Google Ads to phish organizations and steal their advertiser account credentials. The widespread nature of this operation poses significant risks, including unauthorized access to advertising budgets and the potential dissemination of additional malware or scams. The attack begins with a fraudulent ad that mimics a legitimate Google Ad, leading victims to a phishing page hosted on Google Sites that closely resemble authentic Google login pages. Once credentials are obtained, these accounts are either sold on blackhat forums or exploited to further propagate malicious advertising campaigns. Cybersecurity professionals are advised to implement multifactor authentication (MFA) for all advertising accounts, educate users about the dangers of clicking on sponsored search results, and monitor for unusual account activity to mitigate these threats.", "modified": "2025-01-16T14:07:54.672000", "created": "2025-01-16T14:07:54.672000", "tags": [ "threattype/malvertising", "threattype/credential theft" ], "references": [ "https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 15 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "499 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67890247d6312e1835cdd70d", "name": "The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads | Malwarebytes", "description": "Online criminals are targeting individuals and businesses that advertise on Google Search by phishing them for their credentials via fraudulent Google Ads, according to research by Malwarebytes.com, an anti-virus company.", "modified": "2025-01-16T12:57:43.419000", "created": "2025-01-16T12:57:43.419000", "tags": [ "google ads", "google", "google sites", "figure", "google account", "google search", "reddit", "brazil", "google ad", "javascript code", "phishing", "paraguay", "bluesky", "brazilian", "beware", "hello" ], "references": [ "https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 16, "URL": 55 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "499 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "tmcampos.pt", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "tmcampos.pt", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780185952.553014 }