{
  "type": "Domain",
  "indicator": "totallegacy.org",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/totallegacy.org",
    "alexa": "http://www.alexa.com/siteinfo/totallegacy.org",
    "indicator": "totallegacy.org",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4372261555,
      "indicator": "totallegacy.org",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "6a105530af26afbd3752ab81",
          "name": "Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload",
          "description": "Cloud Atlas APT group targeted government organizations and commercial companies in Russia and Belarus during late 2025 and early 2026, employing phishing campaigns with malicious ZIP archives containing LNK shortcuts. The attackers deployed multiple backdoors including VBCloud for file theft and PowerShower for network reconnaissance. New tools identified include PowerCloud, which exfiltrates data to Google Sheets, and browser checker utilities. The group established persistence through reverse SSH tunnels, patched OpenSSH binaries, ReverseSocks, and Tor networking. Initial infection vectors included malicious shortcuts executing PowerShell scripts and exploiting CVE-2018-0802 in Microsoft Office. The attackers performed credential theft, RDP manipulation via termsrv.dll patching, and lateral movement across networks while maintaining multiple backup control channels.",
          "modified": "2026-05-25T09:47:41.792000",
          "created": "2026-05-22T13:08:00.327000",
          "tags": [
            "vbcloud",
            "netsupport rat",
            "powershower",
            "reversesocks",
            "phantomheart",
            "valleyrat",
            "powercloud",
            "cloud atlas"
          ],
          "references": [
            "https://securelist.com/cloud-atlas-2026/119895/"
          ],
          "public": 1,
          "adversary": "Inception Framework",
          "targeted_countries": [
            "Belarus",
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "PowerCloud",
              "display_name": "PowerCloud",
              "target": null
            },
            {
              "id": "VBCloud",
              "display_name": "VBCloud",
              "target": null
            },
            {
              "id": "PowerShower - S0441",
              "display_name": "PowerShower - S0441",
              "target": null
            },
            {
              "id": "ReverseSocks",
              "display_name": "ReverseSocks",
              "target": null
            },
            {
              "id": "PhantomHeart",
              "display_name": "PhantomHeart",
              "target": null
            },
            {
              "id": "ValleyRAT",
              "display_name": "ValleyRAT",
              "target": null
            },
            {
              "id": "ABCDoor",
              "display_name": "ABCDoor",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003.002",
              "name": "Security Account Manager",
              "display_name": "T1003.002 - Security Account Manager"
            },
            {
              "id": "T1074.001",
              "name": "Local Data Staging",
              "display_name": "T1074.001 - Local Data Staging"
            },
            {
              "id": "T1087.002",
              "name": "Domain Account",
              "display_name": "T1087.002 - Domain Account"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1572",
              "name": "Protocol Tunneling",
              "display_name": "T1572 - Protocol Tunneling"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1558.003",
              "name": "Kerberoasting",
              "display_name": "T1558.003 - Kerberoasting"
            }
          ],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 3,
            "FileHash-MD5": 69,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "IPv4": 15,
            "domain": 23,
            "hostname": 1
          },
          "indicator_count": 115,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386451,
          "modified_text": "5 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5fa1852d337eca8e99c2ec32",
          "name": "Malware - Malware Domain Feed V2 - November 03 2020",
          "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.",
          "modified": "2026-05-30T03:19:46.084000",
          "created": "2020-11-03T16:28:29.011000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 552092,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "otxrobottwo",
            "id": "78495",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 49967,
            "domain": 75353
          },
          "indicator_count": 125320,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1727,
          "modified_text": "17 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a174c09390776ae4501284b",
          "name": "ACTIVIDAD MALICIOSA | Campa\u00f1a de Cloud Atlas APT: Modificaci\u00f3n de termsrv.dll para M\u00faltiples Sesiones RDP (2025-2026)",
          "description": "Cloud Atlas, un grupo APT activo desde al menos 2014, ha sido detectado utilizando una t\u00e9cnica sigilosa para mantener acceso persistente a sistemas Windows comprometidos. La campa\u00f1a, identificada por investigadores de Securelist y reportada en mayo de 2026, se intensific\u00f3 durante la segunda mitad de 2025 y principios de 2026, apuntando principalmente a agencias gubernamentales y organizaciones diplom\u00e1ticas en Rusia y Bielorrusia.",
          "modified": "2026-05-27T19:54:49.658000",
          "created": "2026-05-27T19:54:49.658000",
          "tags": [
            "tor client",
            "malicious",
            "reverse ssh",
            "socks",
            "vbs tunnel",
            "ssh tunnel",
            "defang",
            "rutas",
            "archivo",
            "malware y",
            "ta0005",
            "command",
            "discovery",
            "powershell",
            "modify system",
            "control",
            "ta0011",
            "ta0002",
            "ta0003",
            "modificacin",
            "phishing",
            "execution",
            "masquerading",
            "malware"
          ],
          "references": [
            "https://darfe.es/ciberwiki/index.php?title=Campa%C3%B1a_de_Cloud_Atlas_APT:_Modificaci%C3%B3n_de_termsrv.dll_para_M%C3%BAltiples_Sesiones_RDP_(2025-2026)",
            "https://www.virustotal.com/graph/embed/ga1ce30ad493148bba5add15fdb2866d6eb7315a9731e442e840788ed475fe66d?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1601",
              "name": "Modify System Image",
              "display_name": "T1601 - Modify System Image"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 17,
            "domain": 24,
            "hostname": 1
          },
          "indicator_count": 42,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 268,
          "modified_text": "3 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a174bf7082d8eb0e1915415",
          "name": "ACTIVIDAD MALICIOSA | Campa\u00f1a de Cloud Atlas APT: Modificaci\u00f3n de termsrv.dll para M\u00faltiples Sesiones RDP (2025-2026)",
          "description": "Cloud Atlas, un grupo APT activo desde al menos 2014, ha sido detectado utilizando una t\u00e9cnica sigilosa para mantener acceso persistente a sistemas Windows comprometidos. La campa\u00f1a, identificada por investigadores de Securelist y reportada en mayo de 2026, se intensific\u00f3 durante la segunda mitad de 2025 y principios de 2026, apuntando principalmente a agencias gubernamentales y organizaciones diplom\u00e1ticas en Rusia y Bielorrusia.",
          "modified": "2026-05-27T19:54:31.910000",
          "created": "2026-05-27T19:54:31.910000",
          "tags": [
            "tor client",
            "malicious",
            "reverse ssh",
            "socks",
            "vbs tunnel",
            "ssh tunnel",
            "defang",
            "rutas",
            "archivo",
            "malware y",
            "ta0005",
            "command",
            "discovery",
            "powershell",
            "modify system",
            "control",
            "ta0011",
            "ta0002",
            "ta0003",
            "modificacin",
            "phishing",
            "execution",
            "masquerading",
            "malware"
          ],
          "references": [
            "https://darfe.es/ciberwiki/index.php?title=Campa%C3%B1a_de_Cloud_Atlas_APT:_Modificaci%C3%B3n_de_termsrv.dll_para_M%C3%BAltiples_Sesiones_RDP_(2025-2026)",
            "https://www.virustotal.com/graph/embed/ga1ce30ad493148bba5add15fdb2866d6eb7315a9731e442e840788ed475fe66d?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1601",
              "name": "Modify System Image",
              "display_name": "T1601 - Modify System Image"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 17,
            "domain": 24,
            "hostname": 1
          },
          "indicator_count": 42,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 268,
          "modified_text": "3 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a13b8f328162aab88d30ffa",
          "name": "IOC - Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload",
          "description": "In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise.",
          "modified": "2026-05-25T02:50:27.951000",
          "created": "2026-05-25T02:50:27.951000",
          "tags": [
            "browser checker",
            "reversesocks",
            "malicious ms",
            "office",
            "domains",
            "ips reverse",
            "sshsocks",
            "malicious",
            "ms office"
          ],
          "references": [
            "https://securelist.com/cloud-atlas-2026/119895/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 68,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "IPv4": 19,
            "domain": 23,
            "hostname": 1
          },
          "indicator_count": 115,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "5 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/ga1ce30ad493148bba5add15fdb2866d6eb7315a9731e442e840788ed475fe66d?theme=dark",
        "https://securelist.com/cloud-atlas-2026/119895/",
        "https://darfe.es/ciberwiki/index.php?title=Campa%C3%B1a_de_Cloud_Atlas_APT:_Modificaci%C3%B3n_de_termsrv.dll_para_M%C3%BAltiples_Sesiones_RDP_(2025-2026)"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Inception Framework"
          ],
          "malware_families": [
            "Reversesocks",
            "Netsupport rat",
            "Phantomheart",
            "Vbcloud",
            "Valleyrat",
            "Abcdoor",
            "Powershower - s0441",
            "Powercloud"
          ],
          "industries": [
            "Government"
          ]
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "6a105530af26afbd3752ab81",
      "name": "Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload",
      "description": "Cloud Atlas APT group targeted government organizations and commercial companies in Russia and Belarus during late 2025 and early 2026, employing phishing campaigns with malicious ZIP archives containing LNK shortcuts. The attackers deployed multiple backdoors including VBCloud for file theft and PowerShower for network reconnaissance. New tools identified include PowerCloud, which exfiltrates data to Google Sheets, and browser checker utilities. The group established persistence through reverse SSH tunnels, patched OpenSSH binaries, ReverseSocks, and Tor networking. Initial infection vectors included malicious shortcuts executing PowerShell scripts and exploiting CVE-2018-0802 in Microsoft Office. The attackers performed credential theft, RDP manipulation via termsrv.dll patching, and lateral movement across networks while maintaining multiple backup control channels.",
      "modified": "2026-05-25T09:47:41.792000",
      "created": "2026-05-22T13:08:00.327000",
      "tags": [
        "vbcloud",
        "netsupport rat",
        "powershower",
        "reversesocks",
        "phantomheart",
        "valleyrat",
        "powercloud",
        "cloud atlas"
      ],
      "references": [
        "https://securelist.com/cloud-atlas-2026/119895/"
      ],
      "public": 1,
      "adversary": "Inception Framework",
      "targeted_countries": [
        "Belarus",
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "PowerCloud",
          "display_name": "PowerCloud",
          "target": null
        },
        {
          "id": "VBCloud",
          "display_name": "VBCloud",
          "target": null
        },
        {
          "id": "PowerShower - S0441",
          "display_name": "PowerShower - S0441",
          "target": null
        },
        {
          "id": "ReverseSocks",
          "display_name": "ReverseSocks",
          "target": null
        },
        {
          "id": "PhantomHeart",
          "display_name": "PhantomHeart",
          "target": null
        },
        {
          "id": "ValleyRAT",
          "display_name": "ValleyRAT",
          "target": null
        },
        {
          "id": "ABCDoor",
          "display_name": "ABCDoor",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003.002",
          "name": "Security Account Manager",
          "display_name": "T1003.002 - Security Account Manager"
        },
        {
          "id": "T1074.001",
          "name": "Local Data Staging",
          "display_name": "T1074.001 - Local Data Staging"
        },
        {
          "id": "T1087.002",
          "name": "Domain Account",
          "display_name": "T1087.002 - Domain Account"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1572",
          "name": "Protocol Tunneling",
          "display_name": "T1572 - Protocol Tunneling"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1482",
          "name": "Domain Trust Discovery",
          "display_name": "T1482 - Domain Trust Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1558.003",
          "name": "Kerberoasting",
          "display_name": "T1558.003 - Kerberoasting"
        }
      ],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 3,
        "FileHash-MD5": 69,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "IPv4": 15,
        "domain": 23,
        "hostname": 1
      },
      "indicator_count": 115,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386451,
      "modified_text": "5 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5fa1852d337eca8e99c2ec32",
      "name": "Malware - Malware Domain Feed V2 - November 03 2020",
      "description": "Command-and-control domains for malware. These domains are extracted from a number of sources and are suspicious.",
      "modified": "2026-05-30T03:19:46.084000",
      "created": "2020-11-03T16:28:29.011000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 552092,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "otxrobottwo",
        "id": "78495",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 49967,
        "domain": 75353
      },
      "indicator_count": 125320,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1727,
      "modified_text": "17 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a174c09390776ae4501284b",
      "name": "ACTIVIDAD MALICIOSA | Campa\u00f1a de Cloud Atlas APT: Modificaci\u00f3n de termsrv.dll para M\u00faltiples Sesiones RDP (2025-2026)",
      "description": "Cloud Atlas, un grupo APT activo desde al menos 2014, ha sido detectado utilizando una t\u00e9cnica sigilosa para mantener acceso persistente a sistemas Windows comprometidos. La campa\u00f1a, identificada por investigadores de Securelist y reportada en mayo de 2026, se intensific\u00f3 durante la segunda mitad de 2025 y principios de 2026, apuntando principalmente a agencias gubernamentales y organizaciones diplom\u00e1ticas en Rusia y Bielorrusia.",
      "modified": "2026-05-27T19:54:49.658000",
      "created": "2026-05-27T19:54:49.658000",
      "tags": [
        "tor client",
        "malicious",
        "reverse ssh",
        "socks",
        "vbs tunnel",
        "ssh tunnel",
        "defang",
        "rutas",
        "archivo",
        "malware y",
        "ta0005",
        "command",
        "discovery",
        "powershell",
        "modify system",
        "control",
        "ta0011",
        "ta0002",
        "ta0003",
        "modificacin",
        "phishing",
        "execution",
        "masquerading",
        "malware"
      ],
      "references": [
        "https://darfe.es/ciberwiki/index.php?title=Campa%C3%B1a_de_Cloud_Atlas_APT:_Modificaci%C3%B3n_de_termsrv.dll_para_M%C3%BAltiples_Sesiones_RDP_(2025-2026)",
        "https://www.virustotal.com/graph/embed/ga1ce30ad493148bba5add15fdb2866d6eb7315a9731e442e840788ed475fe66d?theme=dark"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1601",
          "name": "Modify System Image",
          "display_name": "T1601 - Modify System Image"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "esoporteingenieria2020",
        "id": "121604",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 17,
        "domain": 24,
        "hostname": 1
      },
      "indicator_count": 42,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 268,
      "modified_text": "3 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a174bf7082d8eb0e1915415",
      "name": "ACTIVIDAD MALICIOSA | Campa\u00f1a de Cloud Atlas APT: Modificaci\u00f3n de termsrv.dll para M\u00faltiples Sesiones RDP (2025-2026)",
      "description": "Cloud Atlas, un grupo APT activo desde al menos 2014, ha sido detectado utilizando una t\u00e9cnica sigilosa para mantener acceso persistente a sistemas Windows comprometidos. La campa\u00f1a, identificada por investigadores de Securelist y reportada en mayo de 2026, se intensific\u00f3 durante la segunda mitad de 2025 y principios de 2026, apuntando principalmente a agencias gubernamentales y organizaciones diplom\u00e1ticas en Rusia y Bielorrusia.",
      "modified": "2026-05-27T19:54:31.910000",
      "created": "2026-05-27T19:54:31.910000",
      "tags": [
        "tor client",
        "malicious",
        "reverse ssh",
        "socks",
        "vbs tunnel",
        "ssh tunnel",
        "defang",
        "rutas",
        "archivo",
        "malware y",
        "ta0005",
        "command",
        "discovery",
        "powershell",
        "modify system",
        "control",
        "ta0011",
        "ta0002",
        "ta0003",
        "modificacin",
        "phishing",
        "execution",
        "masquerading",
        "malware"
      ],
      "references": [
        "https://darfe.es/ciberwiki/index.php?title=Campa%C3%B1a_de_Cloud_Atlas_APT:_Modificaci%C3%B3n_de_termsrv.dll_para_M%C3%BAltiples_Sesiones_RDP_(2025-2026)",
        "https://www.virustotal.com/graph/embed/ga1ce30ad493148bba5add15fdb2866d6eb7315a9731e442e840788ed475fe66d?theme=dark"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1601",
          "name": "Modify System Image",
          "display_name": "T1601 - Modify System Image"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "esoporteingenieria2020",
        "id": "121604",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 17,
        "domain": 24,
        "hostname": 1
      },
      "indicator_count": 42,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 268,
      "modified_text": "3 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a13b8f328162aab88d30ffa",
      "name": "IOC - Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload",
      "description": "In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise.",
      "modified": "2026-05-25T02:50:27.951000",
      "created": "2026-05-25T02:50:27.951000",
      "tags": [
        "browser checker",
        "reversesocks",
        "malicious ms",
        "office",
        "domains",
        "ips reverse",
        "sshsocks",
        "malicious",
        "ms office"
      ],
      "references": [
        "https://securelist.com/cloud-atlas-2026/119895/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 68,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "IPv4": 19,
        "domain": 23,
        "hostname": 1
      },
      "indicator_count": 115,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "5 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "totallegacy.org",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "totallegacy.org",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780173627.8290508
}