{ "type": "Domain", "indicator": "transformaition.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/transformaition.com", "alexa": "http://www.alexa.com/siteinfo/transformaition.com", "indicator": "transformaition.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3661036786, "indicator": "transformaition.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6436c0cf4951311d9a3d3351", "name": "QuaDream\u2019s \u201cKingsPawn\u201d malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia", "description": "A threat group tracked as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream. QuaDream reportedly sells a platform they call REIGN to governments for law enforcement purposes. REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices.", "modified": "2023-04-12T14:31:42.315000", "created": "2023-04-12T14:31:42.315000", "tags": [ "dev0196", "quadream", "haaretz", "amfi", "psoa", "meta", "android", "ENDOFDAYS", "iOS spyware" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/", "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/" ], "public": 1, "adversary": "DEV-0196, QuaDream", "targeted_countries": [], "malware_families": [ { "id": "KingsPawn", "display_name": "KingsPawn", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "TA0031", "name": "Credential Access", "display_name": "TA0031 - Credential Access" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Media", "Government", "NGO" ], "TLP": "white", "cloned_from": null, "export_count": 383, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 164 }, "indicator_count": 165, "is_author": false, "is_subscribing": null, "subscriber_count": 386908, "modified_text": "1147 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6865117ef69a048ce6a4d04e", "name": "Israel APT actors", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-07-02T11:01:18.401000", "tags": [], "references": [ "APT-Israel.pdf" ], "public": 1, "adversary": "Caramel Tsunami, Candiru, Gonjeshke Darande, Predatory Sparrow, Phlox Tempest, Carmine Tsunami, DEEV", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 34, "FileHash-SHA256": 34, "URL": 3, "domain": 405 }, "indicator_count": 510, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "643ce7d99ef2b1d39b696141", "name": "QuaDream\u2019s \u201cKingsPawn\u201d malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia", "description": "", "modified": "2023-04-17T06:31:53.503000", "created": "2023-04-17T06:31:53.503000", "tags": [ "dev0196", "quadream", "haaretz", "amfi", "psoa", "meta", "android", "ENDOFDAYS", "iOS spyware" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/", "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/" ], "public": 1, "adversary": "DEV-0196, QuaDream", "targeted_countries": [], "malware_families": [ { "id": "KingsPawn", "display_name": "KingsPawn", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "TA0031", "name": "Credential Access", "display_name": "TA0031 - Credential Access" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Media", "Government", "NGO" ], "TLP": "white", "cloned_from": "6438e469cffb814ed9f1ec4d", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 164 }, "indicator_count": 165, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "1142 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6438e469cffb814ed9f1ec4d", "name": "QuaDream\u2019s \u201cKingsPawn\u201d malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia", "description": "", "modified": "2023-04-14T05:28:09.651000", "created": "2023-04-14T05:28:09.651000", "tags": [ "dev0196", "quadream", "haaretz", "amfi", "psoa", "meta", "android", "ENDOFDAYS", "iOS spyware" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/", "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/" ], "public": 1, "adversary": "DEV-0196, QuaDream", "targeted_countries": [], "malware_families": [ { "id": "KingsPawn", "display_name": "KingsPawn", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "TA0031", "name": "Credential Access", "display_name": "TA0031 - Credential Access" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Media", "Government", "NGO" ], "TLP": "white", "cloned_from": "6436c0cf4951311d9a3d3351", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 164 }, "indicator_count": 165, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "1145 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64388dcb5129c6d849cff3f2", "name": "DEV-0196: QuaDream\u2019s \u201cKingsPawn\u201d malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia - Microsoft Security Blog", "description": "", "modified": "2023-04-13T23:18:35.973000", "created": "2023-04-13T23:18:35.973000", "tags": [ "Cybersecurity", "Citizen Lab", "Microsoft Security Intelligence", "Mobile", "Private-sector offensive actor (PSOA)", "DEV-0196" ], "references": [ "https://community.riskiq.com/article/95949708" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 164 }, "indicator_count": 165, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "1145 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64379d0ba19487e3a4cc41ba", "name": "DEV-0196: QuaDream\u2019s \u201cKingsPawn\u201d malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia", "description": "RMPAC7/2023/002/02 40 Data 12/04/2023 KingsPawn: usato lo spyware dell\u2019israeliana QuaDream per colpire dispositivi", "modified": "2023-04-13T06:11:23.806000", "created": "2023-04-13T06:11:23.806000", "tags": [], "references": [ "2755381.misp-json", "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otx_support", "id": "26678", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 164 }, "indicator_count": 164, "is_author": false, "is_subscribing": null, "subscriber_count": 211, "modified_text": "1146 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64369a8b2aa7e3c882c17bcb", "name": "Sweet QuaDreams: A First Look at Spyware Vendor QuaDream\u2019s Exploits, Victims, and Customers", "description": "QuaDream\u2019s \u201cKingsPawn\u201d malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia", "modified": "2023-04-12T11:48:27.737000", "created": "2023-04-12T11:48:27.737000", "tags": [ "dev0196", "quadream", "microsoft", "citizen lab", "intelligence", "reign", "ghana", "haaretz", "amfi", "psoa", "meta", "android", "mexico", "august", "main", "sentinel", "first", "targeted threats", "spyware", "inreach", "sample", "verint", "israel", "cyprus", "nso group", "endofdays", "cypriot case", "file", "june", "april", "february", "general", "indonesia", "exploit", "comment", "prior" ], "references": [ "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/", "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 165, "CVE": 1 }, "indicator_count": 166, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1147 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "643607e3a0c610d554cf4cdf", "name": "DEV-0196, QuaDream\u2019s KingsPawn malware used to target civil societies", "description": "", "modified": "2023-04-12T01:22:43.622000", "created": "2023-04-12T01:22:43.622000", "tags": [], "references": [ "April 12th, 2023 - CryptoGen Cyber Threat Intelligence - DEV-0196, QuaDream\u2019s KingsPawn malware used to target civil societies.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 164 }, "indicator_count": 164, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1147 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6435eae06b17f099868dee74", "name": "InQuest - 11-04-2023", "description": "", "modified": "2023-04-11T23:18:56.095000", "created": "2023-04-11T23:18:56.095000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 125, "domain": 939, "URL": 1536, "hostname": 248, "IPv4": 197, "FileHash-MD5": 42, "FileHash-SHA1": 15 }, "indicator_count": 3102, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "1147 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/", "https://labs.inquest.net/iocdb", "APT-Israel.pdf", "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/", "https://community.riskiq.com/article/95949708", "2755381.misp-json", "April 12th, 2023 - CryptoGen Cyber Threat Intelligence - DEV-0196, QuaDream\u2019s KingsPawn malware used to target civil societies.pdf" ], "related": { "alienvault": { "adversary": [ "DEV-0196, QuaDream" ], "malware_families": [ "Kingspawn" ], "industries": [ "Media", "Ngo", "Government" ] }, "other": { "adversary": [ "Caramel Tsunami, Candiru, Gonjeshke Darande, Predatory Sparrow, Phlox Tempest, Carmine Tsunami, DEEV", "DEV-0196, QuaDream" ], "malware_families": [ "Kingspawn" ], "industries": [ "Media", "Ngo", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6436c0cf4951311d9a3d3351", "name": "QuaDream\u2019s \u201cKingsPawn\u201d malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia", "description": "A threat group tracked as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream. QuaDream reportedly sells a platform they call REIGN to governments for law enforcement purposes. REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices.", "modified": "2023-04-12T14:31:42.315000", "created": "2023-04-12T14:31:42.315000", "tags": [ "dev0196", "quadream", "haaretz", "amfi", "psoa", "meta", "android", "ENDOFDAYS", "iOS spyware" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/", "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/" ], "public": 1, "adversary": "DEV-0196, QuaDream", "targeted_countries": [], "malware_families": [ { "id": "KingsPawn", "display_name": "KingsPawn", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "TA0031", "name": "Credential Access", "display_name": "TA0031 - Credential Access" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Media", "Government", "NGO" ], "TLP": "white", "cloned_from": null, "export_count": 383, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 164 }, "indicator_count": 165, "is_author": false, "is_subscribing": null, "subscriber_count": 386908, "modified_text": "1147 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6865117ef69a048ce6a4d04e", "name": "Israel APT actors", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-07-02T11:01:18.401000", "tags": [], "references": [ "APT-Israel.pdf" ], "public": 1, "adversary": "Caramel Tsunami, Candiru, Gonjeshke Darande, Predatory Sparrow, Phlox Tempest, Carmine Tsunami, DEEV", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 34, "FileHash-SHA256": 34, "URL": 3, "domain": 405 }, "indicator_count": 510, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "643ce7d99ef2b1d39b696141", "name": "QuaDream\u2019s \u201cKingsPawn\u201d malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia", "description": "", "modified": "2023-04-17T06:31:53.503000", "created": "2023-04-17T06:31:53.503000", "tags": [ "dev0196", "quadream", "haaretz", "amfi", "psoa", "meta", "android", "ENDOFDAYS", "iOS spyware" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/", "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/" ], "public": 1, "adversary": "DEV-0196, QuaDream", "targeted_countries": [], "malware_families": [ { "id": "KingsPawn", "display_name": "KingsPawn", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "TA0031", "name": "Credential Access", "display_name": "TA0031 - Credential Access" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Media", "Government", "NGO" ], "TLP": "white", "cloned_from": "6438e469cffb814ed9f1ec4d", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 164 }, "indicator_count": 165, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "1142 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6438e469cffb814ed9f1ec4d", "name": "QuaDream\u2019s \u201cKingsPawn\u201d malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia", "description": "", "modified": "2023-04-14T05:28:09.651000", "created": "2023-04-14T05:28:09.651000", "tags": [ "dev0196", "quadream", "haaretz", "amfi", "psoa", "meta", "android", "ENDOFDAYS", "iOS spyware" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/", "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/" ], "public": 1, "adversary": "DEV-0196, QuaDream", "targeted_countries": [], "malware_families": [ { "id": "KingsPawn", "display_name": "KingsPawn", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "TA0031", "name": "Credential Access", "display_name": "TA0031 - Credential Access" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Media", "Government", "NGO" ], "TLP": "white", "cloned_from": "6436c0cf4951311d9a3d3351", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 164 }, "indicator_count": 165, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "1145 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64388dcb5129c6d849cff3f2", "name": "DEV-0196: QuaDream\u2019s \u201cKingsPawn\u201d malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia - Microsoft Security Blog", "description": "", "modified": "2023-04-13T23:18:35.973000", "created": "2023-04-13T23:18:35.973000", "tags": [ "Cybersecurity", "Citizen Lab", "Microsoft Security Intelligence", "Mobile", "Private-sector offensive actor (PSOA)", "DEV-0196" ], "references": [ "https://community.riskiq.com/article/95949708" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 164 }, "indicator_count": 165, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "1145 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64379d0ba19487e3a4cc41ba", "name": "DEV-0196: QuaDream\u2019s \u201cKingsPawn\u201d malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia", "description": "RMPAC7/2023/002/02 40 Data 12/04/2023 KingsPawn: usato lo spyware dell\u2019israeliana QuaDream per colpire dispositivi", "modified": "2023-04-13T06:11:23.806000", "created": "2023-04-13T06:11:23.806000", "tags": [], "references": [ "2755381.misp-json", "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otx_support", "id": "26678", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 164 }, "indicator_count": 164, "is_author": false, "is_subscribing": null, "subscriber_count": 211, "modified_text": "1146 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64369a8b2aa7e3c882c17bcb", "name": "Sweet QuaDreams: A First Look at Spyware Vendor QuaDream\u2019s Exploits, Victims, and Customers", "description": "QuaDream\u2019s \u201cKingsPawn\u201d malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia", "modified": "2023-04-12T11:48:27.737000", "created": "2023-04-12T11:48:27.737000", "tags": [ "dev0196", "quadream", "microsoft", "citizen lab", "intelligence", "reign", "ghana", "haaretz", "amfi", "psoa", "meta", "android", "mexico", "august", "main", "sentinel", "first", "targeted threats", "spyware", "inreach", "sample", "verint", "israel", "cyprus", "nso group", "endofdays", "cypriot case", "file", "june", "april", "february", "general", "indonesia", "exploit", "comment", "prior" ], "references": [ "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/", "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 165, "CVE": 1 }, "indicator_count": 166, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1147 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "643607e3a0c610d554cf4cdf", "name": "DEV-0196, QuaDream\u2019s KingsPawn malware used to target civil societies", "description": "", "modified": "2023-04-12T01:22:43.622000", "created": "2023-04-12T01:22:43.622000", "tags": [], "references": [ "April 12th, 2023 - CryptoGen Cyber Threat Intelligence - DEV-0196, QuaDream\u2019s KingsPawn malware used to target civil societies.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 164 }, "indicator_count": 164, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1147 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6435eae06b17f099868dee74", "name": "InQuest - 11-04-2023", "description": "", "modified": "2023-04-11T23:18:56.095000", "created": "2023-04-11T23:18:56.095000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 125, "domain": 939, "URL": 1536, "hostname": 248, "IPv4": 197, "FileHash-MD5": 42, "FileHash-SHA1": 15 }, "indicator_count": 3102, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "1147 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "transformaition.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "transformaition.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780412994.3862498 }