{
  "type": "Domain",
  "indicator": "trustconnectsoftware.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/trustconnectsoftware.com",
    "alexa": "http://www.alexa.com/siteinfo/trustconnectsoftware.com",
    "indicator": "trustconnectsoftware.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4205488155,
      "indicator": "trustconnectsoftware.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 50,
      "pulses": [
        {
          "id": "69c081afa2bd54a9599b7c07",
          "name": "PhishDestroy \u2014 Active Phishing & Crypto Scam Domains",
          "description": "Real-time feed of phishing, crypto drainer, and scam domains detected by PhishDestroy (phishdestroy.io). Updated hourly. 108K+ domains tracked, 55K+ currently active. Source: github.com/phishdestroy/destroylist",
          "modified": "2026-04-19T17:00:03.563000",
          "created": "2026-03-22T23:56:29.438000",
          "tags": [
            "phishing",
            "crypto",
            "scam",
            "drainer",
            "fraud",
            "blocklist",
            "phishdestroy"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "phishdestroy",
            "id": "348394",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 81541,
            "hostname": 49545
          },
          "indicator_count": 131086,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 58,
          "modified_text": "28 minutes ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a046863c1c92107079f81b",
          "name": "EbeeFeb2026 Pt5",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-03-31T06:00:59.128000",
          "created": "2026-02-26T13:11:34.763000",
          "tags": [
            "filehashsha1",
            "filehashsha256",
            "filehashmd5"
          ],
          "references": [
            "IOCs.2026.csv"
          ],
          "public": 1,
          "adversary": "Contagious Interview Campaign, Triton fork campaign, CRESCENTHARVEST, MIMICRAT, Operation Olalampo",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 78,
            "FileHash-MD5": 191,
            "FileHash-SHA1": 220,
            "FileHash-SHA256": 192,
            "CVE": 2,
            "URL": 58,
            "domain": 220
          },
          "indicator_count": 961,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "19 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699d46339248d1d41b93c8af",
          "name": "IOC - (Don't) TrustConnect: It's a RAT in an RMM hat",
          "description": "RMM tools continue to be many attackers\u2019 top choice for initial access. Such enterprise remote support software like SimpleHelp, SuperOps, Datto, N-able and others are frequently delivered via email campaigns by cybercrime actors or used as follow-on payloads once an actor achieves initial access. (As always, the legitimate RMM tools mentioned in this report are just that \u2014 legitimate. It\u2019s the threat actors doing the abusing. We call out brand names strictly to explain what the actors misused, not because the vendors themselves had any hand in the activity.)",
          "modified": "2026-03-26T07:07:30.239000",
          "created": "2026-02-24T06:33:23.522000",
          "tags": [
            "february",
            "january",
            "payload staging",
            "domain",
            "payload url",
            "first seen",
            "c2 domain",
            "c2 ip",
            "payload",
            "docconnect c2"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "URL": 6,
            "domain": 10,
            "hostname": 1
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 120,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6997f55e26fbbb0ae347e1ec",
          "name": "Botnet_C2 | Feb 20, 2026 | Part 1/2",
          "description": "Botnet_C2 indicators. Date: Feb 20, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-22T05:05:35.370000",
          "created": "2026-02-20T05:47:10.246000",
          "tags": [
            "botnet_c2"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 355,
            "domain": 261,
            "URL": 298
          },
          "indicator_count": 914,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "28 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699762f427fe02bf824192ca",
          "name": "Botnet_C2 | Feb 20, 2026 | Part 1/2",
          "description": "Botnet_C2 indicators. Date: Feb 20, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-21T19:09:28.611000",
          "created": "2026-02-19T19:22:28.453000",
          "tags": [
            "botnet_c2"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 342,
            "domain": 252,
            "URL": 299
          },
          "indicator_count": 893,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "28 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699723c55f6e92db33521fe5",
          "name": "Botnet_C2 | Feb 20, 2026 | Part 1/2",
          "description": "Botnet_C2 indicators. Date: Feb 20, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-21T14:01:42.464000",
          "created": "2026-02-19T14:52:53.642000",
          "tags": [
            "botnet_c2"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 253,
            "hostname": 335,
            "URL": 299
          },
          "indicator_count": 887,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "29 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6997049690cb8412e84a63f0",
          "name": "Botnet_C2 | Feb 19, 2026 | Part 1/2",
          "description": "Botnet_C2 indicators. Date: Feb 19, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-21T12:15:40.099000",
          "created": "2026-02-19T12:39:50.752000",
          "tags": [
            "botnet_c2"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 245,
            "hostname": 334,
            "URL": 300
          },
          "indicator_count": 879,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "29 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6996eec8a83ff76c8fe7dc9e",
          "name": "ThreatFix_domain_262",
          "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.",
          "modified": "2026-03-21T11:34:25.575000",
          "created": "2026-02-19T11:06:48.676000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Qilin",
              "display_name": "Qilin",
              "target": null
            },
            {
              "id": "RansomHub",
              "display_name": "RansomHub",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "zlepos384",
            "id": "103244",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 12,
            "URL": 3,
            "domain": 2634,
            "hostname": 1822
          },
          "indicator_count": 4471,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 33,
          "modified_text": "29 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6996ef256528000ea157373e",
          "name": "ThreatFix_URL_262",
          "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.",
          "modified": "2026-03-21T11:34:25.575000",
          "created": "2026-02-19T11:08:21.110000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Qilin",
              "display_name": "Qilin",
              "target": null
            },
            {
              "id": "RansomHub",
              "display_name": "RansomHub",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "zlepos384",
            "id": "103244",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 10,
            "FileHash-SHA256": 1,
            "URL": 1197,
            "domain": 314,
            "hostname": 284
          },
          "indicator_count": 1806,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 34,
          "modified_text": "29 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6996f6a8caa9224f1592f010",
          "name": "(Don't) TrustConnect: It's a RAT in an RMM hat | Proofpoint US",
          "description": "",
          "modified": "2026-03-21T11:34:25.575000",
          "created": "2026-02-19T11:40:24.512000",
          "tags": [
            "et malware",
            "trustconnect",
            "cnc activity",
            "proofpoint",
            "january",
            "maas",
            "february",
            "clientsetup",
            "urls",
            "screenconnect",
            "malware",
            "telegram",
            "redline",
            "redline stealer",
            "bitcoin",
            "exescript",
            "police",
            "lumma stealer",
            "rhadamanthys",
            "example"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 3,
            "URL": 7,
            "domain": 10,
            "hostname": 2
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 846,
          "modified_text": "29 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69962e6338bcfc329ffecba6",
          "name": "Botnet_C2 | Feb 19, 2026 | Part 1/2",
          "description": "Botnet_C2 indicators. Date: Feb 19, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-20T21:04:33.994000",
          "created": "2026-02-18T21:25:55.254000",
          "tags": [
            "botnet_c2"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 345,
            "URL": 303,
            "domain": 254
          },
          "indicator_count": 902,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "29 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69956f84af1f40702ddc40f2",
          "name": "Botnet_C2 | Feb 18, 2026 | Part 1/2",
          "description": "Botnet_C2 indicators. Date: Feb 18, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-20T07:00:55.583000",
          "created": "2026-02-18T07:51:32.433000",
          "tags": [
            "botnet_c2",
            "threatfox",
            "feodo-tracker"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 365,
            "domain": 339,
            "URL": 283
          },
          "indicator_count": 987,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6995562720907e73e033ebd3",
          "name": "Botnet_C2 | Feb 18, 2026 | Part 1/2",
          "description": "Botnet_C2 indicators. Date: Feb 18, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-20T06:24:49.670000",
          "created": "2026-02-18T06:03:19.513000",
          "tags": [
            "botnet_c2",
            "threatfox",
            "feodo-tracker"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 283,
            "domain": 348,
            "hostname": 368
          },
          "indicator_count": 999,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6994c6fc3957a115ed922718",
          "name": "Botnet_C2 | Feb 18, 2026 | Part 1/2",
          "description": "Botnet_C2 indicators. Date: Feb 18, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-19T19:10:46.453000",
          "created": "2026-02-17T19:52:28.589000",
          "tags": [
            "botnet_c2",
            "feodo-tracker",
            "threatfox"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 369,
            "URL": 281,
            "domain": 401
          },
          "indicator_count": 1051,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699494361595c7157e0fc3c3",
          "name": "Botnet_C2 | Feb 18, 2026 | Part 1/2",
          "description": "Botnet_C2 indicators. Date: Feb 18, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-19T16:05:49.959000",
          "created": "2026-02-17T16:15:50.980000",
          "tags": [
            "botnet_c2",
            "threatfox",
            "feodo-tracker"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 377,
            "URL": 288,
            "domain": 421
          },
          "indicator_count": 1086,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69929252f87c124d769e3e67",
          "name": "Botnet_C2 | Feb 16, 2026 | Part 1/3",
          "description": "Botnet_C2 indicators. Date: Feb 16, 2026. Part 1/3. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-18T03:31:01.532000",
          "created": "2026-02-16T03:43:14.436000",
          "tags": [
            "botnet_c2",
            "threatfox",
            "feodo-tracker"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 260,
            "domain": 491,
            "hostname": 444
          },
          "indicator_count": 1195,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "32 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6991f4c3481006b4187bbe62",
          "name": "Oz Batch: 50 IOCs (avg BDE: 85)",
          "description": "**Pulse Description:**\n\nThis pulse identifies a collection of 50 indicators associated with various C2 frameworks including ClearFake, Unknown RAT, Lumma Stealer, SystemBC, XWorm, AsyncRAT, Havoc, and DeimosC2. These indicators span multiple types including domain, IP, SHA256, and MD5 hashes, with an average BDE Score of 85. While specific country origins are not listed, the presence of these frameworks is often linked to regions known for cyber threats, such as China or Russia. Security teams are advised to monitor for these indicators and implement appropriate defenses against the referenced techniques that align with MITRE ATT&CK tactics.\n\nBDE (Big Data analytics Energy) Score: 85, Detection Timestamp: [insert timestamp].",
          "modified": "2026-03-17T16:25:13.009000",
          "created": "2026-02-15T16:30:59.389000",
          "tags": [
            "DugganUSA",
            "auto-generated"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 17,
            "domain": 5,
            "FileHash-SHA256": 3,
            "FileHash-MD5": 3
          },
          "indicator_count": 28,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "33 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6991ec299051bcdc0f24ce42",
          "name": "Oz Batch: 50 IOCs (avg BDE: 85)",
          "description": "**OTX Pulse Description: Cobalt Strike Infrastructure**\n\nThis pulse identifies 50 indicators associated with Cobalt Strike, a well-known adversary toolkit. The infrastructure encompasses multiple C2 frameworks, including Sliver, DCRat, Meterpreter, ClearFake, and Lumma Stealer, with an average BDE (Big Data analytics Energy) Score of 85. Given the sophistication of these tools, security teams should prioritize monitoring for related IPs and domains, especially in environments frequently targeted by Cobalt Strike operations.\n\nDetection Timestamp: [insert timestamp]",
          "modified": "2026-03-17T15:04:24.472000",
          "created": "2026-02-15T15:54:17.722000",
          "tags": [
            "DugganUSA",
            "auto-generated",
            "apt",
            "cobalt"
          ],
          "references": [],
          "public": 1,
          "adversary": "Cobalt",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 11,
            "domain": 4
          },
          "indicator_count": 15,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "33 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6991c29c8806f1ab54813777",
          "name": "Oz Batch: 50 IOCs (avg BDE: 85)",
          "description": "**Pulse Description:**\n\nThis pulse identifies 50 indicators of compromise (IOCs), including MD5, SHA256 hashes, and IPs associated with various malware families such as Sality, XWorm, and DarkVision RAT. The lack of geographical indicators suggests a diverse threat landscape, possibly utilizing compromised infrastructure across multiple regions. Notably, the average BDE (Big Data analytics Energy) Score for these IOCs is 85, indicating a high level of threat. \n\nSecurity teams should investigate any traffic related to these IOCs and monitor for techniques aligned with MITRE ATT&CK frameworks, particularly concerning Command and Control (C2) activities. Detection timestamp: [Insert Timestamp].",
          "modified": "2026-03-17T12:07:10.418000",
          "created": "2026-02-15T12:57:00.685000",
          "tags": [
            "DugganUSA",
            "auto-generated"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA256": 6,
            "hostname": 4,
            "domain": 14
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "33 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699152fed1ee73f46925f677",
          "name": "Botnet_C2 | Feb 15, 2026 | Part 1/3",
          "description": "Botnet_C2 indicators. Date: Feb 15, 2026. Part 1/3. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-17T05:06:16.895000",
          "created": "2026-02-15T05:00:46.858000",
          "tags": [
            "botnet_c2",
            "feodo-tracker",
            "threatfox"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 441,
            "URL": 225,
            "domain": 658
          },
          "indicator_count": 1324,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "33 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698fdbd6164bb19521902cb2",
          "name": "OSINT Volley 2026-02-14 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(92), ClearFake(64), Unknown Stealer(62), XWorm(42). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 27 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-16T02:10:51.177000",
          "created": "2026-02-14T02:20:06.521000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "Unknown Stealer",
              "display_name": "Unknown Stealer",
              "target": null
            },
            {
              "id": "XWorm",
              "display_name": "XWorm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 103,
            "domain": 22,
            "URL": 5
          },
          "indicator_count": 130,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 170,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698fe2de8a58e61fe26d6c55",
          "name": "OSINT Volley 2026-02-14 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(92), ClearFake(64), Unknown Stealer(62), XWorm(42). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 27 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-16T02:10:51.177000",
          "created": "2026-02-14T02:50:06.700000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "Unknown Stealer",
              "display_name": "Unknown Stealer",
              "target": null
            },
            {
              "id": "XWorm",
              "display_name": "XWorm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 103,
            "domain": 22,
            "URL": 5
          },
          "indicator_count": 130,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 170,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698fcdc4ad6dfe933f739897",
          "name": "OSINT Volley 2026-02-14 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(92), ClearFake(64), Unknown Stealer(62), XWorm(42). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 27 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-16T01:04:15.912000",
          "created": "2026-02-14T01:20:04.059000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "Unknown Stealer",
              "display_name": "Unknown Stealer",
              "target": null
            },
            {
              "id": "XWorm",
              "display_name": "XWorm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 104,
            "domain": 22,
            "URL": 5
          },
          "indicator_count": 131,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 170,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698fd4cedcdabb3df4f8009c",
          "name": "OSINT Volley 2026-02-14 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(92), ClearFake(64), Unknown Stealer(62), XWorm(42). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 27 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-16T01:04:15.912000",
          "created": "2026-02-14T01:50:06.592000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "Unknown Stealer",
              "display_name": "Unknown Stealer",
              "target": null
            },
            {
              "id": "XWorm",
              "display_name": "XWorm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 103,
            "domain": 22,
            "URL": 5
          },
          "indicator_count": 130,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 170,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698fc6bf37ea6467eeaed27a",
          "name": "OSINT Volley 2026-02-14 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(92), ClearFake(62), Unknown Stealer(62), XWorm(40). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 27 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-16T00:40:34.618000",
          "created": "2026-02-14T00:50:07.336000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "Unknown Stealer",
              "display_name": "Unknown Stealer",
              "target": null
            },
            {
              "id": "XWorm",
              "display_name": "XWorm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 105,
            "domain": 22,
            "URL": 5
          },
          "indicator_count": 132,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 170,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698fb1a80f7a4f2552b7f3ba",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(92), ClearFake(63), Unknown Stealer(62), AsyncRAT(40). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 27 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T23:10:19.041000",
          "created": "2026-02-13T23:20:08.853000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "Unknown Stealer",
              "display_name": "Unknown Stealer",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 116,
            "domain": 22,
            "URL": 5
          },
          "indicator_count": 143,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698fb8accc2161878f2bd975",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(92), ClearFake(63), Unknown Stealer(62), AsyncRAT(40). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 27 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T23:10:19.041000",
          "created": "2026-02-13T23:50:04.377000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "Unknown Stealer",
              "display_name": "Unknown Stealer",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 116,
            "domain": 22,
            "URL": 5
          },
          "indicator_count": 143,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698fa393905c5d529089abc9",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(91), ClearFake(65), Unknown Stealer(62), AsyncRAT(39). Source: abuse.ch ThreatFox API. SSL enriched: 68 IPs with HTTPS, 27 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T22:22:47.920000",
          "created": "2026-02-13T22:20:03.349000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "Unknown Stealer",
              "display_name": "Unknown Stealer",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 122,
            "domain": 22,
            "URL": 5
          },
          "indicator_count": 149,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698faa9d67bf6e59590c8509",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(92), ClearFake(64), Unknown Stealer(62), Remcos(40). Source: abuse.ch ThreatFox API. SSL enriched: 68 IPs with HTTPS, 27 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T22:22:47.920000",
          "created": "2026-02-13T22:50:05.180000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "Unknown Stealer",
              "display_name": "Unknown Stealer",
              "target": null
            },
            {
              "id": "Remcos",
              "display_name": "Remcos",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 120,
            "domain": 22,
            "URL": 5
          },
          "indicator_count": 147,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f9582d1f2587e90d42c86",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(88), ClearFake(62), Unknown Stealer(62), AsyncRAT(39). Source: abuse.ch ThreatFox API. SSL enriched: 68 IPs with HTTPS, 27 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T21:03:52.096000",
          "created": "2026-02-13T21:20:02.427000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "Unknown Stealer",
              "display_name": "Unknown Stealer",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 126,
            "domain": 21,
            "URL": 5
          },
          "indicator_count": 152,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f9c8e9bb2bc66d4e5313b",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(89), ClearFake(65), Unknown Stealer(62), AsyncRAT(39). Source: abuse.ch ThreatFox API. SSL enriched: 68 IPs with HTTPS, 27 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T21:03:52.096000",
          "created": "2026-02-13T21:50:06.421000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "Unknown Stealer",
              "display_name": "Unknown Stealer",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 22,
            "hostname": 125,
            "URL": 5
          },
          "indicator_count": 152,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f8e81cd33aa0857b6e1fe",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/Unknown Stealer",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(89), Unknown Stealer(62), ClearFake(60), AsyncRAT(44). Source: abuse.ch ThreatFox API. SSL enriched: 65 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T20:14:37.972000",
          "created": "2026-02-13T20:50:09.966000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "unknown-stealer",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "Unknown Stealer",
              "display_name": "Unknown Stealer",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 131,
            "domain": 21,
            "URL": 5
          },
          "indicator_count": 157,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f7964c923667195c1a511",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(87), ClearFake(56), AsyncRAT(44), Sliver(36). Source: abuse.ch ThreatFox API. SSL enriched: 64 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T19:00:45.126000",
          "created": "2026-02-13T19:20:04.644000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 89,
            "URL": 70,
            "domain": 3
          },
          "indicator_count": 162,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f6a54078f337bc2eb0dea",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(84), ClearFake(53), AsyncRAT(44), Sliver(39). Source: abuse.ch ThreatFox API. SSL enriched: 63 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T18:49:49.095000",
          "created": "2026-02-13T18:15:48.080000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 85,
            "URL": 70,
            "domain": 26
          },
          "indicator_count": 181,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f6afb3eece35f961e8d1d",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(84), ClearFake(53), AsyncRAT(44), Sliver(39). Source: abuse.ch ThreatFox API. SSL enriched: 62 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T18:49:49.095000",
          "created": "2026-02-13T18:18:35.505000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 85,
            "URL": 70,
            "domain": 26
          },
          "indicator_count": 181,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f6b5255bebcbfe2a5ef21",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(84), ClearFake(53), AsyncRAT(44), Sliver(39). Source: abuse.ch ThreatFox API. SSL enriched: 62 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T18:49:49.095000",
          "created": "2026-02-13T18:20:02.167000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 85,
            "URL": 70,
            "domain": 26
          },
          "indicator_count": 181,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f6bbd675701364a1b9c83",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(84), ClearFake(53), AsyncRAT(44), Sliver(39). Source: abuse.ch ThreatFox API. SSL enriched: 63 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T18:49:49.095000",
          "created": "2026-02-13T18:21:49.551000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 85,
            "URL": 70,
            "domain": 25
          },
          "indicator_count": 180,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f6c7570f11d7d684aa496",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(85), ClearFake(53), AsyncRAT(44), Sliver(39). Source: abuse.ch ThreatFox API. SSL enriched: 62 IPs with HTTPS, 24 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T18:49:49.095000",
          "created": "2026-02-13T18:24:53.234000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 86,
            "URL": 70,
            "domain": 24
          },
          "indicator_count": 180,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f6e79c205d6ec068aa0f8",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(85), ClearFake(53), AsyncRAT(44), Sliver(39). Source: abuse.ch ThreatFox API. SSL enriched: 63 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T18:49:49.095000",
          "created": "2026-02-13T18:33:29.888000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 86,
            "URL": 70,
            "domain": 24
          },
          "indicator_count": 180,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f739f182d709b894b67d5",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(86), ClearFake(53), AsyncRAT(44), Sliver(37). Source: abuse.ch ThreatFox API. SSL enriched: 65 IPs with HTTPS, 26 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T18:49:49.095000",
          "created": "2026-02-13T18:55:27.307000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 85,
            "URL": 70,
            "domain": 14
          },
          "indicator_count": 169,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f59697c0537d6b99b64c5",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(87), ClearFake(51), AsyncRAT(40), Sliver(39). Source: abuse.ch ThreatFox API. SSL enriched: 60 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T17:18:12.090000",
          "created": "2026-02-13T17:03:37.522000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 28,
            "URL": 67,
            "hostname": 81
          },
          "indicator_count": 176,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f5a6523c572bfa4547445",
          "name": "Oz Batch: 11 IOCs (avg BDE: 85)",
          "description": "**OTX Pulse Description:**\n\nThis pulse identifies 11 indicators associated with malicious activities involving Coinminer, Sality, DarkVision RAT, and an unknown RAT. The average BDE (Big Data Analytics Energy) score is 85, indicating a significant threat level. Security teams should monitor network traffic for these IOCs and apply detection rules based on MITRE ATT&CK techniques related to remote access and cryptocurrency mining.\n\n**BDE Score: 85**  \n**Detection Timestamp: [insert timestamp here]**",
          "modified": "2026-03-15T17:18:12.090000",
          "created": "2026-02-13T17:07:49.887000",
          "tags": [
            "DugganUSA",
            "auto-generated"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3,
            "FileHash-MD5": 3,
            "domain": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f5d428898b901ac2481a2",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(87), ClearFake(52), AsyncRAT(40), Sliver(39). Source: abuse.ch ThreatFox API. SSL enriched: 62 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T17:18:12.090000",
          "created": "2026-02-13T17:20:02.261000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 70,
            "hostname": 80,
            "domain": 28
          },
          "indicator_count": 178,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f5f71c7d1e3465622ae2d",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(86), ClearFake(52), AsyncRAT(40), Sliver(39). Source: abuse.ch ThreatFox API. SSL enriched: 63 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T17:18:12.090000",
          "created": "2026-02-13T17:29:21.579000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 70,
            "hostname": 80,
            "domain": 28
          },
          "indicator_count": 178,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f620660e67a8232fc7ce0",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(85), ClearFake(51), AsyncRAT(40), Sliver(39). Source: abuse.ch ThreatFox API. SSL enriched: 63 IPs with HTTPS, 24 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T17:18:12.090000",
          "created": "2026-02-13T17:40:22.262000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 70,
            "hostname": 80,
            "domain": 28
          },
          "indicator_count": 178,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f64496d59d18caae27f43",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(85), ClearFake(50), AsyncRAT(40), Sliver(39). Source: abuse.ch ThreatFox API. SSL enriched: 63 IPs with HTTPS, 24 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T17:18:12.090000",
          "created": "2026-02-13T17:50:01.740000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 80,
            "URL": 70,
            "domain": 28
          },
          "indicator_count": 178,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f646df22bc7b2b1e1fb46",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(85), ClearFake(50), AsyncRAT(40), Sliver(39). Source: abuse.ch ThreatFox API. SSL enriched: 62 IPs with HTTPS, 23 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T17:18:12.090000",
          "created": "2026-02-13T17:50:37.868000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 80,
            "URL": 70,
            "domain": 28
          },
          "indicator_count": 178,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698f6482f93f70197b77feca",
          "name": "OSINT Volley 2026-02-13 - Formbook/Unknown malware/ClearFake",
          "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(289), Unknown malware(85), ClearFake(50), AsyncRAT(40), Sliver(39). Source: abuse.ch ThreatFox API. SSL enriched: 62 IPs with HTTPS, 23 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.",
          "modified": "2026-03-15T17:18:12.090000",
          "created": "2026-02-13T17:50:58.216000",
          "tags": [
            "osint-volley",
            "threatfox",
            "automated",
            "formbook",
            "unknown-malware",
            "clearfake",
            "c2-infrastructure"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
            "https://threatfox.abuse.ch"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Unknown malware",
              "display_name": "Unknown malware",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 80,
            "URL": 70,
            "domain": 28
          },
          "indicator_count": 178,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699fc0513ab49ceb22c6d96b",
          "name": "TCS IOC",
          "description": "",
          "modified": "2026-02-26T03:38:57.799000",
          "created": "2026-02-26T03:38:57.799000",
          "tags": [
            "https",
            "f https",
            "msgtype1",
            "http",
            "apiv2init"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "myerioc72",
            "id": "364999",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 22,
            "URL": 249,
            "FileHash-MD5": 242,
            "FileHash-SHA1": 337,
            "FileHash-SHA256": 322,
            "domain": 811,
            "hostname": 124
          },
          "indicator_count": 2107,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "52 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6990aa1f93c096395cb0abaf",
          "name": "PreCog Sweep - 2026-02-14 17h",
          "description": "Novel threat indicators detected by PreCog Sweep Engine",
          "modified": "2026-02-14T17:00:15.598000",
          "created": "2026-02-14T17:00:15.598000",
          "tags": [
            "precog",
            "automated",
            "novel-ioc",
            "c2",
            "malware"
          ],
          "references": [
            "https://analytics.dugganusa.com/api/v1/stix/master",
            "https://github.com/pduggusa/dugganusa-research"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 250,
            "URL": 20,
            "domain": 79
          },
          "indicator_count": 349,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 170,
          "modified_text": "64 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://threatfox.abuse.ch",
        "https://github.com/pduggusa/dugganusa-research",
        "IOCs.2026.csv",
        "https://ltna.com.au/cyber",
        "https://analytics.dugganusa.com/api/v1/stix/master",
        "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
        "https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Contagious Interview Campaign, Triton fork campaign, CRESCENTHARVEST, MIMICRAT, Operation Olalampo",
            "Cobalt"
          ],
          "malware_families": [
            "Asyncrat",
            "Unknown malware",
            "Formbook",
            "Clearfake",
            "Unknown stealer",
            "Sliver",
            "Xworm",
            "Ransomhub",
            "Remcos",
            "Qilin"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 50,
  "pulses": [
    {
      "id": "69c081afa2bd54a9599b7c07",
      "name": "PhishDestroy \u2014 Active Phishing & Crypto Scam Domains",
      "description": "Real-time feed of phishing, crypto drainer, and scam domains detected by PhishDestroy (phishdestroy.io). Updated hourly. 108K+ domains tracked, 55K+ currently active. Source: github.com/phishdestroy/destroylist",
      "modified": "2026-04-19T17:00:03.563000",
      "created": "2026-03-22T23:56:29.438000",
      "tags": [
        "phishing",
        "crypto",
        "scam",
        "drainer",
        "fraud",
        "blocklist",
        "phishdestroy"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "phishdestroy",
        "id": "348394",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 81541,
        "hostname": 49545
      },
      "indicator_count": 131086,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 58,
      "modified_text": "28 minutes ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a046863c1c92107079f81b",
      "name": "EbeeFeb2026 Pt5",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-03-31T06:00:59.128000",
      "created": "2026-02-26T13:11:34.763000",
      "tags": [
        "filehashsha1",
        "filehashsha256",
        "filehashmd5"
      ],
      "references": [
        "IOCs.2026.csv"
      ],
      "public": 1,
      "adversary": "Contagious Interview Campaign, Triton fork campaign, CRESCENTHARVEST, MIMICRAT, Operation Olalampo",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 78,
        "FileHash-MD5": 191,
        "FileHash-SHA1": 220,
        "FileHash-SHA256": 192,
        "CVE": 2,
        "URL": 58,
        "domain": 220
      },
      "indicator_count": 961,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "19 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "699d46339248d1d41b93c8af",
      "name": "IOC - (Don't) TrustConnect: It's a RAT in an RMM hat",
      "description": "RMM tools continue to be many attackers\u2019 top choice for initial access. Such enterprise remote support software like SimpleHelp, SuperOps, Datto, N-able and others are frequently delivered via email campaigns by cybercrime actors or used as follow-on payloads once an actor achieves initial access. (As always, the legitimate RMM tools mentioned in this report are just that \u2014 legitimate. It\u2019s the threat actors doing the abusing. We call out brand names strictly to explain what the actors misused, not because the vendors themselves had any hand in the activity.)",
      "modified": "2026-03-26T07:07:30.239000",
      "created": "2026-02-24T06:33:23.522000",
      "tags": [
        "february",
        "january",
        "payload staging",
        "domain",
        "payload url",
        "first seen",
        "c2 domain",
        "c2 ip",
        "payload",
        "docconnect c2"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3,
        "URL": 6,
        "domain": 10,
        "hostname": 1
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 120,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6997f55e26fbbb0ae347e1ec",
      "name": "Botnet_C2 | Feb 20, 2026 | Part 1/2",
      "description": "Botnet_C2 indicators. Date: Feb 20, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-22T05:05:35.370000",
      "created": "2026-02-20T05:47:10.246000",
      "tags": [
        "botnet_c2"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 355,
        "domain": 261,
        "URL": 298
      },
      "indicator_count": 914,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "28 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "699762f427fe02bf824192ca",
      "name": "Botnet_C2 | Feb 20, 2026 | Part 1/2",
      "description": "Botnet_C2 indicators. Date: Feb 20, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-21T19:09:28.611000",
      "created": "2026-02-19T19:22:28.453000",
      "tags": [
        "botnet_c2"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 342,
        "domain": 252,
        "URL": 299
      },
      "indicator_count": 893,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "28 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "699723c55f6e92db33521fe5",
      "name": "Botnet_C2 | Feb 20, 2026 | Part 1/2",
      "description": "Botnet_C2 indicators. Date: Feb 20, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-21T14:01:42.464000",
      "created": "2026-02-19T14:52:53.642000",
      "tags": [
        "botnet_c2"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 253,
        "hostname": 335,
        "URL": 299
      },
      "indicator_count": 887,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "29 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6997049690cb8412e84a63f0",
      "name": "Botnet_C2 | Feb 19, 2026 | Part 1/2",
      "description": "Botnet_C2 indicators. Date: Feb 19, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-21T12:15:40.099000",
      "created": "2026-02-19T12:39:50.752000",
      "tags": [
        "botnet_c2"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 245,
        "hostname": 334,
        "URL": 300
      },
      "indicator_count": 879,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "29 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6996eec8a83ff76c8fe7dc9e",
      "name": "ThreatFix_domain_262",
      "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.",
      "modified": "2026-03-21T11:34:25.575000",
      "created": "2026-02-19T11:06:48.676000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Qilin",
          "display_name": "Qilin",
          "target": null
        },
        {
          "id": "RansomHub",
          "display_name": "RansomHub",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "zlepos384",
        "id": "103244",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 12,
        "URL": 3,
        "domain": 2634,
        "hostname": 1822
      },
      "indicator_count": 4471,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 33,
      "modified_text": "29 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6996ef256528000ea157373e",
      "name": "ThreatFix_URL_262",
      "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.",
      "modified": "2026-03-21T11:34:25.575000",
      "created": "2026-02-19T11:08:21.110000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Qilin",
          "display_name": "Qilin",
          "target": null
        },
        {
          "id": "RansomHub",
          "display_name": "RansomHub",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "zlepos384",
        "id": "103244",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 10,
        "FileHash-SHA256": 1,
        "URL": 1197,
        "domain": 314,
        "hostname": 284
      },
      "indicator_count": 1806,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 34,
      "modified_text": "29 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6996f6a8caa9224f1592f010",
      "name": "(Don't) TrustConnect: It's a RAT in an RMM hat | Proofpoint US",
      "description": "",
      "modified": "2026-03-21T11:34:25.575000",
      "created": "2026-02-19T11:40:24.512000",
      "tags": [
        "et malware",
        "trustconnect",
        "cnc activity",
        "proofpoint",
        "january",
        "maas",
        "february",
        "clientsetup",
        "urls",
        "screenconnect",
        "malware",
        "telegram",
        "redline",
        "redline stealer",
        "bitcoin",
        "exescript",
        "police",
        "lumma stealer",
        "rhadamanthys",
        "example"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 3,
        "URL": 7,
        "domain": 10,
        "hostname": 2
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 846,
      "modified_text": "29 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "trustconnectsoftware.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "trustconnectsoftware.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776619724.2885997
}