{
  "type": "Domain",
  "indicator": "trycloudflare.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/trycloudflare.com",
    "alexa": "http://www.alexa.com/siteinfo/trycloudflare.com",
    "indicator": "trycloudflare.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3509158408,
      "indicator": "trycloudflare.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 50,
      "pulses": [
        {
          "id": "628dff37032808c7c9e014dc",
          "name": "Sauron - Malware Domain Feed V2",
          "description": "Command and Control domains for Sauron. These domains are extracted from a number of sources, and are suspicious.",
          "modified": "2026-04-17T06:25:54.995000",
          "created": "2022-05-25T10:04:39.623000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 156457,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "otxrobottwo",
            "id": "78495",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 48998,
            "domain": 83143
          },
          "indicator_count": 132141,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1550,
          "modified_text": "2 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5fa1852d337eca8e99c2ec32",
          "name": "Malware - Malware Domain Feed V2 - November 03 2020",
          "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.",
          "modified": "2026-04-17T03:00:09.717000",
          "created": "2020-11-03T16:28:29.011000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 508971,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "otxrobottwo",
            "id": "78495",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 48210,
            "domain": 72684
          },
          "indicator_count": 120894,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1699,
          "modified_text": "2 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ddd6a040a811274d437512",
          "name": "IOC - Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT",
          "description": "Elastic Security Labs has identified a novel, AI-assisted Windows remote access trojan (RAT) that targets individuals in the financial and cryptocurrency sectors via social engineering and the use of a popular note-taking application, Obsidian.",
          "modified": "2026-04-14T05:54:40.501000",
          "created": "2026-04-14T05:54:40.501000",
          "tags": [
            "phantompulse",
            "c2 resolution",
            "shell commands",
            "c2 url",
            "obsidian",
            "phantompull",
            "stage",
            "windows",
            "c2 rotation",
            "security labs",
            "telegram",
            "hider",
            "execution",
            "loader",
            "shell",
            "date",
            "capture",
            "obfuscated applescript",
            "applescript"
          ],
          "references": [
            "https://www.elastic.co/security-labs/phantom-in-the-vault"
          ],
          "public": 1,
          "adversary": "Telegram",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "PHANTOMPULSE",
              "display_name": "PHANTOMPULSE",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Obfuscated AppleScript",
              "display_name": "Obfuscated AppleScript",
              "target": null
            },
            {
              "id": "AppleScript",
              "display_name": "AppleScript",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            }
          ],
          "industries": [
            "Financial",
            "Cryptocurrency",
            "Social Engineering"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 4,
            "IPv4": 1,
            "URL": 6,
            "YARA": 2,
            "domain": 4,
            "hostname": 3
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 120,
          "modified_text": "5 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d73f806377e1786da61411",
          "name": "EbeeApril2026 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-04-09T05:56:16.764000",
          "created": "2026-04-09T05:56:16.764000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1"
          ],
          "references": [
            "Book1.csv"
          ],
          "public": 1,
          "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 96,
            "URL": 77,
            "FileHash-MD5": 180,
            "FileHash-SHA1": 136,
            "FileHash-SHA256": 280,
            "CVE": 2,
            "domain": 162,
            "hostname": 56
          },
          "indicator_count": 989,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "10 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4d7305d42226674ea57e8",
          "name": "SERPENTINE#CLOUD returns: ClickFix lure drops five RATs",
          "description": "The recent cyber threat activity associated with SERPENTINE#CLOUD has been identified once again, with the attack completing successfully five weeks post-remediation. This resurgence employs ClickFix social engineering tactics, utilizing ephemeral Cloudflare tunnels to deliver multiple Remote Access Trojans (RATs) targeting the same organization. Notably, the attack was caught at an early stage by Huntress, preventing the payload from executing.",
          "modified": "2026-04-07T10:06:40.709000",
          "created": "2026-04-07T10:06:40.709000",
          "tags": [
            "asyncrat",
            "purehvnc",
            "delivery",
            "userprofile",
            "network type",
            "value context",
            "xwormviolet v5",
            "brc4 c2",
            "venomrat",
            "purehvncbrc4 c2",
            "webdav"
          ],
          "references": [
            "https://www.derp.ca/research/serpentine-cloud-clickfix-return/"
          ],
          "public": 1,
          "adversary": "Serpentine_cloud",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1055.004",
              "name": "Asynchronous Procedure Call",
              "display_name": "T1055.004 - Asynchronous Procedure Call"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 2,
            "hostname": 8,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 12,
            "URL": 4,
            "domain": 1
          },
          "indicator_count": 37,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 172,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d0b5ca43b7553d276ae526",
          "name": "Inside TeamPCP\u2019s Shell\u00a0Arsenal: THE RAVEN FILE",
          "description": "A detailed analysis of the Shells used by TeamPCP to carry out a massive Supply Chain Attack on GitHub, in which more than 10,000 GitHub projects were compromised.",
          "modified": "2026-04-04T06:55:45.692000",
          "created": "2026-04-04T06:55:06.402000",
          "tags": [
            "strong",
            "shell",
            "teampcp",
            "delivery",
            "python",
            "payload",
            "role",
            "incident",
            "shells",
            "march",
            "loader",
            "core",
            "cleanup",
            "attack",
            "path",
            "stealer",
            "twitter",
            "facebook",
            "inside",
            "execution",
            "persistence",
            "minimal",
            "prop",
            "openssl",
            "stealth",
            "worm",
            "cloud",
            "crypto",
            "bruteforce",
            "adaptixc2",
            "havoc",
            "malware",
            "multiverze",
            "trojan",
            "write",
            "fileless",
            "kubernetes",
            "credential",
            "canisterworm"
          ],
          "references": [
            "https://theravenfile.com/2026/04/02/inside-teampcps-shell-arsenal/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Fileless",
              "display_name": "Fileless",
              "target": null
            },
            {
              "id": "TeamPCP",
              "display_name": "TeamPCP",
              "target": null
            },
            {
              "id": "Kubernetes",
              "display_name": "Kubernetes",
              "target": null
            },
            {
              "id": "Credential",
              "display_name": "Credential",
              "target": null
            },
            {
              "id": "CanisterWorm",
              "display_name": "CanisterWorm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1195.002",
              "name": "Compromise Software Supply Chain",
              "display_name": "T1195.002 - Compromise Software Supply Chain"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Bheeshmar",
            "id": "55168",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_55168/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 6,
            "FileHash-MD5": 23,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 3,
            "domain": 5,
            "hostname": 8
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 82,
          "modified_text": "15 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cd4a1d9132694a02d2fd1f",
          "name": "EbeeMar2026 Pt7",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-04-01T16:38:53.145000",
          "created": "2026-04-01T16:38:53.145000",
          "tags": [],
          "references": [
            "IOCs.2026.pdf"
          ],
          "public": 1,
          "adversary": "Silver Fox, Powercat, BRUSHWORM and BRUSHLOGGER, Blank Grabber, Infiniti Stealer",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 62,
            "FileHash-MD5": 123,
            "FileHash-SHA1": 96,
            "FileHash-SHA256": 173,
            "CVE": 14,
            "URL": 33,
            "domain": 108,
            "hostname": 62
          },
          "indicator_count": 671,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 36,
          "modified_text": "18 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a2fd1bd2c2d02eb498cbad",
          "name": "d9559b5cab00f2be979bf584a007244d6e0f908af04b350e48a4f83087ebef34 exe host",
          "description": "",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-28T14:35:07.831000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 170,
            "hostname": 158,
            "FileHash-SHA1": 3,
            "FileHash-MD5": 2,
            "domain": 8,
            "URL": 160,
            "email": 1
          },
          "indicator_count": 502,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "18 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c66ca127fae55a435d937e",
          "name": "InterLock: full tooling teardown of a ransomware operation",
          "description": "InterLock is a double-extortion ransomware operation recognized for its tactic of exfiltrating data before encryption and utilizing a Tor-based leak site alongside deployment across various operating systems, including FreeBSD/ESXi and Windows. The operation has been active since at least October 2024. Recent details pertain to an analysis of 15 samples, highlighting its toolkit, which includes four ScreenConnect MSI installers, a versatile WebSocket backdoor referred to as NodeSnake, a credential harvester, and several ransomware binaries. This sophisticated operation primarily targets sectors like healthcare, education, government, and enterprises in multiple countries.",
          "modified": "2026-03-27T11:40:17.169000",
          "created": "2026-03-27T11:40:17.169000",
          "tags": [
            "reverse-engineering",
            "ransomware",
            "interlock",
            "encryption",
            "malware",
            "nodesnake",
            "java",
            "prng",
            "jar c2",
            "javascript",
            "nodesnake pe",
            "elf variant",
            "jar c2js",
            "c2js",
            "websocket",
            "crypter",
            "powershell",
            "february",
            "encrypt",
            "null",
            "shell",
            "windows pe",
            "threatfox",
            "interlock windows",
            "pe",
            "elf",
            "windows"
          ],
          "references": [
            "https://www.derp.ca/research/interlock-tooling-teardown/"
          ],
          "public": 1,
          "adversary": "InterLock",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1055.003",
              "name": "Thread Execution Hijacking",
              "display_name": "T1055.003 - Thread Execution Hijacking"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1070.001",
              "name": "Clear Windows Event Logs",
              "display_name": "T1070.001 - Clear Windows Event Logs"
            }
          ],
          "industries": [
            "Healthcare",
            "Education",
            "Government"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 5,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 19,
            "URL": 1,
            "domain": 4,
            "hostname": 17
          },
          "indicator_count": 66,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 172,
          "modified_text": "23 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a6d11b6c260277822cd7e8",
          "name": "Hackers Abuse Windows File Explorer and WebDAV for Stealthy Malware Delivery",
          "description": "Cybercriminals are increasingly abusing a legacy feature in Windows File Explorer to distribute malware, according to a report by the Cofense Intelligence Team and its European Research and Security Research Unit (ERS).",
          "modified": "2026-03-03T12:16:27.141000",
          "created": "2026-03-03T12:16:27.141000",
          "tags": [
            "file explorer",
            "windows file",
            "webdav",
            "explorer",
            "windows",
            "rats",
            "explorer webdav",
            "cybercriminals",
            "kahng",
            "team",
            "powershell",
            "xworm"
          ],
          "references": [
            "https://cybersecuritynews.com/hackers-abuse-windows-file-explorer-and-webdav/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "XWorm",
              "display_name": "XWorm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "hostname": 8
          },
          "indicator_count": 9,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 846,
          "modified_text": "47 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a19edee95c13d614242e26",
          "name": "Abusing Windows File Explorer and WebDAV for Malware Delivery",
          "description": "",
          "modified": "2026-02-27T13:40:46.874000",
          "created": "2026-02-27T13:40:46.874000",
          "tags": [
            "webdav",
            "file explorer",
            "webdav server",
            "windows file",
            "explorer",
            "url shortcut",
            "atrs",
            "windows unc",
            "platform",
            "new era",
            "february",
            "rats",
            "demo",
            "dcrat",
            "powershell",
            "winscp",
            "accept"
          ],
          "references": [
            "https://cofense.com/blog/abusing-windows-file-explorer-and-webdav-for-malware-delivery"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4,
            "domain": 1,
            "hostname": 12
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 845,
          "modified_text": "51 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "696660d40f7ab02ea87f5b32",
          "name": "Campa\u00f1a Multi-Etapa de AsyncRAT 13012026",
          "description": "AsyncRAT has emerged as a notable Remote Access Trojan (RAT) used by threat actors for its robust capabilities and ease of deployment. It gained favor for its extensive feature set, which includes keylogging, screen capturing, and remote command execution capabilities. Its modular architecture, typically implemented in Python, provides flexibility and ease of customization, making it a preferred tool for cybercriminals.",
          "modified": "2026-02-12T14:01:38.116000",
          "created": "2026-01-13T15:12:20.181000",
          "tags": [
            "username",
            "python",
            "asyncrat",
            "figure",
            "pdf file",
            "startup folder",
            "cloudflare",
            "windows script",
            "trend vision",
            "webdav server",
            "powershell",
            "webdav",
            "download",
            "trojan",
            "next",
            "donut"
          ],
          "references": [
            "https://darfe.es/ciberwiki/index.php?title=Campa%C3%B1a_Multi-Etapa_de_AsyncRAT",
            "https://www.virustotal.com/graph/embed/g2321fa4b9d974f1bbdace8c9ba8fc310acc7286cf4aa4d978a9aa9e3129e4784?theme=light"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "AsyncRAT - S1087",
              "display_name": "AsyncRAT - S1087",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "FileHash-MD5": 1,
            "URL": 8,
            "hostname": 5
          },
          "indicator_count": 15,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 266,
          "modified_text": "66 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69705a9a77a47c528558c8ef",
          "name": "malwarebad.txt",
          "description": "",
          "modified": "2026-01-21T04:48:26.770000",
          "created": "2026-01-21T04:48:26.770000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "5fa1852d337eca8e99c2ec32",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "RussianMob",
            "id": "378536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 48106,
            "domain": 72668
          },
          "indicator_count": 120774,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 23,
          "modified_text": "88 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69705a66c4042524a1ef26a8",
          "name": "malwarebad.txt",
          "description": "",
          "modified": "2026-01-21T04:47:34.615000",
          "created": "2026-01-21T04:47:34.615000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "5fa1852d337eca8e99c2ec32",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "RussianMob",
            "id": "378536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 48106,
            "domain": 72668
          },
          "indicator_count": 120774,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 17,
          "modified_text": "88 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69705a57b1aa54d1ca1e9777",
          "name": "malwarebad.txt",
          "description": "",
          "modified": "2026-01-21T04:47:19.388000",
          "created": "2026-01-21T04:47:19.388000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "5fa1852d337eca8e99c2ec32",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "RussianMob",
            "id": "378536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 48106,
            "domain": 72668
          },
          "indicator_count": 120774,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 17,
          "modified_text": "88 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69705a330e5bb8fbd2e958ff",
          "name": "malwarebad.txt",
          "description": "",
          "modified": "2026-01-21T04:46:43.394000",
          "created": "2026-01-21T04:46:43.394000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "5fa1852d337eca8e99c2ec32",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "RussianMob",
            "id": "378536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 48106,
            "domain": 72668
          },
          "indicator_count": 120774,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 17,
          "modified_text": "88 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69705a308ae683c590bcbe71",
          "name": "malwarebad.txt",
          "description": "",
          "modified": "2026-01-21T04:46:40.973000",
          "created": "2026-01-21T04:46:40.973000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "5fa1852d337eca8e99c2ec32",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "RussianMob",
            "id": "378536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 48106,
            "domain": 72668
          },
          "indicator_count": 120774,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 17,
          "modified_text": "88 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69705a3056e76df0e220c4d2",
          "name": "malwarebad.txt",
          "description": "",
          "modified": "2026-01-21T04:46:40.172000",
          "created": "2026-01-21T04:46:40.172000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "5fa1852d337eca8e99c2ec32",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "RussianMob",
            "id": "378536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 48106,
            "domain": 72668
          },
          "indicator_count": 120774,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 17,
          "modified_text": "88 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6942731f63638a064b026d3f",
          "name": "React2Shell Exploits Enable Instant Remote Code Execution via React Server Components",
          "description": "A critical vulnerability in the React Server Components ecosystem, known as React2Shell (CVE-2025-55182), is being actively exploited to take full control of servers. This flaw carries the maximum severity score and enables remote code execution without requiring any authentication.",
          "modified": "2026-01-16T08:00:40.654000",
          "created": "2025-12-17T09:08:47.494000",
          "tags": [
            "defender",
            "react server",
            "endpoint",
            "cve202555182",
            "components",
            "cloud",
            "internet",
            "react",
            "suspicious",
            "timestamp",
            "possible",
            "patch",
            "hacktool",
            "trojan",
            "asim",
            "cobalt strike",
            "rats",
            "vshell",
            "shadowpad",
            "xmrig",
            "encodedcommand",
            "template",
            "powershell",
            "twitter",
            "bluesky"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "CVE": 2,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 32,
            "URL": 18,
            "hostname": 6
          },
          "indicator_count": 98,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 55,
          "modified_text": "93 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a23a01f165c894110693b6",
          "name": "Threat Actor Profile: Interlock Ransomware.",
          "description": "Interlock (aka Nefarious Mantis) is an opportunistic ransomware operator first observed September 2024 and active across North America and Europe through 2025, targeting education, healthcare, technology, government, and other sectors. Law enforcement advisories (CISA/FBI) in mid-2025 noted upgrades to Interlock tooling, including encryptors for both Windows and Linux and capability to encrypt virtual machines.",
          "modified": "2025-09-16T20:00:00.565000",
          "created": "2025-08-17T20:22:25.228000",
          "tags": [
            "arctic wolf",
            "command",
            "control",
            "interlock",
            "interlock rat",
            "initial access",
            "redacted",
            "clickfix",
            "cisa",
            "windows",
            "august",
            "rhysida",
            "wolf",
            "june",
            "powershell",
            "rats",
            "april",
            "twitter",
            "lumma stealer",
            "asyncrat",
            "danabot",
            "darkgate",
            "cobalt strike",
            "systembc",
            "defense",
            "mantis",
            "mexico",
            "later",
            "loader",
            "ransom",
            "contact",
            "internal",
            "media",
            "download",
            "open"
          ],
          "references": [
            "https://arcticwolf.com/resources/blog/threat-actor-profile-interlock-ransomware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1218.011",
              "name": "Rundll32",
              "display_name": "T1218.011 - Rundll32"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2,
            "CVE": 2,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 14,
            "FileHash-SHA256": 11,
            "URL": 1
          },
          "indicator_count": 41,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 174,
          "modified_text": "215 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b11dfd1aa3f207e76ae32b",
          "name": "Phishing Kits Uncovered: Methods and Tactics Used to Evade SEGs, Sandboxes, and Analysts.",
          "description": "Threat actors have adopted increasingly sophisticated tactics to evade detection in email phishing campaigns, employing various methods to disguise malware and credential phishing links. A prevalent technique involves embedding customized content in emails, utilizing legitimate file-sharing platforms, abusing open redirects, and incorporating QR codes to lead victims to phishing pages without drawing attention.\n\nTo evade scrutiny, these actors often leverage legitimate web services to host links to their malicious content instead of hosting malware directly. They typically embed these links into recognized sites like DocuSign, Google Docs, and Canva, as such sites can bypass detection by security email gateways (SEGs) that focus on reputable domains. Additionally, they commonly use open redirects from well-known platforms like Google and YouTube, which do not scan the final redirect URLs, further obscuring their phishing attempts.",
          "modified": "2025-08-29T03:26:53.702000",
          "created": "2025-08-29T03:26:53.702000",
          "tags": [
            "segs",
            "ttps",
            "cofense",
            "useragent",
            "captcha",
            "threat actors",
            "urls",
            "pdfs",
            "qr code",
            "clickfix",
            "mispadu"
          ],
          "references": [
            "https://cofense.com/blog/phishing-kits-uncovered-methods-and-tactics-used-to-evade-segs%2C-sandboxes%2C-and-analysts"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Mispadu",
              "display_name": "Mispadu",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "FileHash-MD5": 1,
            "hostname": 8
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "233 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68753d99261be4836907ae3a",
          "name": "KongTuke FileFix Leads to New Interlock RAT Variant",
          "description": "Researchers from The DFIR Report, collaborating with Proofpoint, have uncovered a resilient PHP-based variant of the Interlock ransomware group\u2019s remote access trojan (RAT), marking a significant evolution from the previously documented JavaScript-driven NodeSnake.",
          "modified": "2025-08-13T17:04:52.966000",
          "created": "2025-07-14T17:25:45.551000",
          "tags": [
            "interlock rat",
            "opens",
            "php variant",
            "powershell",
            "dfir report",
            "proofpoint",
            "windows",
            "command",
            "sigma",
            "yara",
            "verify",
            "june",
            "facebook"
          ],
          "references": [
            "https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "URL": 1,
            "domain": 1,
            "hostname": 7
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 213,
          "modified_text": "249 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6874f92fc3ec1d0172f8971f",
          "name": "KongTuke FileFix Leads to New Interlock RAT Variant &#8211; The DFIR Report",
          "description": "",
          "modified": "2025-08-13T12:00:04.593000",
          "created": "2025-07-14T12:33:51.648000",
          "tags": [
            "interlock rat",
            "opens",
            "php variant",
            "powershell",
            "dfir report",
            "proofpoint",
            "windows",
            "command",
            "sigma",
            "yara",
            "verify",
            "june",
            "facebook"
          ],
          "references": [
            "https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "URL": 1,
            "domain": 1,
            "hostname": 7
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 847,
          "modified_text": "249 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6874f929dcca1affd00c04d9",
          "name": "KongTuke FileFix Leads to New Interlock RAT Variant &#8211; The DFIR Report",
          "description": "",
          "modified": "2025-08-13T12:00:04.593000",
          "created": "2025-07-14T12:33:45.528000",
          "tags": [
            "interlock rat",
            "opens",
            "php variant",
            "powershell",
            "dfir report",
            "proofpoint",
            "windows",
            "command",
            "sigma",
            "yara",
            "verify",
            "june",
            "facebook"
          ],
          "references": [
            "https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "URL": 1,
            "domain": 1,
            "hostname": 7
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 847,
          "modified_text": "249 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "676493c5607a603f1785a935",
          "name": "https://ginko.garden/pl/contact tel:+48 797 920 339  ip4 77.79.221.180   77.79.221.148",
          "description": "Pasywna replikacja DNS: \n77.79.221.180  \nSugerowany opis:\nPe\u0142ny tekst Ginko.Garden - Nowoczesne dekoracje i pergole metalowe - wedi dweud eu glass - metaloplastyka.\nSugerowane identyfikatory ATT&CK:\nOgr\u00f3d - Nowoczesne dekoracje z metalu do ogrodu - bi\u017cuteria ogrodowa i dekoracje szklane - pergole metalowe - metaloplastyka Meta Tagi s\u0142owa kluczowe Nowoczesne dekoracje z metalu do ogrodu - pergole metalowe - Ginko.\n77.79.221.148  \n46.41.159.227  \n46.41.159.177",
          "modified": "2025-07-28T11:51:42.400000",
          "created": "2024-12-19T21:44:37.537000",
          "tags": [
            "copyright",
            "customevent",
            "typeof e",
            "boomerang",
            "typeof t",
            "macintosh",
            "os x",
            "post",
            "typeof",
            "iframe",
            "date",
            "nazwa rekordu",
            "aaaaa",
            "na wniosek",
            "bezpieczestwo",
            "serwer",
            "przerwa",
            "informacja o",
            "prace",
            "nazwa",
            "hasze",
            "adresy url",
            "nazwa http",
            "configoverride",
            "continuity",
            "pageparam s",
            "iframedelay",
            "autoxhr",
            "historia",
            "nazwa https",
            "uytkownik",
            "zenbox",
            "komunikacja",
            "pliki",
            "rozmiar",
            "kb data",
            "wykrycia nie",
            "mitre",
            "ids nie",
            "sigmy nie",
            "submission",
            "sha256",
            "ssdeep",
            "file type",
            "html internet",
            "magic html",
            "unicode text",
            "utf8 text",
            "trid hypertext",
            "markup language"
          ],
          "references": [
            "https://s.go-mpulse.net/boomerang/XZ4AH-ABKPW-SQPBC-CYWES-BCG6V",
            "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778",
            "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1334,
            "hostname": 454,
            "domain": 346,
            "IPv6": 2,
            "IPv4": 36,
            "FileHash-SHA256": 1499,
            "FileHash-MD5": 92,
            "FileHash-SHA1": 74,
            "CVE": 1,
            "email": 1
          },
          "indicator_count": 3839,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "265 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "685980e374c1e9323ce4d100",
          "name": "Mocha Manakin delivers custom NodeJS backdoor via paste and run.",
          "description": "The Mocha Manakin activity, which started being tracked in January 2025, employs a technique known as \"paste and run\" to gain initial access to systems. This method tricks users into executing a PowerShell script that downloads additional malicious payloads from adversary-controlled infrastructure. It has been linked with various payloads such as LummaC2, HijackLoader, and Vidar. Mocha Manakin is characterized by its use of a custom NodeJS backdoor named NodeInitRAT, which enables the adversary to maintain persistence on the compromised system and conduct reconnaissance operations.",
          "modified": "2025-07-23T16:02:18.975000",
          "created": "2025-06-23T16:29:23.062000",
          "tags": [
            "mocha manakin",
            "nodeinitrat",
            "manakin",
            "january",
            "clickfix",
            "lummac2",
            "hijackloader",
            "vidar",
            "http",
            "cloudflare",
            "august"
          ],
          "references": [
            "https://redcanary.com/blog/threat-intelligence/mocha-manakin-nodejs-backdoor/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "URL": 26,
            "hostname": 13
          },
          "indicator_count": 40,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "270 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684150f8ab8fe1229def2bea",
          "name": "Analysis of the APT-C-53 (Gamaredon) organization's attack operations.",
          "description": "APT-C-53, also known as Gamaredon, is an advanced persistent threat (APT) group that has been operational since 2013, primarily targeting government and military sectors to acquire intelligence. Recent activities indicate that Gamaredon is not diminishing despite ongoing disclosures of its methodologies by security vendors; rather, it appears to be escalating its attacks. The group predominantly utilizes malicious VBS scripts characterized by heavy obfuscation techniques, including code fragmentation and Base64 encoding, to enhance its evasion tactics. A notable aspect of its strategy involves using military-related themes in social engineering attempts, which helps lower the vigilance of potential victims and increases the likelihood of successful malware execution.",
          "modified": "2025-07-05T08:00:58.306000",
          "created": "2025-06-05T08:10:32.633000",
          "tags": [
            "public",
            "temp",
            "appdata",
            "windowsresponby",
            "gamaredon",
            "windowsdetect",
            "windowstelegra",
            "https",
            "aptc53gamaredon",
            "ocwstwz5hzufor",
            "cookie"
          ],
          "references": [
            "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247506191&idx=1&sn=89db49b84b7462bbf8731dbcc787e8c4&chksm=f9c1ea06ceb6631006eec73a1129db88dcbce705fd5bbfefe4eba48b5d4db5ed5017e34c9669&scene=178&cur_album_id=1955835290309230595&search_click_id=&poc_token=HGZOQWijOCtBLbeOZNmKXb_11l0WZ77aAMufwFqO"
          ],
          "public": 1,
          "adversary": "APT-C-53",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "",
              "display_name": "",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036.002",
              "name": "Right-to-Left Override",
              "display_name": "T1036.002 - Right-to-Left Override"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1074.001",
              "name": "Local Data Staging",
              "display_name": "T1074.001 - Local Data Staging"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5,
            "FileHash-MD5": 1,
            "URL": 48,
            "hostname": 36
          },
          "indicator_count": 90,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 170,
          "modified_text": "288 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6826bf619b047fa047aedf29",
          "name": "China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures",
          "description": "",
          "modified": "2025-06-13T17:02:19.882000",
          "created": "2025-05-16T04:30:25.827000",
          "tags": [
            "sap netweaver",
            "unc5174",
            "vshell",
            "clsta0048",
            "webshell",
            "snowlight",
            "cve202531324",
            "sliver",
            "azure ad",
            "sta-0048",
            "apt",
            "china-nexus",
            "krustyloader"
          ],
          "references": [
            "https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures"
          ],
          "public": 1,
          "adversary": "China-Nexus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "KrustyLoader",
              "display_name": "KrustyLoader",
              "target": null
            },
            {
              "id": "SNOWLIGHT",
              "display_name": "SNOWLIGHT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Critical Infrastructure"
          ],
          "TLP": "white",
          "cloned_from": "6824ce5f2a19922c64e259ed",
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2,
            "CVE": 10,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 15,
            "URL": 3,
            "hostname": 1
          },
          "indicator_count": 39,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 264,
          "modified_text": "310 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6825846637a467872cdf202b",
          "name": "IOC&TTP - China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures",
          "description": "2025 \u5e74 4 \u6708\uff0c\u591a\u4e2a\u4e0e\u4e2d\u56fd\u6709\u5173\u8054\u7684\u56fd\u5bb6\u7ea7 APT \u7ec4\u7ec7\uff08UNC5221\u3001UNC5174\u3001CL-STA-0048 \u7b49\uff09\u5bf9\u5168\u7403\u5173\u952e\u57fa\u7840\u8bbe\u65bd\u5c55\u5f00\u9ad8\u6e29\uff08high-tempo\uff09\u653b\u51fb\uff0c\u6ee5\u7528 SAP NetWeaver Visual Composer \u672a\u7ecf\u8ba4\u8bc1\u7684\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e CVE-2025-31324\u3002\n\u653b\u51fb\u8005\u9996\u5148\u901a\u8fc7\u4e92\u8054\u7f51\u5927\u89c4\u6a21\u626b\u63cf\u66b4\u9732\u7684 NetWeaver \u5b9e\u4f8b\u5e76\u6210\u529f\u4e0a\u4f20 WebShell\uff08coreasp.js \u4e0e forwardsap.jsp\uff09\uff0c\u968f\u540e\u5728\u53d7\u5bb3\u7f51\u7edc\u4e2d\u6267\u884c\u8fdc\u7a0b\u547d\u4ee4\u3001\u63a8\u9001\u4e8c\u9636\u6bb5\u8f7d\u8377\uff08Rust \u7f16\u5199\u7684 KrustyLoader \u2192 Sliver\uff0c\u4ee5\u53ca SNOWLIGHT \u2192 VShell/GOREVERSE\uff09\u5e76\u6301\u7eed\u63a7\u5236\u3002\u88ab\u5165\u4fb5\u7684\u76ee\u6807\u6db5\u76d6\u82f1\u56fd\u5929\u7136\u6c14\u4e0e\u6c34\u52a1\u3001\u7f8e\u56fd\u9ad8\u7aef\u533b\u7597\u8bbe\u5907\u5236\u9020\u3001\u6c99\u7279\u653f\u5e9c\u91d1\u878d\u90e8\u95e8\u7b49\u5173\u952e\u884c\u4e1a\u3002",
          "modified": "2025-06-13T17:02:19.882000",
          "created": "2025-05-15T06:06:30.394000",
          "tags": [
            "sap netweaver",
            "unc5174",
            "vshell",
            "clsta0048",
            "webshell",
            "snowlight",
            "cve202531324",
            "sliver",
            "azure ad",
            "sta-0048",
            "apt",
            "china-nexus",
            "krustyloader"
          ],
          "references": [
            "https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures"
          ],
          "public": 1,
          "adversary": "China-Nexus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "KrustyLoader",
              "display_name": "KrustyLoader",
              "target": null
            },
            {
              "id": "SNOWLIGHT",
              "display_name": "SNOWLIGHT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Critical Infrastructure"
          ],
          "TLP": "white",
          "cloned_from": "6824ce5f2a19922c64e259ed",
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2,
            "CVE": 10,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 15,
            "URL": 3,
            "hostname": 1
          },
          "indicator_count": 39,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 120,
          "modified_text": "310 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "682497150a564a6c77dc70a7",
          "name": "China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures",
          "description": "",
          "modified": "2025-06-13T13:00:49.961000",
          "created": "2025-05-14T13:13:57.769000",
          "tags": [
            "sap netweaver",
            "unc5174",
            "eclecticiq",
            "krustyloader",
            "vshell",
            "clsta0048",
            "webshell",
            "snowlight",
            "apts",
            "cve202531324",
            "april",
            "trojan",
            "service",
            "format",
            "persistence",
            "sliver",
            "path"
          ],
          "references": [
            "https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "URL": 5,
            "CVE": 10,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 15,
            "hostname": 2
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 848,
          "modified_text": "310 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68241f8569400eac8085bfa4",
          "name": "CEC Juniper Community",
          "description": "A report from EclecticIQ on a China-Nexus nation-state cyber-espionage campaign against SAP NetWeaver reveals details of Chinese-speaking attackers' operations and how they target high-value networks.",
          "modified": "2025-06-13T04:00:58.344000",
          "created": "2025-05-14T04:43:49.515000",
          "tags": [
            "cec juniper",
            "sorry",
            "css error",
            "refresh",
            "sap netweaver",
            "unc5174",
            "eclecticiq",
            "krustyloader",
            "vshell",
            "clsta0048",
            "webshell",
            "snowlight",
            "apts",
            "cve202531324",
            "april",
            "trojan",
            "service",
            "format",
            "persistence",
            "sliver",
            "path",
            "azure ad",
            "threat",
            "sta-0048"
          ],
          "references": [
            "https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures"
          ],
          "public": 1,
          "adversary": "Azure AD",
          "targeted_countries": [
            "China"
          ],
          "malware_families": [
            {
              "id": "STA-0048",
              "display_name": "STA-0048",
              "target": null
            },
            {
              "id": "KrustyLoader",
              "display_name": "KrustyLoader",
              "target": null
            },
            {
              "id": "VShell",
              "display_name": "VShell",
              "target": null
            },
            {
              "id": "Vshell",
              "display_name": "Vshell",
              "target": null
            },
            {
              "id": "Threat",
              "display_name": "Threat",
              "target": null
            },
            {
              "id": "SNOWLIGHT",
              "display_name": "SNOWLIGHT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Critical Infrastructure"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChrisTan0",
            "id": "262536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "URL": 5,
            "CVE": 10,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 15,
            "hostname": 2
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "310 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "683b2878b997cc1bfc7e9857",
          "name": "APT41's \"ToughProgress\" Malware Abuses Google Calendar for C2 Evasion",
          "description": "This pulse details APT41's (Winnti Group) new \"ToughProgress\" malware, which weaponizes Google Calendar for stealthy command-and-control (C2) communications. Key highlights from SOCRadar's analysis:\nLegitimacy Abuse: Uses Google Calendar events to hide malicious commands in seemingly benign public calendar entries.\nMulti-Stage Execution: Delivers PowerShell scripts to fetch encrypted payloads, bypassing traditional network defences.\nPersistence Mechanisms: Establishes footholds via scheduled tasks, registry modifications, and DLL sideloading.\nTargeted Evasion: Avoids sandboxes and leverages trusted cloud services to evade detection.\nIOCs Provided: Includes malware hashes, C2 domains, and behavioural patterns for hunting.",
          "modified": "2025-05-31T16:04:08.616000",
          "created": "2025-05-31T16:04:08.616000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "Winnti Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ToughProgress",
              "display_name": "ToughProgress",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 4,
            "hostname": 23,
            "domain": 2,
            "URL": 41
          },
          "indicator_count": 77,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 172,
          "modified_text": "323 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6808503cd734d446e0dde152",
          "name": "Gamaredon's PteroLNK: Dead Drop Resolvers and Evasive Infrastructure",
          "description": "HarfangLab's latest analysis reveals the sophisticated tactics of the Gamaredon APT group, focusing on their use of PteroLNK malware. This malware employs VBScript and dead drop resolvers for command and control, targeting Ukrainian entities. The report highlights the group's continuous updates to their infrastructure, indicating active operations and persistent threats.",
          "modified": "2025-05-23T02:00:56.614000",
          "created": "2025-04-23T02:28:12.084000",
          "tags": [
            "gamaredon",
            "lnk dropper",
            "c2 address",
            "c2 registry",
            "ukraine",
            "downloader",
            "dropper"
          ],
          "references": [
            "https://harfanglab.io/insidethelab/gamaredons-pterolnk-analysis/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Russian Federation",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Pterodo",
              "display_name": "Pterodo",
              "target": null
            },
            {
              "id": "LNK",
              "display_name": "LNK",
              "target": null
            },
            {
              "id": "Gamaredon",
              "display_name": "Gamaredon",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [
            "Military",
            "Government",
            "Critical Infrastructure"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 7,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 11,
            "URL": 2,
            "YARA": 2,
            "hostname": 52
          },
          "indicator_count": 80,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 170,
          "modified_text": "331 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6800cd88a905c048a110ef0f",
          "name": "Interlock ransomware evolving under the radar - Sekoia.io Blog",
          "description": "Interlock ransomware is a multi-stage cyber-attack that targets victims who are not aware of the threat, according to a report by Sekoia Threat Detection & Research (TDR) and its researchers.",
          "modified": "2025-05-17T09:05:14.615000",
          "created": "2025-04-17T09:44:40.591000",
          "tags": [
            "interlock",
            "cluster",
            "powershell",
            "february",
            "january",
            "windows",
            "october",
            "september",
            "detection",
            "clickfix",
            "ransom",
            "clop",
            "ransomhub",
            "akira",
            "babuk",
            "lynx",
            "qilin",
            "later",
            "anydesk",
            "contact",
            "media",
            "anomaly",
            "linux",
            "rhysida",
            "remote access"
          ],
          "references": [
            "https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/"
          ],
          "public": 1,
          "adversary": "Interlock",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Akira",
              "display_name": "Akira",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "Rhysida",
              "display_name": "Rhysida",
              "target": null
            },
            {
              "id": "Remote Access",
              "display_name": "Remote Access",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Interlock",
              "display_name": "Interlock",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "murgif105",
            "id": "292958",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 9,
            "FileHash-MD5": 69,
            "FileHash-SHA1": 69,
            "FileHash-SHA256": 70,
            "URL": 27,
            "YARA": 5,
            "hostname": 35
          },
          "indicator_count": 284,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 21,
          "modified_text": "337 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ee01b5cfc17772e4c0bc4f",
          "name": "Impact of Lotus Blossom APT on Exploitative Activities",
          "description": "",
          "modified": "2025-04-03T03:34:13.437000",
          "created": "2025-04-03T03:34:13.437000",
          "tags": [
            "trycloudflare"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1
          },
          "indicator_count": 1,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 485,
          "modified_text": "381 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e8a750857921b5c9738b8b",
          "name": "Impact of Lotus Blossom APT on Exploitative Activities",
          "description": "",
          "modified": "2025-03-30T02:07:12.930000",
          "created": "2025-03-30T02:07:12.930000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1
          },
          "indicator_count": 1,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 485,
          "modified_text": "385 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ae7b5ea29bf3309033be99",
          "name": "How ransomware abuses BitLocker | Securelist",
          "description": "Security firm Kaspersky has identified malware that uses the Windows operating system's BitLocker feature to steal data from users' hard drives and other electronic devices and demand a ransom for their release.",
          "modified": "2025-02-13T23:08:14.623000",
          "created": "2025-02-13T23:08:14.623000",
          "tags": [
            "bitlocker",
            "data encryption",
            "incident response",
            "malware",
            "malware descriptions",
            "malware technologies",
            "microsoft windows",
            "ransomware",
            "createobject",
            "powershell",
            "disk",
            "windows",
            "ififlen",
            "drivetype",
            "post",
            "windows server",
            "vbs script",
            "mexico",
            "indonesia",
            "format",
            "proton",
            "careto",
            "cookieplus"
          ],
          "references": [
            "https://securelist.com/ransomware-abuses-bitlocker/112643/"
          ],
          "public": 1,
          "adversary": "Careto",
          "targeted_countries": [
            "Mexico",
            "Indonesia",
            "Jordan"
          ],
          "malware_families": [
            {
              "id": "CookiePlus",
              "display_name": "CookiePlus",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Armature_TIP",
            "id": "308911",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "FileHash-MD5": 1,
            "URL": 3
          },
          "indicator_count": 5,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 42,
          "modified_text": "430 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "675358fcebe53e25cb2ff403",
          "name": "BlueAlpha Exploits Cloudflare Tunnels for Stealthy GammaDrop Deployments and Persistent C2",
          "description": "A cyber espionage campaign targeting Ukrainian individuals and organizations has been linked to BlueAlpha, a Russian state-sponsored group. BlueAlpha uses spearphishing emails with HTML smuggling attachments to deliver GammaDrop and GammaLoad malware. The group has recently begun using Cloudflare Tunnels to conceal its GammaDrop staging infrastructure, making it difficult for traditional network security measures to detect.",
          "modified": "2025-01-06T23:11:01.995000",
          "created": "2024-12-06T20:05:16.079000",
          "tags": [
            "bluealpha",
            "html",
            "gammaload",
            "service",
            "html smuggling",
            "cloudflare",
            "gammadrop",
            "gamaredon",
            "shuckworm",
            "hive0051",
            "future"
          ],
          "references": [
            "https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "FileHash-SHA256": 3,
            "hostname": 16,
            "URL": 63
          },
          "indicator_count": 83,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 213,
          "modified_text": "468 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6752fbd8e087b66605552a77",
          "name": "BlueAlpha Leverages Cloudflare Tunnels for GammaDrop Infrastructure",
          "description": "A report from the Insikt Group on the threat posed by BlueAlpha, a Russian state-sponsored cyber threat group, reveals how the group uses Cloudflare Tunnels to conceal its staging infrastructure.",
          "modified": "2025-01-06T23:11:01.995000",
          "created": "2024-12-06T13:27:52.549000",
          "tags": [
            "bluealpha",
            "html",
            "gammaload",
            "service",
            "html smuggling",
            "cloudflare",
            "gammadrop",
            "gamaredon",
            "shuckworm",
            "hive0051",
            "future",
            "vbscript",
            "trycloudflare"
          ],
          "references": [
            "https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "VBScript",
              "display_name": "VBScript",
              "target": null
            },
            {
              "id": "GammaLoad",
              "display_name": "GammaLoad",
              "target": null
            },
            {
              "id": "GammaDrop",
              "display_name": "GammaDrop",
              "target": null
            },
            {
              "id": "TryCloudflare",
              "display_name": "TryCloudflare",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "FileHash-SHA256": 3,
            "hostname": 7
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 847,
          "modified_text": "468 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d3a207bc1222dd721843f7",
          "name": "Espionage Malware Campaign Uses Google Sheets for C2, Targets Global Organizations",
          "description": "Cybersecurity researchers have uncovered a sophisticated malware campaign targeting organizations worldwide. The attackers, impersonating tax authorities, lure victims with fraudulent emails containing malicious links. Once clicked, these links deliver a malicious payload that installs a backdoor known as \"Voldemort.\"",
          "modified": "2024-09-30T23:00:03.475000",
          "created": "2024-08-31T23:06:47.276000",
          "tags": [
            "google sheet",
            "voldemort",
            "proofpoint",
            "cobalt strike",
            "webdav share",
            "uuid",
            "google sheets",
            "august",
            "google drive",
            "python code",
            "webdav",
            "python",
            "service",
            "click",
            "powershell",
            "test",
            "webex",
            "rats",
            "format",
            "explorer",
            "malware",
            "stub",
            "code",
            "win64",
            "defense"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
          ],
          "public": 1,
          "adversary": "Voldemort",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Voldemort",
              "display_name": "Voldemort",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [
            "Government",
            "Higher Education",
            "Insurance",
            "Aerospace",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5,
            "FileHash-SHA256": 5,
            "URL": 17,
            "email": 1,
            "hostname": 7
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 213,
          "modified_text": "566 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d1da211c4544ddf765b650",
          "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US",
          "description": "Find out more about Proofpoint and how to protect your people, data and business from the latest threats, trends and issues in the cybersecurity industry, in a comprehensive guide to the company's products and services.",
          "modified": "2024-09-29T14:01:21.291000",
          "created": "2024-08-30T14:41:37.271000",
          "tags": [
            "google sheet",
            "voldemort",
            "proofpoint",
            "cobalt strike",
            "webdav share",
            "uuid",
            "google sheets",
            "august",
            "google drive",
            "python code",
            "webdav",
            "python",
            "service",
            "click",
            "powershell",
            "test",
            "webex",
            "rats",
            "format",
            "explorer",
            "malware",
            "stub",
            "code",
            "win64",
            "defense"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
          ],
          "public": 1,
          "adversary": "Voldemort",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Voldemort",
              "display_name": "Voldemort",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [
            "Government",
            "Higher Education",
            "Insurance",
            "Aerospace",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AustinBH",
            "id": "147442",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 6,
            "FileHash-SHA256": 5,
            "URL": 18,
            "email": 1,
            "hostname": 8
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 59,
          "modified_text": "567 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d1a13302f788b415166f87",
          "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US",
          "description": "Find out more about Proofpoint and how to protect your people, data and business from the latest threats, trends and issues in the cybersecurity industry, in a comprehensive guide to the company's products and services.",
          "modified": "2024-09-29T10:02:29.978000",
          "created": "2024-08-30T10:38:43.741000",
          "tags": [
            "google sheet",
            "voldemort",
            "proofpoint",
            "cobalt strike",
            "webdav share",
            "uuid",
            "google sheets",
            "august",
            "google drive",
            "python code",
            "webdav",
            "python",
            "service",
            "click",
            "powershell",
            "test",
            "webex",
            "rats",
            "format",
            "explorer",
            "malware",
            "stub",
            "code",
            "win64",
            "defense"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
          ],
          "public": 1,
          "adversary": "Voldemort",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Voldemort",
              "display_name": "Voldemort",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [
            "Government",
            "Higher Education",
            "Insurance",
            "Aerospace",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5,
            "FileHash-SHA256": 5,
            "URL": 18,
            "email": 1,
            "hostname": 8
          },
          "indicator_count": 37,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 847,
          "modified_text": "567 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d1151123006ec958ef3efb",
          "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US",
          "description": "",
          "modified": "2024-09-29T00:02:28.450000",
          "created": "2024-08-30T00:40:49.647000",
          "tags": [
            "google sheet",
            "voldemort",
            "proofpoint",
            "cobalt strike",
            "webdav share",
            "uuid",
            "google sheets",
            "august",
            "google drive",
            "python code",
            "webdav",
            "python",
            "service",
            "click",
            "powershell",
            "test",
            "webex",
            "rats",
            "format",
            "explorer",
            "malware",
            "stub",
            "code",
            "win64",
            "defense"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChrisTan0",
            "id": "262536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5,
            "FileHash-SHA256": 5,
            "URL": 17,
            "email": 1,
            "hostname": 7
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "567 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66deccd737aaade7e3dc5f61",
          "name": "Gamaredon\u2019s Spear-Phishing Assault On Ukraine\u2019s Military - Cyble",
          "description": "Find out more about Cyble, the artificial intelligence-driven cybersecurity platform, and how to find the best ways to protect yourself from cybercriminals and other cyber threats (The Cyber Express).",
          "modified": "2024-09-09T10:24:23.790000",
          "created": "2024-09-09T10:24:23.790000",
          "tags": [
            "gamaredon",
            "trycloudflare",
            "javascript code",
            "javascript",
            "lnk file",
            "xhtml",
            "ukraine",
            "gamaredon apt",
            "xhtml file",
            "cyble research",
            "python",
            "armageddon",
            "august",
            "xworm"
          ],
          "references": [
            "https://cyble.com/blog/gamaredons-spear-phishing-assault-on-ukraines-military/"
          ],
          "public": 1,
          "adversary": "Gamaredon",
          "targeted_countries": [
            "Ukraine",
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "XWORM",
              "display_name": "XWORM",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [
            "Military",
            "Healthcare",
            "Pharmaceuticals",
            "Financial Services",
            "Retail",
            "Technology",
            "Defence",
            "Government",
            "Critical Infrastructure"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Sand-Storm",
            "id": "94093",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_94093/resized/80/avatar_281f69b768.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "CVE": 5,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 83,
            "URL": 38,
            "hostname": 18
          },
          "indicator_count": 153,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 414,
          "modified_text": "587 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d5744caea6d1d3374bde63",
          "name": "Hackers abuse free TryCloudflare to deliver remote access malware",
          "description": "A round-up of security tips and links from around the world, as well as some of the best examples of how to remove malware from the dark web and find new ways to get rid of malware.",
          "modified": "2024-09-02T08:16:12.367000",
          "created": "2024-09-02T08:16:12.367000",
          "tags": [
            "cloudflare",
            "proofpoint",
            "rats",
            "trycloudflare",
            "urls",
            "february",
            "asyncrat",
            "guloader",
            "venomrat",
            "remcos rat",
            "xworm",
            "powershell",
            "python",
            "remcos",
            "lnk",
            "linux"
          ],
          "references": [
            "https://www.bleepingcomputer.com/news/security/hackers-abuse-free-trycloudflare-to-deliver-remote-access-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Remcos",
              "display_name": "Remcos",
              "target": null
            },
            {
              "id": "LNK",
              "display_name": "LNK",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [
            "Finance",
            "Manufacturing",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "URL": 1
          },
          "indicator_count": 2,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 845,
          "modified_text": "594 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ad12e85e89f7862dd5436d",
          "name": "How Phishing Emails Use TryCloudflare to Spread RATs",
          "description": "Proofpoint is tracking phishing campaigns that use a TryCloudflare subdomain to deliver various remote access trojans (RATs). First observed in February 2024, the cluster escalated its activity in May through July. Later campaigns delivered AsyncRAT and Xworm RAT, while previous campaigns also delivered VenomRAT, GuLoader, and Remcos. \n\nWhile the attack chain requires significant victim interaction, which provides multiple opportunities to identify suspicious activity, TryCloudflare provides attackers with free temporary infrastructure that doesn't require the attacker to make an account, giving them the flexibility to build and take down instances. This temporary infrastructure makes it harder for defenders, as traditional security measures and static blocklists are ineffective.",
          "modified": "2024-09-01T17:02:12.379000",
          "created": "2024-08-02T17:10:00.279000",
          "tags": [],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Remcos",
              "display_name": "Remcos",
              "target": null
            },
            {
              "id": "VenomRAT",
              "display_name": "VenomRAT",
              "target": null
            },
            {
              "id": "Xworm",
              "display_name": "Xworm",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "GuLoader",
              "display_name": "GuLoader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [
            "Manufacturing",
            "Professional, Scientific, and Technical Services",
            "Finance and Insurance",
            "Information"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "FileHash-SHA256": 6,
            "hostname": 6
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "595 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66acaaf31e419f1f5f9ace52",
          "name": "Threat Actor Abuses Cloudflare Tunnels to Deliver RATs | Proofpoint US",
          "description": "",
          "modified": "2024-09-01T09:03:28.820000",
          "created": "2024-08-02T09:46:27.460000",
          "tags": [
            "python",
            "asyncrat",
            "proofpoint",
            "xworm",
            "july",
            "june",
            "ttps",
            "cloudflare",
            "etpro malware",
            "webdav",
            "venomrat",
            "guloader",
            "remcos",
            "powershell",
            "ping",
            "rats",
            "february",
            "malware",
            "generic"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "bluenumberone",
            "id": "246058",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "FileHash-SHA256": 6,
            "hostname": 6
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "595 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66acaaf0fa7a16d95526f1be",
          "name": "Threat Actor Abuses Cloudflare Tunnels to Deliver RATs | Proofpoint US",
          "description": "Find out more about Proofpoint, the world's leading cybersecurity provider, through webinars, blogs, podcasts and other resources on the technology and services you need to know.",
          "modified": "2024-09-01T09:03:28.820000",
          "created": "2024-08-02T09:46:24.229000",
          "tags": [
            "python",
            "asyncrat",
            "proofpoint",
            "xworm",
            "july",
            "june",
            "ttps",
            "cloudflare",
            "etpro malware",
            "webdav",
            "venomrat",
            "guloader",
            "remcos",
            "powershell",
            "ping",
            "rats",
            "february",
            "malware",
            "generic"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Remcos",
              "display_name": "Remcos",
              "target": null
            },
            {
              "id": "VenomRAT",
              "display_name": "VenomRAT",
              "target": null
            },
            {
              "id": "Xworm",
              "display_name": "Xworm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Higher Education",
            "Manufacturing",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "bluenumberone",
            "id": "246058",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "FileHash-SHA256": 6,
            "hostname": 6
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "595 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66acaaefe4c5a45034c28bf4",
          "name": "Threat Actor Abuses Cloudflare Tunnels to Deliver RATs | Proofpoint US",
          "description": "Find out more about Proofpoint, the world's leading cybersecurity provider, through webinars, blogs, podcasts and other resources on the technology and services you need to know.",
          "modified": "2024-09-01T09:03:28.820000",
          "created": "2024-08-02T09:46:23.671000",
          "tags": [
            "python",
            "asyncrat",
            "proofpoint",
            "xworm",
            "july",
            "june",
            "ttps",
            "cloudflare",
            "etpro malware",
            "webdav",
            "venomrat",
            "guloader",
            "remcos",
            "powershell",
            "ping",
            "rats",
            "february",
            "malware",
            "generic"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Remcos",
              "display_name": "Remcos",
              "target": null
            },
            {
              "id": "VenomRAT",
              "display_name": "VenomRAT",
              "target": null
            },
            {
              "id": "Xworm",
              "display_name": "Xworm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Higher Education",
            "Manufacturing",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "bluenumberone",
            "id": "246058",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "FileHash-SHA256": 6,
            "hostname": 6
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "595 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ab6534b5ef28d013f0b51c",
          "name": "Threat Actor Abuses Cloudflare Tunnels to Deliver RATs | Proofpoint US",
          "description": "Find out more about Proofpoint, the world's leading cybersecurity provider, through webinars, blogs, podcasts and other resources on the technology and services you need to know.",
          "modified": "2024-08-31T09:05:41.555000",
          "created": "2024-08-01T10:36:36.928000",
          "tags": [
            "python",
            "asyncrat",
            "proofpoint",
            "xworm",
            "july",
            "june",
            "ttps",
            "cloudflare",
            "etpro malware",
            "webdav",
            "venomrat",
            "guloader",
            "remcos",
            "powershell",
            "ping",
            "rats",
            "february",
            "malware",
            "generic"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Remcos",
              "display_name": "Remcos",
              "target": null
            },
            {
              "id": "VenomRAT",
              "display_name": "VenomRAT",
              "target": null
            },
            {
              "id": "Xworm",
              "display_name": "Xworm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Higher Education",
            "Manufacturing",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "FileHash-SHA256": 6,
            "hostname": 6
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 846,
          "modified_text": "596 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.elastic.co/security-labs/phantom-in-the-vault",
        "https://s.go-mpulse.net/boomerang/XZ4AH-ABKPW-SQPBC-CYWES-BCG6V",
        "https://arcticwolf.com/resources/blog/threat-actor-profile-interlock-ransomware/",
        "https://cybersecuritynews.com/hackers-abuse-windows-file-explorer-and-webdav/",
        "https://cofense.com/blog/phishing-kits-uncovered-methods-and-tactics-used-to-evade-segs%2C-sandboxes%2C-and-analysts",
        "https://www.derp.ca/research/interlock-tooling-teardown/",
        "https://cyble.com/blog/gamaredons-spear-phishing-assault-on-ukraines-military/",
        "https://theravenfile.com/2026/04/02/inside-teampcps-shell-arsenal/",
        "IOCs.2026.pdf",
        "https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/",
        "https://www.virustotal.com/graph/embed/g2321fa4b9d974f1bbdace8c9ba8fc310acc7286cf4aa4d978a9aa9e3129e4784?theme=light",
        "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats",
        "https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service",
        "https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/",
        "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247506191&idx=1&sn=89db49b84b7462bbf8731dbcc787e8c4&chksm=f9c1ea06ceb6631006eec73a1129db88dcbce705fd5bbfefe4eba48b5d4db5ed5017e34c9669&scene=178&cur_album_id=1955835290309230595&search_click_id=&poc_token=HGZOQWijOCtBLbeOZNmKXb_11l0WZ77aAMufwFqO",
        "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778",
        "https://harfanglab.io/insidethelab/gamaredons-pterolnk-analysis/",
        "https://cofense.com/blog/abusing-windows-file-explorer-and-webdav-for-malware-delivery",
        "https://redcanary.com/blog/threat-intelligence/mocha-manakin-nodejs-backdoor/",
        "https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures",
        "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4",
        "https://securelist.com/ransomware-abuses-bitlocker/112643/",
        "https://www.derp.ca/research/serpentine-cloud-clickfix-return/",
        "https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/",
        "Book1.csv",
        "https://darfe.es/ciberwiki/index.php?title=Campa%C3%B1a_Multi-Etapa_de_AsyncRAT",
        "https://www.bleepingcomputer.com/news/security/hackers-abuse-free-trycloudflare-to-deliver-remote-access-malware/",
        "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "APT-C-53",
            "Telegram",
            "Careto",
            "Azure AD",
            "Voldemort",
            "Silver Fox, Powercat, BRUSHWORM and BRUSHLOGGER, Blank Grabber, Infiniti Stealer",
            "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.",
            "InterLock",
            "Winnti Group",
            "Gamaredon",
            "Serpentine_cloud",
            "China-Nexus",
            "Interlock"
          ],
          "malware_families": [
            "",
            "Windows",
            "Linux",
            "Venomrat",
            "Credential",
            "Krustyloader",
            "Lnk",
            "Pterodo",
            "Asyncrat",
            "Gammadrop",
            "Threat",
            "Toughprogress",
            "Trycloudflare",
            "Kubernetes",
            "Teampcp",
            "Interlock",
            "Phantompulse",
            "Cobalt strike",
            "Rhysida",
            "Obfuscated applescript",
            "Gammaload",
            "Guloader",
            "Vshell",
            "Asyncrat - s1087",
            "Fileless",
            "Xworm",
            "Cookieplus",
            "Mispadu",
            "Snowlight",
            "Remcos",
            "Akira",
            "Applescript",
            "Vbscript",
            "Voldemort",
            "Remote access",
            "Gamaredon",
            "Canisterworm",
            "Sta-0048"
          ],
          "industries": [
            "Government",
            "Insurance",
            "Defence",
            "Professional, scientific, and technical services",
            "Healthcare",
            "Finance and insurance",
            "Critical infrastructure",
            "Transportation",
            "Aerospace",
            "Social engineering",
            "Finance",
            "Cryptocurrency",
            "Financial",
            "Military",
            "Financial services",
            "Technology",
            "Higher education",
            "Manufacturing",
            "Information",
            "Retail",
            "Pharmaceuticals",
            "Education"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 50,
  "pulses": [
    {
      "id": "628dff37032808c7c9e014dc",
      "name": "Sauron - Malware Domain Feed V2",
      "description": "Command and Control domains for Sauron. These domains are extracted from a number of sources, and are suspicious.",
      "modified": "2026-04-17T06:25:54.995000",
      "created": "2022-05-25T10:04:39.623000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 156457,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "otxrobottwo",
        "id": "78495",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 48998,
        "domain": 83143
      },
      "indicator_count": 132141,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1550,
      "modified_text": "2 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5fa1852d337eca8e99c2ec32",
      "name": "Malware - Malware Domain Feed V2 - November 03 2020",
      "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.",
      "modified": "2026-04-17T03:00:09.717000",
      "created": "2020-11-03T16:28:29.011000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 508971,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "otxrobottwo",
        "id": "78495",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 48210,
        "domain": 72684
      },
      "indicator_count": 120894,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1699,
      "modified_text": "2 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ddd6a040a811274d437512",
      "name": "IOC - Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT",
      "description": "Elastic Security Labs has identified a novel, AI-assisted Windows remote access trojan (RAT) that targets individuals in the financial and cryptocurrency sectors via social engineering and the use of a popular note-taking application, Obsidian.",
      "modified": "2026-04-14T05:54:40.501000",
      "created": "2026-04-14T05:54:40.501000",
      "tags": [
        "phantompulse",
        "c2 resolution",
        "shell commands",
        "c2 url",
        "obsidian",
        "phantompull",
        "stage",
        "windows",
        "c2 rotation",
        "security labs",
        "telegram",
        "hider",
        "execution",
        "loader",
        "shell",
        "date",
        "capture",
        "obfuscated applescript",
        "applescript"
      ],
      "references": [
        "https://www.elastic.co/security-labs/phantom-in-the-vault"
      ],
      "public": 1,
      "adversary": "Telegram",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "PHANTOMPULSE",
          "display_name": "PHANTOMPULSE",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "Obfuscated AppleScript",
          "display_name": "Obfuscated AppleScript",
          "target": null
        },
        {
          "id": "AppleScript",
          "display_name": "AppleScript",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        }
      ],
      "industries": [
        "Financial",
        "Cryptocurrency",
        "Social Engineering"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 4,
        "IPv4": 1,
        "URL": 6,
        "YARA": 2,
        "domain": 4,
        "hostname": 3
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 120,
      "modified_text": "5 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d73f806377e1786da61411",
      "name": "EbeeApril2026 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-04-09T05:56:16.764000",
      "created": "2026-04-09T05:56:16.764000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1"
      ],
      "references": [
        "Book1.csv"
      ],
      "public": 1,
      "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 96,
        "URL": 77,
        "FileHash-MD5": 180,
        "FileHash-SHA1": 136,
        "FileHash-SHA256": 280,
        "CVE": 2,
        "domain": 162,
        "hostname": 56
      },
      "indicator_count": 989,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "10 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4d7305d42226674ea57e8",
      "name": "SERPENTINE#CLOUD returns: ClickFix lure drops five RATs",
      "description": "The recent cyber threat activity associated with SERPENTINE#CLOUD has been identified once again, with the attack completing successfully five weeks post-remediation. This resurgence employs ClickFix social engineering tactics, utilizing ephemeral Cloudflare tunnels to deliver multiple Remote Access Trojans (RATs) targeting the same organization. Notably, the attack was caught at an early stage by Huntress, preventing the payload from executing.",
      "modified": "2026-04-07T10:06:40.709000",
      "created": "2026-04-07T10:06:40.709000",
      "tags": [
        "asyncrat",
        "purehvnc",
        "delivery",
        "userprofile",
        "network type",
        "value context",
        "xwormviolet v5",
        "brc4 c2",
        "venomrat",
        "purehvncbrc4 c2",
        "webdav"
      ],
      "references": [
        "https://www.derp.ca/research/serpentine-cloud-clickfix-return/"
      ],
      "public": 1,
      "adversary": "Serpentine_cloud",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1055.004",
          "name": "Asynchronous Procedure Call",
          "display_name": "T1055.004 - Asynchronous Procedure Call"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 2,
        "hostname": 8,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 12,
        "URL": 4,
        "domain": 1
      },
      "indicator_count": 37,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 172,
      "modified_text": "12 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d0b5ca43b7553d276ae526",
      "name": "Inside TeamPCP\u2019s Shell\u00a0Arsenal: THE RAVEN FILE",
      "description": "A detailed analysis of the Shells used by TeamPCP to carry out a massive Supply Chain Attack on GitHub, in which more than 10,000 GitHub projects were compromised.",
      "modified": "2026-04-04T06:55:45.692000",
      "created": "2026-04-04T06:55:06.402000",
      "tags": [
        "strong",
        "shell",
        "teampcp",
        "delivery",
        "python",
        "payload",
        "role",
        "incident",
        "shells",
        "march",
        "loader",
        "core",
        "cleanup",
        "attack",
        "path",
        "stealer",
        "twitter",
        "facebook",
        "inside",
        "execution",
        "persistence",
        "minimal",
        "prop",
        "openssl",
        "stealth",
        "worm",
        "cloud",
        "crypto",
        "bruteforce",
        "adaptixc2",
        "havoc",
        "malware",
        "multiverze",
        "trojan",
        "write",
        "fileless",
        "kubernetes",
        "credential",
        "canisterworm"
      ],
      "references": [
        "https://theravenfile.com/2026/04/02/inside-teampcps-shell-arsenal/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Fileless",
          "display_name": "Fileless",
          "target": null
        },
        {
          "id": "TeamPCP",
          "display_name": "TeamPCP",
          "target": null
        },
        {
          "id": "Kubernetes",
          "display_name": "Kubernetes",
          "target": null
        },
        {
          "id": "Credential",
          "display_name": "Credential",
          "target": null
        },
        {
          "id": "CanisterWorm",
          "display_name": "CanisterWorm",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1195.002",
          "name": "Compromise Software Supply Chain",
          "display_name": "T1195.002 - Compromise Software Supply Chain"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Bheeshmar",
        "id": "55168",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_55168/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 6,
        "FileHash-MD5": 23,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 3,
        "domain": 5,
        "hostname": 8
      },
      "indicator_count": 49,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 82,
      "modified_text": "15 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cd4a1d9132694a02d2fd1f",
      "name": "EbeeMar2026 Pt7",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-04-01T16:38:53.145000",
      "created": "2026-04-01T16:38:53.145000",
      "tags": [],
      "references": [
        "IOCs.2026.pdf"
      ],
      "public": 1,
      "adversary": "Silver Fox, Powercat, BRUSHWORM and BRUSHLOGGER, Blank Grabber, Infiniti Stealer",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 62,
        "FileHash-MD5": 123,
        "FileHash-SHA1": 96,
        "FileHash-SHA256": 173,
        "CVE": 14,
        "URL": 33,
        "domain": 108,
        "hostname": 62
      },
      "indicator_count": 671,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 36,
      "modified_text": "18 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a2fd1bd2c2d02eb498cbad",
      "name": "d9559b5cab00f2be979bf584a007244d6e0f908af04b350e48a4f83087ebef34 exe host",
      "description": "",
      "modified": "2026-04-01T00:44:45.494000",
      "created": "2026-02-28T14:35:07.831000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 170,
        "hostname": 158,
        "FileHash-SHA1": 3,
        "FileHash-MD5": 2,
        "domain": 8,
        "URL": 160,
        "email": 1
      },
      "indicator_count": 502,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "18 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c66ca127fae55a435d937e",
      "name": "InterLock: full tooling teardown of a ransomware operation",
      "description": "InterLock is a double-extortion ransomware operation recognized for its tactic of exfiltrating data before encryption and utilizing a Tor-based leak site alongside deployment across various operating systems, including FreeBSD/ESXi and Windows. The operation has been active since at least October 2024. Recent details pertain to an analysis of 15 samples, highlighting its toolkit, which includes four ScreenConnect MSI installers, a versatile WebSocket backdoor referred to as NodeSnake, a credential harvester, and several ransomware binaries. This sophisticated operation primarily targets sectors like healthcare, education, government, and enterprises in multiple countries.",
      "modified": "2026-03-27T11:40:17.169000",
      "created": "2026-03-27T11:40:17.169000",
      "tags": [
        "reverse-engineering",
        "ransomware",
        "interlock",
        "encryption",
        "malware",
        "nodesnake",
        "java",
        "prng",
        "jar c2",
        "javascript",
        "nodesnake pe",
        "elf variant",
        "jar c2js",
        "c2js",
        "websocket",
        "crypter",
        "powershell",
        "february",
        "encrypt",
        "null",
        "shell",
        "windows pe",
        "threatfox",
        "interlock windows",
        "pe",
        "elf",
        "windows"
      ],
      "references": [
        "https://www.derp.ca/research/interlock-tooling-teardown/"
      ],
      "public": 1,
      "adversary": "InterLock",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1055.003",
          "name": "Thread Execution Hijacking",
          "display_name": "T1055.003 - Thread Execution Hijacking"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1070.001",
          "name": "Clear Windows Event Logs",
          "display_name": "T1070.001 - Clear Windows Event Logs"
        }
      ],
      "industries": [
        "Healthcare",
        "Education",
        "Government"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 5,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 19,
        "URL": 1,
        "domain": 4,
        "hostname": 17
      },
      "indicator_count": 66,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 172,
      "modified_text": "23 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a6d11b6c260277822cd7e8",
      "name": "Hackers Abuse Windows File Explorer and WebDAV for Stealthy Malware Delivery",
      "description": "Cybercriminals are increasingly abusing a legacy feature in Windows File Explorer to distribute malware, according to a report by Cofense Intelligence Team and its European Research and Security Research Unit (ERS).",
      "modified": "2026-03-03T12:16:27.141000",
      "created": "2026-03-03T12:16:27.141000",
      "tags": [
        "file explorer",
        "windows file",
        "webdav",
        "explorer",
        "windows",
        "rats",
        "explorer webdav",
        "cybercriminals",
        "kahng",
        "team",
        "powershell",
        "xworm"
      ],
      "references": [
        "https://cybersecuritynews.com/hackers-abuse-windows-file-explorer-and-webdav/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "XWorm",
          "display_name": "XWorm",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1,
        "hostname": 8
      },
      "indicator_count": 9,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 846,
      "modified_text": "47 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "trycloudflare.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "trycloudflare.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776642350.5171719
}