{ "type": "Domain", "indicator": "tuta.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/tuta.com", "alexa": "http://www.alexa.com/siteinfo/tuta.com", "indicator": "tuta.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4020006063, "indicator": "tuta.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69bf19eaf07fe8e7478c0d85", "name": "Behavior Iocs", "description": "", "modified": "2026-04-20T23:10:00.870000", "created": "2026-03-21T22:21:30.218000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 106, "FileHash-SHA1": 59, "FileHash-SHA256": 663, "URL": 572, "domain": 311, "hostname": 698, "email": 7 }, "indicator_count": 2416, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf301a1d534dbdba60a1e7", "name": "VirusTotal report\n for document.pdf", "description": "", "modified": "2026-04-20T00:26:28.752000", "created": "2026-03-21T23:56:10.251000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 32, "hostname": 47, "CVE": 1 }, "indicator_count": 178, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a3afba4c6ae03cea4633e7", "name": "Endgame 4 | ThreatIntelligence | Pegasus | Graphite | Paragon | Mirai | Berbew [by privacynotacrime]", "description": "", "modified": "2025-11-20T00:56:28.210000", "created": "2025-08-18T22:56:58.617000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14786, "CIDR": 3, "FileHash-MD5": 2, "domain": 8084, "email": 1, "hostname": 9967, "FileHash-SHA256": 5018, "CVE": 1, "IPv4": 10 }, "indicator_count": 37872, "is_author": false, "is_subscribing": null, "subscriber_count": 156, "modified_text": "192 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b92a8539a07aca04fef136", "name": "IOC - Google Salesforce Breach: A Deep dive into the chain and extent of the compromise", "description": "", "modified": "2025-10-03T15:01:47.782000", "created": "2025-09-04T05:58:29.706000", "tags": [ "salesforce", "vishing", "tor", "saas security", "cloud security", "data exfiltration", "oauth", "social engineering" ], "references": [ "https://www.seqrite.com/blog/google-salesforce-breach-unc6040-threat-research/" ], "public": 1, "adversary": "UNC6040, UNC6240", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Technology", "Telecommunications", "Finance", "Retail", "Hospitality", "Transportation" ], "TLP": "white", "cloned_from": "68b85f2d5e0366f13974b43e", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6802db5065a2d5648af92de3", "name": "Pegasus Spyware", "description": "If you see one of these IP addresses on your Android device, know this: the government is spying on you. It is recommended to perform a clean install of the latest version of Android, without Google services and with a proper firewall. Don't forget to disable RCS to decrease the attack surface.", "modified": "2025-05-20T10:00:22.858000", "created": "2025-04-18T23:08:00.201000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esjsonexe", "id": "320409", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 255, "hostname": 318, "URL": 762, "FileHash-SHA256": 288 }, "indicator_count": 1623, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "376 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.seqrite.com/blog/google-salesforce-breach-unc6040-threat-research/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "UNC6040, UNC6240" ], "malware_families": [ "Backdoor:linux/mirai", "Alf:backdoor:powershell/reverseshell", "Starfighter (javascript)", "Trojandownloader:linux/mirai", "#lowfitrojan:html/iframe", "Xloader for ios - s0490", "Mirai (windows)", "Pegasus for android - mob-s0032", "#lowfi:hstr:win32/mediadownloader", "Skynet", "#lowfi:exploit:java/cve-2012-0507", "Html smuggling", "Pegasus rdp module for windows", "Careto", "Zeroaccess - s0027", "Pegasus for ios - s0289", "Paragon (pegasus variant)", "Pegasus for mac", "Alf:html/phishing", "#hstr:hacktool:win32/remoteshell", "#lowfi:siga:trojandownloader:msil/genmaldow", "Trojan:js/berbew", "Alf:backdoor:java/webshell", "Graphite (pegasus variant)" ], "industries": [ "Retail", "Hospitality", "Telecommunications", "Finance", "Transportation", "Civil", "Technology", "Civilians", "People" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69bf19eaf07fe8e7478c0d85", "name": "Behavior Iocs", "description": "", "modified": "2026-04-20T23:10:00.870000", "created": "2026-03-21T22:21:30.218000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 106, "FileHash-SHA1": 59, "FileHash-SHA256": 663, "URL": 572, "domain": 311, "hostname": 698, "email": 7 }, "indicator_count": 2416, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf301a1d534dbdba60a1e7", "name": "VirusTotal report\n for document.pdf", "description": "", "modified": "2026-04-20T00:26:28.752000", "created": "2026-03-21T23:56:10.251000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 32, "hostname": 47, "CVE": 1 }, "indicator_count": 178, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a3afba4c6ae03cea4633e7", "name": "Endgame 4 | ThreatIntelligence | Pegasus | Graphite | Paragon | Mirai | Berbew [by privacynotacrime]", "description": "", "modified": "2025-11-20T00:56:28.210000", "created": "2025-08-18T22:56:58.617000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14786, "CIDR": 3, "FileHash-MD5": 2, "domain": 8084, "email": 1, "hostname": 9967, "FileHash-SHA256": 5018, "CVE": 1, "IPv4": 10 }, "indicator_count": 37872, "is_author": false, "is_subscribing": null, "subscriber_count": 156, "modified_text": "192 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b92a8539a07aca04fef136", "name": "IOC - Google Salesforce Breach: A Deep dive into the chain and extent of the compromise", "description": "", "modified": "2025-10-03T15:01:47.782000", "created": "2025-09-04T05:58:29.706000", "tags": [ "salesforce", "vishing", "tor", "saas security", "cloud security", "data exfiltration", "oauth", "social engineering" ], "references": [ "https://www.seqrite.com/blog/google-salesforce-breach-unc6040-threat-research/" ], "public": 1, "adversary": "UNC6040, UNC6240", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Technology", "Telecommunications", "Finance", "Retail", "Hospitality", "Transportation" ], "TLP": "white", "cloned_from": "68b85f2d5e0366f13974b43e", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6802db5065a2d5648af92de3", "name": "Pegasus Spyware", "description": "If you see one of these IP addresses on your Android device, know this: the government is spying on you. It is recommended to perform a clean install of the latest version of Android, without Google services and with a proper firewall. Don't forget to disable RCS to decrease the attack surface.", "modified": "2025-05-20T10:00:22.858000", "created": "2025-04-18T23:08:00.201000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esjsonexe", "id": "320409", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 255, "hostname": 318, "URL": 762, "FileHash-SHA256": 288 }, "indicator_count": 1623, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "376 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "tuta.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "tuta.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780269469.2376256 }