{
  "type": "Domain",
  "indicator": "tyturu.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/tyturu.com",
    "alexa": "http://www.alexa.com/siteinfo/tyturu.com",
    "indicator": "tyturu.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3261887583,
      "indicator": "tyturu.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "639e7421ba5368c1ca46da6e",
          "name": "Glupteba malware is back",
          "description": "",
          "modified": "2023-01-09T01:02:16.494000",
          "created": "2022-12-18T02:00:01.565000",
          "tags": [],
          "references": [
            "December 18th, 2022 - CryptoGen Cyber Threat Intelligence - Glupteba malware is back.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 30,
            "URL": 12,
            "hostname": 2,
            "domain": 56,
            "CVE": 1,
            "BitcoinAddress": 20
          },
          "indicator_count": 159,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "1238 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a1e56b3622762b160953cf",
          "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
          "description": "Nozomi Networks provides a comprehensive guide to the best ways to close IoT security gaps in your operations. \u00a31.5m of research, development and development in the UK, Ireland, Scotland and Wales.",
          "modified": "2022-12-20T16:40:11.795000",
          "created": "2022-12-20T16:40:11.795000",
          "tags": [
            "glupteba",
            "bitcoin address",
            "bitcoin",
            "google",
            "campaign",
            "xyzc2 domain",
            "november",
            "figure",
            "addressfirst",
            "nozomi networks",
            "june",
            "evolution",
            "virustotal",
            "february",
            "april",
            "malware"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
          ],
          "public": 1,
          "adversary": "Glupteba",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Cyber74Team",
            "id": "202637",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 25,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "domain": 54
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 164,
          "modified_text": "1257 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a1c00e773e7c902b8dae7f",
          "name": "Malicious Glupteba botnet",
          "description": "The malware, which is distributed through fraudulent ads or software cracks, is also equipped to retrieve additional payloads that enable it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in IoT devices from MikroTik and Netgear.\n\nIt's also an instance of an unusual malware that leverages blockchain as a mechanism for command-and-control (C2) since at least 2019, rendering its infrastructure resistant to takedown efforts as in the case of a traditional server.",
          "modified": "2022-12-20T14:00:46.988000",
          "created": "2022-12-20T14:00:46.988000",
          "tags": [
            "recent sha256",
            "block explorer",
            "bitcoin explorer",
            "blockchain explorer",
            "transaction search",
            "bitcoin address",
            "ethereum address",
            "ether",
            "ethereum blockchain",
            "ethereum transaction",
            "ethereum unconfirmed transaction",
            "ethereum explorer",
            "etherscan",
            "home prices",
            "charts nfts",
            "buy more",
            "defi academy",
            "cash btc",
            "testnet bch",
            "testnet english",
            "espaol portugus",
            "pycc franais",
            "deutsch usd",
            "opreturn",
            "bitcoin",
            "utxo",
            "bitcoin core",
            "opreturn change",
            "utxo database",
            "ecdh address",
            "glupteba",
            "cyber threats",
            "malware",
            "research",
            "network",
            "socks proxy",
            "c server",
            "trend micro",
            "glupteba botnet",
            "mikrotik",
            "windows",
            "hkeyusers",
            "post request",
            "download",
            "verify",
            "enumerate",
            "google",
            "campaign",
            "xyzc2 domain",
            "november",
            "figure",
            "addressfirst",
            "nozomi networks",
            "june",
            "evolution",
            "virustotal",
            "february",
            "april"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/",
            "https://www.trendmicro.com/en_us/research/19/i/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions.html",
            "https://www.blockchain.com/explorer/addresses/btc/1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BITSecurity",
            "id": "103352",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 26,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 13,
            "domain": 62,
            "URL": 1,
            "CVE": 1
          },
          "indicator_count": 117,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 244,
          "modified_text": "1258 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a173fd26be8fd55227067e",
          "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
          "description": "",
          "modified": "2022-12-20T08:36:13.699000",
          "created": "2022-12-20T08:36:13.699000",
          "tags": [
            "glupteba",
            "campaign",
            "nozomi networks",
            "botnet"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
          ],
          "public": 1,
          "adversary": "UNKNOWN",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63a15d23da6ba2b58272cac6",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 51,
            "hostname": 1
          },
          "indicator_count": 52,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "1258 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a15d23da6ba2b58272cac6",
          "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
          "description": "Nozomi Networks provides a comprehensive guide to the best ways to close IoT security gaps in your operations. 1.5m of research, development and development in the UK, Ireland, Scotland and Wales.",
          "modified": "2022-12-20T06:58:43.240000",
          "created": "2022-12-20T06:58:43.240000",
          "tags": [
            "glupteba",
            "campaign",
            "nozomi networks",
            "botnet"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
          ],
          "public": 1,
          "adversary": "UNKNOWN",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 51,
            "hostname": 1
          },
          "indicator_count": 52,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "1258 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a06a51dd330cf876dbc282",
          "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
          "description": "Nozomi reports that the Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago.  Nozomi analysis reveals a new, large-scale Glupteba campaign that started in June 2022 and is still ongoing based on data from blockchain transactions, TLS certificate registrations and reverse engineering Glupteba samples.",
          "modified": "2022-12-19T13:42:41.740000",
          "created": "2022-12-19T13:42:41.740000",
          "tags": [
            "malware/glupteba"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 25,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "domain": 54
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "1259 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a01c1cbcffc92811696826",
          "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
          "description": "Find out more about Nozomi Networks, the UK-based company that provides solutions for OT and IoT security and management services for the pharmaceutical industry and other sectors, including oil and gas operations.",
          "modified": "2022-12-19T08:09:00.694000",
          "created": "2022-12-19T08:09:00.694000",
          "tags": [
            "glupteba",
            "bitcoin address",
            "bitcoin",
            "google",
            "campaign",
            "xyzc2 domain",
            "november",
            "figure",
            "addressfirst",
            "nozomi networks",
            "june",
            "evolution",
            "virustotal",
            "february",
            "april",
            "malware"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
          ],
          "public": 1,
          "adversary": "Glupteba",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 25,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "domain": 54
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1259 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "639ffce6a10024195feea5e5",
          "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
          "description": "Find out more about Nozomi Networks, the UK-based company that provides solutions for OT and IoT security and management services for the pharmaceutical industry and other sectors, including oil and gas operations.",
          "modified": "2022-12-19T05:55:50.112000",
          "created": "2022-12-19T05:55:50.112000",
          "tags": [
            "glupteba",
            "bitcoin address",
            "bitcoin",
            "google",
            "campaign",
            "xyzc2 domain",
            "november",
            "figure",
            "addressfirst",
            "nozomi networks",
            "june",
            "evolution",
            "virustotal",
            "february",
            "april",
            "malware"
          ],
          "references": [
            "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
          ],
          "public": 1,
          "adversary": "Glupteba",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Glupteba",
              "display_name": "Glupteba",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "nageswaran",
            "id": "61577",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 25,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "domain": 54
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "1259 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.blockchain.com/explorer/addresses/btc/1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK",
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/",
        "https://www.trendmicro.com/en_us/research/19/i/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions.html",
        "December 18th, 2022 - CryptoGen Cyber Threat Intelligence - Glupteba malware is back.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Glupteba",
            "UNKNOWN"
          ],
          "malware_families": [
            "Glupteba"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "639e7421ba5368c1ca46da6e",
      "name": "Glupteba malware is back",
      "description": "",
      "modified": "2023-01-09T01:02:16.494000",
      "created": "2022-12-18T02:00:01.565000",
      "tags": [],
      "references": [
        "December 18th, 2022 - CryptoGen Cyber Threat Intelligence - Glupteba malware is back.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 19,
        "FileHash-SHA1": 19,
        "FileHash-SHA256": 30,
        "URL": 12,
        "hostname": 2,
        "domain": 56,
        "CVE": 1,
        "BitcoinAddress": 20
      },
      "indicator_count": 159,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "1238 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a1e56b3622762b160953cf",
      "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
      "description": "Nozomi Networks provides a comprehensive guide to the best ways to close IoT security gaps in your operations. \u00a31.5m of research, development and development in the UK, Ireland, Scotland and Wales.",
      "modified": "2022-12-20T16:40:11.795000",
      "created": "2022-12-20T16:40:11.795000",
      "tags": [
        "glupteba",
        "bitcoin address",
        "bitcoin",
        "google",
        "campaign",
        "xyzc2 domain",
        "november",
        "figure",
        "addressfirst",
        "nozomi networks",
        "june",
        "evolution",
        "virustotal",
        "february",
        "april",
        "malware"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
      ],
      "public": 1,
      "adversary": "Glupteba",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Cyber74Team",
        "id": "202637",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 25,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "domain": 54
      },
      "indicator_count": 82,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 164,
      "modified_text": "1257 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a1c00e773e7c902b8dae7f",
      "name": "Malicious Glupteba botnet",
      "description": "The malware, which is distributed through fraudulent ads or software cracks, is also equipped to retrieve additional payloads that enable it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in IoT devices from MikroTik and Netgear.\n\nIt's also an instance of an unusual malware that leverages blockchain as a mechanism for command-and-control (C2) since at least 2019, rendering its infrastructure resistant to takedown efforts as in the case of a traditional server.",
      "modified": "2022-12-20T14:00:46.988000",
      "created": "2022-12-20T14:00:46.988000",
      "tags": [
        "recent sha256",
        "block explorer",
        "bitcoin explorer",
        "blockchain explorer",
        "transaction search",
        "bitcoin address",
        "ethereum address",
        "ether",
        "ethereum blockchain",
        "ethereum transaction",
        "ethereum unconfirmed transaction",
        "ethereum explorer",
        "etherscan",
        "home prices",
        "charts nfts",
        "buy more",
        "defi academy",
        "cash btc",
        "testnet bch",
        "testnet english",
        "espaol portugus",
        "pycc franais",
        "deutsch usd",
        "opreturn",
        "bitcoin",
        "utxo",
        "bitcoin core",
        "opreturn change",
        "utxo database",
        "ecdh address",
        "glupteba",
        "cyber threats",
        "malware",
        "research",
        "network",
        "socks proxy",
        "c server",
        "trend micro",
        "glupteba botnet",
        "mikrotik",
        "windows",
        "hkeyusers",
        "post request",
        "download",
        "verify",
        "enumerate",
        "google",
        "campaign",
        "xyzc2 domain",
        "november",
        "figure",
        "addressfirst",
        "nozomi networks",
        "june",
        "evolution",
        "virustotal",
        "february",
        "april"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/",
        "https://www.trendmicro.com/en_us/research/19/i/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions.html",
        "https://www.blockchain.com/explorer/addresses/btc/1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "BITSecurity",
        "id": "103352",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 26,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 13,
        "domain": 62,
        "URL": 1,
        "CVE": 1
      },
      "indicator_count": 117,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 244,
      "modified_text": "1258 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a173fd26be8fd55227067e",
      "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
      "description": "",
      "modified": "2022-12-20T08:36:13.699000",
      "created": "2022-12-20T08:36:13.699000",
      "tags": [
        "glupteba",
        "campaign",
        "nozomi networks",
        "botnet"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
      ],
      "public": 1,
      "adversary": "UNKNOWN",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63a15d23da6ba2b58272cac6",
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 51,
        "hostname": 1
      },
      "indicator_count": 52,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "1258 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a15d23da6ba2b58272cac6",
      "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
      "description": "Nozomi Networks provides a comprehensive guide to the best ways to close IoT security gaps in your operations. 1.5m of research, development and development in the UK, Ireland, Scotland and Wales.",
      "modified": "2022-12-20T06:58:43.240000",
      "created": "2022-12-20T06:58:43.240000",
      "tags": [
        "glupteba",
        "campaign",
        "nozomi networks",
        "botnet"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
      ],
      "public": 1,
      "adversary": "UNKNOWN",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 51,
        "hostname": 1
      },
      "indicator_count": 52,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "1258 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a06a51dd330cf876dbc282",
      "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
      "description": "Nozomi reports that the Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago.  Nozomi analysis reveals a new, large-scale Glupteba campaign that started in June 2022 and is still ongoing based on data from blockchain transactions, TLS certificate registrations and reverse engineering Glupteba samples.",
      "modified": "2022-12-19T13:42:41.740000",
      "created": "2022-12-19T13:42:41.740000",
      "tags": [
        "malware/glupteba"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 26,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "eric.ford",
        "id": "42510",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 25,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "domain": 54
      },
      "indicator_count": 82,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "1259 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a01c1cbcffc92811696826",
      "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
      "description": "Find out more about Nozomi Networks, the UK-based company that provides solutions for OT and IoT security and management services for the pharmaceutical industry and other sectors, including oil and gas operations.",
      "modified": "2022-12-19T08:09:00.694000",
      "created": "2022-12-19T08:09:00.694000",
      "tags": [
        "glupteba",
        "bitcoin address",
        "bitcoin",
        "google",
        "campaign",
        "xyzc2 domain",
        "november",
        "figure",
        "addressfirst",
        "nozomi networks",
        "june",
        "evolution",
        "virustotal",
        "february",
        "april",
        "malware"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
      ],
      "public": 1,
      "adversary": "Glupteba",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 25,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "domain": 54
      },
      "indicator_count": 82,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "1259 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "639ffce6a10024195feea5e5",
      "name": "Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain",
      "description": "Find out more about Nozomi Networks, the UK-based company that provides solutions for OT and IoT security and management services for the pharmaceutical industry and other sectors, including oil and gas operations.",
      "modified": "2022-12-19T05:55:50.112000",
      "created": "2022-12-19T05:55:50.112000",
      "tags": [
        "glupteba",
        "bitcoin address",
        "bitcoin",
        "google",
        "campaign",
        "xyzc2 domain",
        "november",
        "figure",
        "addressfirst",
        "nozomi networks",
        "june",
        "evolution",
        "virustotal",
        "february",
        "april",
        "malware"
      ],
      "references": [
        "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/"
      ],
      "public": 1,
      "adversary": "Glupteba",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Glupteba",
          "display_name": "Glupteba",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "nageswaran",
        "id": "61577",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 25,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "domain": 54
      },
      "indicator_count": 82,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "1259 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "tyturu.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "tyturu.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780237970.2800303
}