{ "type": "Domain", "indicator": "ultimateearsindia.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ultimateearsindia.com", "alexa": "http://www.alexa.com/siteinfo/ultimateearsindia.com", "indicator": "ultimateearsindia.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4331162272, "indicator": "ultimateearsindia.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69ef8bc1ae6e9625756e05a8", "name": "Inside the Bulletproof Hosting Network Behind 16,000+ Fake Shops", "description": "Fibergrid has operated as a bulletproof hosting provider for nearly a decade, currently hosting 16,700 active fraudulent e-commerce sites. The network exploits stolen African IPv4 address space worth $20-25 million, originally acquired through improper AFRINIC registrations. Despite claiming Seychelles-based operations, multilateration analysis reveals infrastructure concentrated in the United States, United Kingdom, Netherlands, Canada, and other Western countries, primarily within Equinix data centers. Fibergrid operates through a complex web of UK and Estonian shell companies using multiple autonomous systems to evade detection and enforcement. Fake shops constitute 70% of malicious activity on this infrastructure, targeting consumers through search engines and social media with counterfeit goods and payment fraud schemes. Disruption opportunities exist through upstream provider intervention, regional internet registry action, domain-level takedowns, and indicator sharing with security providers.", "modified": "2026-04-27T16:30:02.826000", "created": "2026-04-27T16:16:01.047000", "tags": [ "fibergrid", "e-commerce fraud", "bulletproof hosting", "shell companies", "stolen ip addresses", "autonomous systems", "counterfeit goods", "fake shops", "afrinic" ], "references": [ "https://www.netcraft.com/blog/fibergrid-inside-the-bulletproof-host" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1588.006", "name": "Vulnerabilities", "display_name": "T1588.006 - Vulnerabilities" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1591.002", "name": "Business Relationships", "display_name": "T1591.002 - Business Relationships" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Retail" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 9 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 386453, "modified_text": "33 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "11 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f19287f2d640c360a377cb", "name": "Inside the Bulletproof Hosting Network Behind 16,000+ Fake Shops", "description": "", "modified": "2026-04-29T05:09:27.666000", "created": "2026-04-29T05:09:27.666000", "tags": [ "fibergrid", "e-commerce fraud", "bulletproof hosting", "shell companies", "stolen ip addresses", "autonomous systems", "counterfeit goods", "fake shops", "afrinic" ], "references": [ "https://www.netcraft.com/blog/fibergrid-inside-the-bulletproof-host" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1588.006", "name": "Vulnerabilities", "display_name": "T1588.006 - Vulnerabilities" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1591.002", "name": "Business Relationships", "display_name": "T1591.002 - Business Relationships" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Retail" ], "TLP": "white", "cloned_from": "69ef8bc1ae6e9625756e05a8", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "31 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.netcraft.com/blog/fibergrid-inside-the-bulletproof-host", "IOCs.2026.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Retail" ] }, "other": { "adversary": [ "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [], "industries": [ "Retail" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69ef8bc1ae6e9625756e05a8", "name": "Inside the Bulletproof Hosting Network Behind 16,000+ Fake Shops", "description": "Fibergrid has operated as a bulletproof hosting provider for nearly a decade, currently hosting 16,700 active fraudulent e-commerce sites. The network exploits stolen African IPv4 address space worth $20-25 million, originally acquired through improper AFRINIC registrations. Despite claiming Seychelles-based operations, multilateration analysis reveals infrastructure concentrated in the United States, United Kingdom, Netherlands, Canada, and other Western countries, primarily within Equinix data centers. Fibergrid operates through a complex web of UK and Estonian shell companies using multiple autonomous systems to evade detection and enforcement. Fake shops constitute 70% of malicious activity on this infrastructure, targeting consumers through search engines and social media with counterfeit goods and payment fraud schemes. Disruption opportunities exist through upstream provider intervention, regional internet registry action, domain-level takedowns, and indicator sharing with security providers.", "modified": "2026-04-27T16:30:02.826000", "created": "2026-04-27T16:16:01.047000", "tags": [ "fibergrid", "e-commerce fraud", "bulletproof hosting", "shell companies", "stolen ip addresses", "autonomous systems", "counterfeit goods", "fake shops", "afrinic" ], "references": [ "https://www.netcraft.com/blog/fibergrid-inside-the-bulletproof-host" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1588.006", "name": "Vulnerabilities", "display_name": "T1588.006 - Vulnerabilities" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1591.002", "name": "Business Relationships", "display_name": "T1591.002 - Business Relationships" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Retail" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 9 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 386453, "modified_text": "33 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "11 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f19287f2d640c360a377cb", "name": "Inside the Bulletproof Hosting Network Behind 16,000+ Fake Shops", "description": "", "modified": "2026-04-29T05:09:27.666000", "created": "2026-04-29T05:09:27.666000", "tags": [ "fibergrid", "e-commerce fraud", "bulletproof hosting", "shell companies", "stolen ip addresses", "autonomous systems", "counterfeit goods", "fake shops", "afrinic" ], "references": [ "https://www.netcraft.com/blog/fibergrid-inside-the-bulletproof-host" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1588.006", "name": "Vulnerabilities", "display_name": "T1588.006 - Vulnerabilities" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1591.002", "name": "Business Relationships", "display_name": "T1591.002 - Business Relationships" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Retail" ], "TLP": "white", "cloned_from": "69ef8bc1ae6e9625756e05a8", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "31 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ultimateearsindia.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ultimateearsindia.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780176074.5762122 }