{ "type": "Domain", "indicator": "updatee-facebok.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/updatee-facebok.com", "alexa": "http://www.alexa.com/siteinfo/updatee-facebok.com", "indicator": "updatee-facebok.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4011378607, "indicator": "updatee-facebok.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "682554f8cb8dd6dce4b839a7", "name": "Remcos extra", "description": "", "modified": "2025-12-25T20:49:21.712000", "created": "2025-05-15T02:44:08.231000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1206, "domain": 296, "hostname": 1036, "URL": 1854, "CVE": 2 }, "indicator_count": 4394, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "158 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6860fc2386d1a2e841746fde", "name": "Tracing Blind Eagle to Proton66.", "description": "The cyber threat group known as Blind Eagle, or APT-C-36, is closely linked with the Russian bulletproof hosting company Proton66 and is actively targeting organizations in Latin America, particularly Colombian financial institutions. Recent investigations have unveiled a significant operational infrastructure used by this group, characterized by extensive interconnections among various domains and IP addresses. Their modus operandi primarily utilizes Visual Basic Script (VBS) files as the initial attack vector and incorporates free Dynamic DNS (DDNS) services to facilitate operation.", "modified": "2025-07-29T08:03:41.236000", "created": "2025-06-29T08:41:07.783000", "tags": [ "trustwave", "blind eagle", "dark web", "login", "demo", "proton66", "rats", "new technology", "sector research", "reveals rising", "test", "global", "tools", "june", "august", "defender", "powershell", "remcos", "asyncrat" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tracing-blind-eagle-to-proton66/" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "Singapore" ], "malware_families": [], "attack_ids": [ { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [ "Financial", "Banks" ], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 139, "domain": 5, "hostname": 35, "FileHash-SHA256": 69 }, "indicator_count": 248, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "307 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6774e823196d078c848ed0e7", "name": "Threat Intel Report - W52-2024", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools. \n\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week. \n\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools. \n\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2025-01-31T06:04:58.629000", "created": "2025-01-01T07:00:51.580000", "tags": [ "mozi", "germany", "united kingdom", "asyncrat link", "russia", "brazil", "quakbot", "singapore", "week", "asyncrat", "ukraine", "mexico", "indonesia", "emmenhtal", "amadey", "play ransomware", "malware", "date", "paraguay", "slovakia", "first", "cryptbot", "lumma stealer", "alliance", "june", "android", "powershell" ], "references": [ "https://any.run/malware-trends/", "https://urlhaus.abuse.ch/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 70, "hostname": 92, "URL": 223, "CVE": 1, "FileHash-MD5": 12, "FileHash-SHA1": 12, "FileHash-SHA256": 16 }, "indicator_count": 426, "is_author": false, "is_subscribing": null, "subscriber_count": 106, "modified_text": "486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6758d6b3e0c841ad80ceb0f0", "name": "URLHaus data - 10-12-2024", "description": "", "modified": "2025-01-10T00:01:00.333000", "created": "2024-12-11T00:02:58.919000", "tags": [ "32-bit", "elf", "mips", "Mozi", "arm", "hajime", "mirai", "APT", "censys", "injector", "SilverFox", "ValleyRAT", "zip", "apk", "ascii", "powershell", "ps1", "redir-302", "Rhadamanthys", "exe", "bat", "SnakeKeylogger", "KongTuke", "FYU789", "pw-FYU789", "remcos", "AsyncRAT", "G6T3GD", "pw-G6T3GD", "Encoded", "opendir", "rev-base64-loader", "base64-loader", "vbs", "programmmersj69", "spymax", "SpyNote", "js", "MintsLoader" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "domain": 7, "hostname": 3 }, "indicator_count": 1010, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "507 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tracing-blind-eagle-to-proton66/", "https://urlhaus.abuse.ch/", "https://urlhaus.abuse.ch/browse/", "https://any.run/malware-trends/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [ "Banks", "Financial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "682554f8cb8dd6dce4b839a7", "name": "Remcos extra", "description": "", "modified": "2025-12-25T20:49:21.712000", "created": "2025-05-15T02:44:08.231000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1206, "domain": 296, "hostname": 1036, "URL": 1854, "CVE": 2 }, "indicator_count": 4394, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "158 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6860fc2386d1a2e841746fde", "name": "Tracing Blind Eagle to Proton66.", "description": "The cyber threat group known as Blind Eagle, or APT-C-36, is closely linked with the Russian bulletproof hosting company Proton66 and is actively targeting organizations in Latin America, particularly Colombian financial institutions. Recent investigations have unveiled a significant operational infrastructure used by this group, characterized by extensive interconnections among various domains and IP addresses. Their modus operandi primarily utilizes Visual Basic Script (VBS) files as the initial attack vector and incorporates free Dynamic DNS (DDNS) services to facilitate operation.", "modified": "2025-07-29T08:03:41.236000", "created": "2025-06-29T08:41:07.783000", "tags": [ "trustwave", "blind eagle", "dark web", "login", "demo", "proton66", "rats", "new technology", "sector research", "reveals rising", "test", "global", "tools", "june", "august", "defender", "powershell", "remcos", "asyncrat" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tracing-blind-eagle-to-proton66/" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "Singapore" ], "malware_families": [], "attack_ids": [ { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [ "Financial", "Banks" ], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 139, "domain": 5, "hostname": 35, "FileHash-SHA256": 69 }, "indicator_count": 248, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "307 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6774e823196d078c848ed0e7", "name": "Threat Intel Report - W52-2024", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools. \n\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week. \n\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools. \n\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2025-01-31T06:04:58.629000", "created": "2025-01-01T07:00:51.580000", "tags": [ "mozi", "germany", "united kingdom", "asyncrat link", "russia", "brazil", "quakbot", "singapore", "week", "asyncrat", "ukraine", "mexico", "indonesia", "emmenhtal", "amadey", "play ransomware", "malware", "date", "paraguay", "slovakia", "first", "cryptbot", "lumma stealer", "alliance", "june", "android", "powershell" ], "references": [ "https://any.run/malware-trends/", "https://urlhaus.abuse.ch/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 70, "hostname": 92, "URL": 223, "CVE": 1, "FileHash-MD5": 12, "FileHash-SHA1": 12, "FileHash-SHA256": 16 }, "indicator_count": 426, "is_author": false, "is_subscribing": null, "subscriber_count": 106, "modified_text": "486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6758d6b3e0c841ad80ceb0f0", "name": "URLHaus data - 10-12-2024", "description": "", "modified": "2025-01-10T00:01:00.333000", "created": "2024-12-11T00:02:58.919000", "tags": [ "32-bit", "elf", "mips", "Mozi", "arm", "hajime", "mirai", "APT", "censys", "injector", "SilverFox", "ValleyRAT", "zip", "apk", "ascii", "powershell", "ps1", "redir-302", "Rhadamanthys", "exe", "bat", "SnakeKeylogger", "KongTuke", "FYU789", "pw-FYU789", "remcos", "AsyncRAT", "G6T3GD", "pw-G6T3GD", "Encoded", "opendir", "rev-base64-loader", "base64-loader", "vbs", "programmmersj69", "spymax", "SpyNote", "js", "MintsLoader" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "domain": 7, "hostname": 3 }, "indicator_count": 1010, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "507 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "updatee-facebok.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "updatee-facebok.com", "found": true, "verdict": "malicious", "url_count": 26, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "http://updatee-facebok.com/davivienda/img/Vigilado.png", "status": "offline", "threat": "malware_download", "date_added": "2024-12-17", "tags": [ "AsyncRAT" ] }, { "url": "http://updatee-facebok.com/davivienda/img/Logo-Davivienda-Blanco.png", "status": "offline", "threat": "malware_download", "date_added": "2024-12-17", "tags": [ "AsyncRAT" ] }, { "url": "http://updatee-facebok.com/davivienda/img/error.jpeg", "status": "offline", "threat": "malware_download", "date_added": "2024-12-17", "tags": [ "AsyncRAT" ] }, { "url": "http://updatee-facebok.com/davivienda/img/lemotiv.png", "status": "offline", "threat": "malware_download", "date_added": "2024-12-17", "tags": [ "AsyncRAT" ] }, { "url": "http://updatee-facebok.com/davivienda/img/davivienda-fondo1.jpg", "status": "offline", "threat": "malware_download", "date_added": "2024-12-17", "tags": [ "AsyncRAT" ] }, { "url": "http://updatee-facebok.com/davivienda/img/campana.jpeg", "status": "offline", "threat": "malware_download", "date_added": "2024-12-17", "tags": [ "AsyncRAT" ] }, { "url": "http://updatee-facebok.com/davivienda/script/script.js", "status": "offline", "threat": "malware_download", "date_added": "2024-12-17", "tags": [ "AsyncRAT" ] }, { "url": "http://updatee-facebok.com/bancolombia/img/logo_sve.gif", "status": "offline", "threat": "malware_download", "date_added": "2024-12-17", "tags": [ "AsyncRAT" ] }, { "url": "http://updatee-facebok.com/bancolombia/img/icono.jpg", "status": "offline", "threat": "malware_download", "date_added": "2024-12-17", "tags": [ "AsyncRAT" ] }, { "url": "http://updatee-facebok.com/davivienda/img/compartir.jpeg", "status": "offline", "threat": "malware_download", "date_added": "2024-12-17", "tags": [ "AsyncRAT" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780355747.7216313 }