{
  "type": "Domain",
  "indicator": "updateorg.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/updateorg.com",
    "alexa": "http://www.alexa.com/siteinfo/updateorg.com",
    "indicator": "updateorg.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 1494862,
      "indicator": "updateorg.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "586e3cae3d7dcb215f630d90",
          "name": "Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford",
          "description": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015. In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office.\n\nLater, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and a job application website. On these websites they hosted malware that was digitally signed with a valid, likely stolen code signing certificate.\n\nBased on VirusTotal uploads, malicious documents content, and known victims \u2013 other targeted organizations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon.",
          "modified": "2018-09-17T21:06:46.086000",
          "created": "2017-01-05T12:31:42.268000",
          "tags": [
            "oxford",
            "olirig",
            "middle east",
            "VPN Web Portal",
            "Helminth",
            "clearskysec"
          ],
          "references": [
            "http://www.clearskysec.com/oilrig/"
          ],
          "public": 1,
          "adversary": "OilRig",
          "targeted_countries": [
            "Turkey",
            "Qatar",
            "Kuwait",
            "United Arab Emirates",
            "Saudi Arabia",
            "Lebanon"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "information technology",
            "government",
            "transportation"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 86,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 34,
            "hostname": 27,
            "FileHash-MD5": 22,
            "email": 10
          },
          "indicator_count": 93,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386650,
          "modified_text": "2812 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "590271ab91f09513c1dc4fd1",
          "name": "OilRig Actors Provide a Glimpse into Development and Testing Efforts",
          "description": "OilRig Actors Provide a Glimpse into Development and Testing Efforts\n\n\tBy Robert Falcone \nApril 27, 2017 at 1:00 PM \nCategory: Unit 42  Tags: Clayside, Helminth, OilRig attacks\n 336 (1)    \nThroughout an attack campaign, actors will continue to develop their tools in an attempt to remain undetected and to carry out multiple attacks without having to completely retool. In regard to the attack lifecycle, development of tools occurs in the weaponization/staging phase that precedes the delivery phase, which is typically our first opportunity to see the actors\u2019 activities as they interact directly with their target. We have been presented with a rare opportunity to see some development activities from the actors associated with the OilRig attack campaign, a campaign Unit 42 has been following since May 2016. Recently we were able to observe these actors making modifications to their ClaySlide delivery documents in an attempt to evade antivirus detection.",
          "modified": "2017-04-27T22:33:15.127000",
          "created": "2017-04-27T22:33:15.127000",
          "tags": [
            "oilrig",
            "iran",
            "clayside"
          ],
          "references": [
            "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/"
          ],
          "public": 1,
          "adversary": "OilRig",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 49,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "domain": 2
          },
          "indicator_count": 4,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386581,
          "modified_text": "3320 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "58de329c88c71500d0e660b8",
          "name": "OilRig Campaign Analysis",
          "description": "The earliest instance where a cyber attack was attributed to the OilRig\ncampaign was in late 2015. To date, two periods of high activity have been\nidentified following the initial attack. These were in May and October 2016.\nAll known samples from these periods used infected Excel files attached to\nphishing emails to infect victims. Once infected, the victim machine can be\ncontrolled by the attacker to perform basic remote-access trojan-like tasks\nincluding command execution and file upload and download.",
          "modified": "2017-03-31T10:42:35.637000",
          "created": "2017-03-31T10:42:35.637000",
          "tags": [
            "iran",
            "oilrig"
          ],
          "references": [
            "https://logrhythm.com/pdfs/threat-research/logrhythm-labs-oilrig-campaign-analysis.pdf"
          ],
          "public": 1,
          "adversary": "OilRig",
          "targeted_countries": [
            "United States",
            "Saudi Arabia",
            "United Arab Emirates",
            "Qatar",
            "Turkey"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 74,
          "upvotes_count": 1.0,
          "downvotes_count": 0.0,
          "votes_count": 1.0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 9,
            "FileHash-SHA256": 26,
            "domain": 20,
            "URL": 8,
            "hostname": 1,
            "FileHash-MD5": 24,
            "FileHash-SHA1": 4
          },
          "indicator_count": 92,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386668,
          "modified_text": "3348 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63456c2a30b92337ea1670e0",
          "name": "IOC Records Provided by @NextRayAI",
          "description": "This IOC report is provided and updated daily by NextRay AI Detection & Response Inc.",
          "modified": "2026-05-31T01:02:14",
          "created": "2022-10-11T13:14:18.676000",
          "tags": [
            "Nextray",
            "cyber security",
            "ioc",
            "phishing",
            "malicious"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Turkey",
            "Ukraine",
            "Romania",
            "Czechia",
            "United Kingdom of Great Britain and Northern Ireland",
            "Norway",
            "Lithuania",
            "Estonia",
            "Latvia",
            "Poland",
            "Germany",
            "Canada",
            "France",
            "Denmark"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Defense",
            "Industrial",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1330,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "NextRay-AI",
            "id": "210822",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 498917,
            "IPv4": 64343,
            "IPv6": 459,
            "hostname": 59385,
            "URL": 166783,
            "CIDR": 5266,
            "FileHash-MD5": 29699,
            "FileHash-SHA256": 50449,
            "CVE": 348,
            "email": 914,
            "Mutex": 49,
            "FileHash-SHA1": 3453,
            "FilePath": 34
          },
          "indicator_count": 880099,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 300,
          "modified_text": "16 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b6563c0597ac612e644416",
          "name": "Iranian APT Actors-Pt5",
          "description": "",
          "modified": "2026-04-15T09:12:52.422000",
          "created": "2026-03-15T06:48:28.010000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filename",
            "filehashsha1",
            "bitcoinaddress",
            "temp",
            "port8083 domain",
            "registry",
            "cve201711882",
            "cve20170199"
          ],
          "references": [
            "IOCs.2026.2.csv"
          ],
          "public": 1,
          "adversary": "Cleaver, Handala, OilRig, RansomHouse, Leafminer,  CopyKittens, Muddy Water, Wiper Malwares",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 32,
            "FileHash-MD5": 261,
            "FileHash-SHA1": 191,
            "FileHash-SHA256": 291,
            "CIDR": 2,
            "CVE": 4,
            "domain": 95,
            "hostname": 23
          },
          "indicator_count": 899,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 44,
          "modified_text": "46 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65707a26e2f66cc507f0eb3c",
          "name": "OilRig Campaign Analysis",
          "description": "",
          "modified": "2023-12-06T13:41:58.409000",
          "created": "2023-12-06T13:41:58.409000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 26,
            "domain": 20,
            "FileHash-MD5": 24,
            "email": 9,
            "URL": 8,
            "hostname": 1,
            "FileHash-SHA1": 4
          },
          "indicator_count": 92,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65707a0de5c6b07a44dbbad4",
          "name": "Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford",
          "description": "",
          "modified": "2023-12-06T13:41:33.476000",
          "created": "2023-12-06T13:41:33.476000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 34,
            "hostname": 27,
            "FileHash-MD5": 22,
            "email": 10
          },
          "indicator_count": 93,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6315d1959df8f2307fb2e6f0",
          "name": "OilRig Actors Provide a Glimpse into Development and Testing Efforts",
          "description": "",
          "modified": "2022-09-05T10:38:13.287000",
          "created": "2022-09-05T10:38:13.287000",
          "tags": [
            "iteration",
            "june",
            "november",
            "figure",
            "incompatible",
            "vb script",
            "powershell",
            "variable",
            "oilrig"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2
          },
          "indicator_count": 2,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "1364 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IOCs.2026.2.csv",
        "http://www.clearskysec.com/oilrig/",
        "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/",
        "https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/",
        "https://logrhythm.com/pdfs/threat-research/logrhythm-labs-oilrig-campaign-analysis.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "OilRig"
          ],
          "malware_families": [],
          "industries": [
            "Information technology",
            "Government",
            "Finance",
            "Transportation"
          ]
        },
        "other": {
          "adversary": [
            "Cleaver, Handala, OilRig, RansomHouse, Leafminer,  CopyKittens, Muddy Water, Wiper Malwares"
          ],
          "malware_families": [],
          "industries": [
            "Government",
            "Defense",
            "Industrial"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "586e3cae3d7dcb215f630d90",
      "name": "Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford",
      "description": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015. In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office.\n\nLater, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and a job application website. On these websites they hosted malware that was digitally signed with a valid, likely stolen code signing certificate.\n\nBased on VirusTotal uploads, malicious documents content, and known victims \u2013 other targeted organizations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon.",
      "modified": "2018-09-17T21:06:46.086000",
      "created": "2017-01-05T12:31:42.268000",
      "tags": [
        "oxford",
        "olirig",
        "middle east",
        "VPN Web Portal",
        "Helminth",
        "clearskysec"
      ],
      "references": [
        "http://www.clearskysec.com/oilrig/"
      ],
      "public": 1,
      "adversary": "OilRig",
      "targeted_countries": [
        "Turkey",
        "Qatar",
        "Kuwait",
        "United Arab Emirates",
        "Saudi Arabia",
        "Lebanon"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "information technology",
        "government",
        "transportation"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 86,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 34,
        "hostname": 27,
        "FileHash-MD5": 22,
        "email": 10
      },
      "indicator_count": 93,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386650,
      "modified_text": "2812 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "590271ab91f09513c1dc4fd1",
      "name": "OilRig Actors Provide a Glimpse into Development and Testing Efforts",
      "description": "OilRig Actors Provide a Glimpse into Development and Testing Efforts\n\n\tBy Robert Falcone \nApril 27, 2017 at 1:00 PM \nCategory: Unit 42  Tags: Clayside, Helminth, OilRig attacks\n 336 (1)    \nThroughout an attack campaign, actors will continue to develop their tools in an attempt to remain undetected and to carry out multiple attacks without having to completely retool. In regard to the attack lifecycle, development of tools occurs in the weaponization/staging phase that precedes the delivery phase, which is typically our first opportunity to see the actors\u2019 activities as they interact directly with their target. We have been presented with a rare opportunity to see some development activities from the actors associated with the OilRig attack campaign, a campaign Unit 42 has been following since May 2016. Recently we were able to observe these actors making modifications to their ClaySlide delivery documents in an attempt to evade antivirus detection.",
      "modified": "2017-04-27T22:33:15.127000",
      "created": "2017-04-27T22:33:15.127000",
      "tags": [
        "oilrig",
        "iran",
        "clayside"
      ],
      "references": [
        "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/"
      ],
      "public": 1,
      "adversary": "OilRig",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 49,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "domain": 2
      },
      "indicator_count": 4,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386581,
      "modified_text": "3320 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "58de329c88c71500d0e660b8",
      "name": "OilRig Campaign Analysis",
      "description": "The earliest instance where a cyber attack was attributed to the OilRig\ncampaign was in late 2015. To date, two periods of high activity have been\nidentified following the initial attack. These were in May and October 2016.\nAll known samples from these periods used infected Excel files attached to\nphishing emails to infect victims. Once infected, the victim machine can be\ncontrolled by the attacker to perform basic remote-access trojan-like tasks\nincluding command execution and file upload and download.",
      "modified": "2017-03-31T10:42:35.637000",
      "created": "2017-03-31T10:42:35.637000",
      "tags": [
        "iran",
        "oilrig"
      ],
      "references": [
        "https://logrhythm.com/pdfs/threat-research/logrhythm-labs-oilrig-campaign-analysis.pdf"
      ],
      "public": 1,
      "adversary": "OilRig",
      "targeted_countries": [
        "United States",
        "Saudi Arabia",
        "United Arab Emirates",
        "Qatar",
        "Turkey"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Government",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 74,
      "upvotes_count": 1.0,
      "downvotes_count": 0.0,
      "votes_count": 1.0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 9,
        "FileHash-SHA256": 26,
        "domain": 20,
        "URL": 8,
        "hostname": 1,
        "FileHash-MD5": 24,
        "FileHash-SHA1": 4
      },
      "indicator_count": 92,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386668,
      "modified_text": "3348 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63456c2a30b92337ea1670e0",
      "name": "IOC Records Provided by @NextRayAI",
      "description": "This IOC report is provided and updated daily by NextRay AI Detection & Response Inc.",
      "modified": "2026-05-31T01:02:14",
      "created": "2022-10-11T13:14:18.676000",
      "tags": [
        "Nextray",
        "cyber security",
        "ioc",
        "phishing",
        "malicious"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Turkey",
        "Ukraine",
        "Romania",
        "Czechia",
        "United Kingdom of Great Britain and Northern Ireland",
        "Norway",
        "Lithuania",
        "Estonia",
        "Latvia",
        "Poland",
        "Germany",
        "Canada",
        "France",
        "Denmark"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Defense",
        "Industrial",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1330,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "NextRay-AI",
        "id": "210822",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 498917,
        "IPv4": 64343,
        "IPv6": 459,
        "hostname": 59385,
        "URL": 166783,
        "CIDR": 5266,
        "FileHash-MD5": 29699,
        "FileHash-SHA256": 50449,
        "CVE": 348,
        "email": 914,
        "Mutex": 49,
        "FileHash-SHA1": 3453,
        "FilePath": 34
      },
      "indicator_count": 880099,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 300,
      "modified_text": "16 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b6563c0597ac612e644416",
      "name": "Iranian APT Actors-Pt5",
      "description": "",
      "modified": "2026-04-15T09:12:52.422000",
      "created": "2026-03-15T06:48:28.010000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filename",
        "filehashsha1",
        "bitcoinaddress",
        "temp",
        "port8083 domain",
        "registry",
        "cve201711882",
        "cve20170199"
      ],
      "references": [
        "IOCs.2026.2.csv"
      ],
      "public": 1,
      "adversary": "Cleaver, Handala, OilRig, RansomHouse, Leafminer,  CopyKittens, Muddy Water, Wiper Malwares",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 32,
        "FileHash-MD5": 261,
        "FileHash-SHA1": 191,
        "FileHash-SHA256": 291,
        "CIDR": 2,
        "CVE": 4,
        "domain": 95,
        "hostname": 23
      },
      "indicator_count": 899,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 44,
      "modified_text": "46 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65707a26e2f66cc507f0eb3c",
      "name": "OilRig Campaign Analysis",
      "description": "",
      "modified": "2023-12-06T13:41:58.409000",
      "created": "2023-12-06T13:41:58.409000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 26,
        "domain": 20,
        "FileHash-MD5": 24,
        "email": 9,
        "URL": 8,
        "hostname": 1,
        "FileHash-SHA1": 4
      },
      "indicator_count": 92,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65707a0de5c6b07a44dbbad4",
      "name": "Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford",
      "description": "",
      "modified": "2023-12-06T13:41:33.476000",
      "created": "2023-12-06T13:41:33.476000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 34,
        "hostname": 27,
        "FileHash-MD5": 22,
        "email": 10
      },
      "indicator_count": 93,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6315d1959df8f2307fb2e6f0",
      "name": "OilRig Actors Provide a Glimpse into Development and Testing Efforts",
      "description": "",
      "modified": "2022-09-05T10:38:13.287000",
      "created": "2022-09-05T10:38:13.287000",
      "tags": [
        "iteration",
        "june",
        "november",
        "figure",
        "incompatible",
        "vb script",
        "powershell",
        "variable",
        "oilrig"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 2
      },
      "indicator_count": 2,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "1364 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "updateorg.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "updateorg.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780248026.01766
}