{
  "type": "Domain",
  "indicator": "validih.shop",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/validih.shop",
    "alexa": "http://www.alexa.com/siteinfo/validih.shop",
    "indicator": "validih.shop",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3602955005,
      "indicator": "validih.shop",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "63a23e0f836cbe86e53b447b",
          "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
          "description": "As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine.",
          "modified": "2023-01-19T22:04:44.402000",
          "created": "2022-12-20T22:58:23.105000",
          "tags": [
            "ukraine",
            "russia",
            "trident ursa",
            "gamaredon",
            "dns flux",
            "phishing",
            "maldocs",
            "apt"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/trident-ursa/",
            "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
          ],
          "public": 1,
          "adversary": "Trident Ursa",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 502,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 84,
            "FileHash-SHA1": 86,
            "FileHash-SHA256": 229,
            "URL": 3,
            "domain": 555,
            "hostname": 7
          },
          "indicator_count": 964,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 376711,
          "modified_text": "1181 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5fa1ee5c64dc0e2060647954",
          "name": "Malware - Malware Domain Feed V2 - November 03 2020",
          "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.",
          "modified": "2026-03-07T21:39:10.926000",
          "created": "2020-11-03T23:57:16.317000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 109043,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "otxrobottwo_testing",
            "id": "83138",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 45549,
            "domain": 66426
          },
          "indicator_count": 111975,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 959,
          "modified_text": "38 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d90549c1c51747a7e34358",
          "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine (by AlienVault) enriched",
          "description": "",
          "modified": "2024-09-05T01:11:35.635000",
          "created": "2024-09-05T01:11:35.635000",
          "tags": [],
          "references": [
            "63a23e0f836cbe86e53b447b.csv",
            "https://unit42.paloaltonetworks.com/trident-ursa/"
          ],
          "public": 1,
          "adversary": "Trident Ursa",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 152,
            "FileHash-SHA1": 153,
            "FileHash-SHA256": 238,
            "URL": 2890,
            "domain": 557,
            "hostname": 1230
          },
          "indicator_count": 5220,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 179,
          "modified_text": "586 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c2b5461ad2cb2f9e8d342d",
          "name": "Malware - Malware Domain Feed V2 - 11.93.2020  [Pulse by otxrobottwo_testing]",
          "description": "",
          "modified": "2024-02-06T22:40:06.188000",
          "created": "2024-02-06T22:40:06.188000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "5fa1ee5c64dc0e2060647954",
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 45530,
            "domain": 66406
          },
          "indicator_count": 111936,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "798 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c2b543bc2adfd3eca5ff2b",
          "name": "Malware - Malware Domain Feed V2 - 11.93.2020  [Pulse by otxrobottwo_testing]",
          "description": "",
          "modified": "2024-02-06T22:40:03.501000",
          "created": "2024-02-06T22:40:03.501000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "5fa1ee5c64dc0e2060647954",
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 45530,
            "domain": 66406
          },
          "indicator_count": 111936,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "798 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c2b5405e6e9e23324e6d8e",
          "name": "Malware - Malware Domain Feed V2 - 11.93.2020  [Pulse by otxrobottwo_testing]",
          "description": "",
          "modified": "2024-02-06T22:40:00.906000",
          "created": "2024-02-06T22:40:00.906000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "5fa1ee5c64dc0e2060647954",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 45530,
            "domain": 66406
          },
          "indicator_count": 111936,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "798 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a2cca0231f4704fb04c1c8",
          "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
          "description": "As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine.",
          "modified": "2023-01-20T09:00:00.250000",
          "created": "2022-12-21T09:06:40.834000",
          "tags": [
            "domain",
            "ip address",
            "sample",
            "url https",
            "Gamaredon"
          ],
          "references": [
            "https://raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 32,
            "URL": 17,
            "FileHash-MD5": 96,
            "FileHash-SHA1": 96,
            "FileHash-SHA256": 241,
            "domain": 564
          },
          "indicator_count": 1046,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 843,
          "modified_text": "1180 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a2aa8a89150b046cc1e835",
          "name": "Russia\u2019s Trident Ursa ( Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
          "description": "",
          "modified": "2023-01-19T22:04:44.402000",
          "created": "2022-12-21T06:41:14.278000",
          "tags": [
            "ukraine",
            "russia",
            "trident ursa",
            "gamaredon",
            "dns flux",
            "phishing",
            "maldocs",
            "apt"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/trident-ursa/",
            "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
          ],
          "public": 1,
          "adversary": "Trident Ursa",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63a23e0f836cbe86e53b447b",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 84,
            "FileHash-SHA1": 86,
            "FileHash-SHA256": 229,
            "URL": 3,
            "domain": 555,
            "hostname": 7
          },
          "indicator_count": 964,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 183,
          "modified_text": "1181 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a2d2a332d80ccb63f9ad94",
          "name": "Russia\u2019s Trident Ursa ( Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
          "description": "",
          "modified": "2023-01-19T22:04:44.402000",
          "created": "2022-12-21T09:32:19.584000",
          "tags": [
            "ukraine",
            "russia",
            "trident ursa",
            "gamaredon",
            "dns flux",
            "phishing",
            "maldocs",
            "apt"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/trident-ursa/",
            "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
          ],
          "public": 1,
          "adversary": "Trident Ursa",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63a2aa8a89150b046cc1e835",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 84,
            "FileHash-SHA1": 86,
            "FileHash-SHA256": 229,
            "URL": 3,
            "domain": 555,
            "hostname": 7
          },
          "indicator_count": 964,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 264,
          "modified_text": "1181 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a1d1716eb178021b496cf5",
          "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
          "description": "Unit 42, a Palo Alto Networks cybersecurity research team, provides an update on Russia's advanced persistent threat (APT) group, Trident Ursa, which invaded Ukraine in February 2014 and continues to operate in cyberspace.",
          "modified": "2023-01-19T15:03:30.493000",
          "created": "2022-12-20T15:14:57.164000",
          "tags": [
            "threatactor/gamaredon",
            "threatactor/tridentursa",
            "threatactor.primitivebear",
            "threatactor/actinium"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/trident-ursa/#post-126209-_dyzu0g9z3zwx",
            "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
          ],
          "public": 1,
          "adversary": "Gamaredon",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Shadow Chaser",
              "display_name": "Shadow Chaser",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 101,
            "FileHash-SHA1": 102,
            "FileHash-SHA256": 255,
            "URL": 4,
            "domain": 578,
            "hostname": 7
          },
          "indicator_count": 1047,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "1181 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/trident-ursa/#post-126209-_dyzu0g9z3zwx",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt",
        "https://unit42.paloaltonetworks.com/trident-ursa/",
        "63a23e0f836cbe86e53b447b.csv",
        "https://raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Trident Ursa"
          ],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Trident Ursa",
            "Gamaredon"
          ],
          "malware_families": [
            "Shadow chaser"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "63a23e0f836cbe86e53b447b",
      "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
      "description": "As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine.",
      "modified": "2023-01-19T22:04:44.402000",
      "created": "2022-12-20T22:58:23.105000",
      "tags": [
        "ukraine",
        "russia",
        "trident ursa",
        "gamaredon",
        "dns flux",
        "phishing",
        "maldocs",
        "apt"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/trident-ursa/",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
      ],
      "public": 1,
      "adversary": "Trident Ursa",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1559",
          "name": "Inter-Process Communication",
          "display_name": "T1559 - Inter-Process Communication"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 502,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 84,
        "FileHash-SHA1": 86,
        "FileHash-SHA256": 229,
        "URL": 3,
        "domain": 555,
        "hostname": 7
      },
      "indicator_count": 964,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 376711,
      "modified_text": "1181 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5fa1ee5c64dc0e2060647954",
      "name": "Malware - Malware Domain Feed V2 - November 03 2020",
      "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.",
      "modified": "2026-03-07T21:39:10.926000",
      "created": "2020-11-03T23:57:16.317000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 109043,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "otxrobottwo_testing",
        "id": "83138",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 45549,
        "domain": 66426
      },
      "indicator_count": 111975,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 959,
      "modified_text": "38 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d90549c1c51747a7e34358",
      "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine (by AlienVault) enriched",
      "description": "",
      "modified": "2024-09-05T01:11:35.635000",
      "created": "2024-09-05T01:11:35.635000",
      "tags": [],
      "references": [
        "63a23e0f836cbe86e53b447b.csv",
        "https://unit42.paloaltonetworks.com/trident-ursa/"
      ],
      "public": 1,
      "adversary": "Trident Ursa",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 152,
        "FileHash-SHA1": 153,
        "FileHash-SHA256": 238,
        "URL": 2890,
        "domain": 557,
        "hostname": 1230
      },
      "indicator_count": 5220,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 179,
      "modified_text": "586 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65c2b5461ad2cb2f9e8d342d",
      "name": "Malware - Malware Domain Feed V2 - 11.93.2020  [Pulse by otxrobottwo_testing]",
      "description": "",
      "modified": "2024-02-06T22:40:06.188000",
      "created": "2024-02-06T22:40:06.188000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "5fa1ee5c64dc0e2060647954",
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 45530,
        "domain": 66406
      },
      "indicator_count": 111936,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "798 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65c2b543bc2adfd3eca5ff2b",
      "name": "Malware - Malware Domain Feed V2 - 11.93.2020  [Pulse by otxrobottwo_testing]",
      "description": "",
      "modified": "2024-02-06T22:40:03.501000",
      "created": "2024-02-06T22:40:03.501000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "5fa1ee5c64dc0e2060647954",
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 45530,
        "domain": 66406
      },
      "indicator_count": 111936,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 225,
      "modified_text": "798 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65c2b5405e6e9e23324e6d8e",
      "name": "Malware - Malware Domain Feed V2 - 11.93.2020  [Pulse by otxrobottwo_testing]",
      "description": "",
      "modified": "2024-02-06T22:40:00.906000",
      "created": "2024-02-06T22:40:00.906000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "5fa1ee5c64dc0e2060647954",
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 45530,
        "domain": 66406
      },
      "indicator_count": 111936,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 224,
      "modified_text": "798 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a2cca0231f4704fb04c1c8",
      "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
      "description": "As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine.",
      "modified": "2023-01-20T09:00:00.250000",
      "created": "2022-12-21T09:06:40.834000",
      "tags": [
        "domain",
        "ip address",
        "sample",
        "url https",
        "Gamaredon"
      ],
      "references": [
        "https://raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 32,
        "URL": 17,
        "FileHash-MD5": 96,
        "FileHash-SHA1": 96,
        "FileHash-SHA256": 241,
        "domain": 564
      },
      "indicator_count": 1046,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 843,
      "modified_text": "1180 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a2aa8a89150b046cc1e835",
      "name": "Russia\u2019s Trident Ursa ( Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
      "description": "",
      "modified": "2023-01-19T22:04:44.402000",
      "created": "2022-12-21T06:41:14.278000",
      "tags": [
        "ukraine",
        "russia",
        "trident ursa",
        "gamaredon",
        "dns flux",
        "phishing",
        "maldocs",
        "apt"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/trident-ursa/",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
      ],
      "public": 1,
      "adversary": "Trident Ursa",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1559",
          "name": "Inter-Process Communication",
          "display_name": "T1559 - Inter-Process Communication"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63a23e0f836cbe86e53b447b",
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 84,
        "FileHash-SHA1": 86,
        "FileHash-SHA256": 229,
        "URL": 3,
        "domain": 555,
        "hostname": 7
      },
      "indicator_count": 964,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 183,
      "modified_text": "1181 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a2d2a332d80ccb63f9ad94",
      "name": "Russia\u2019s Trident Ursa ( Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
      "description": "",
      "modified": "2023-01-19T22:04:44.402000",
      "created": "2022-12-21T09:32:19.584000",
      "tags": [
        "ukraine",
        "russia",
        "trident ursa",
        "gamaredon",
        "dns flux",
        "phishing",
        "maldocs",
        "apt"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/trident-ursa/",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
      ],
      "public": 1,
      "adversary": "Trident Ursa",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1559",
          "name": "Inter-Process Communication",
          "display_name": "T1559 - Inter-Process Communication"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63a2aa8a89150b046cc1e835",
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 84,
        "FileHash-SHA1": 86,
        "FileHash-SHA256": 229,
        "URL": 3,
        "domain": 555,
        "hostname": 7
      },
      "indicator_count": 964,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 264,
      "modified_text": "1181 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a1d1716eb178021b496cf5",
      "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
      "description": "Unit 42, a Palo Alto Networks cybersecurity research team, provides an update on Trident Ursa, an advanced persistent threat (APT) group belonging to Russia, which invaded Ukraine in February 2014; Trident Ursa continues to operate in cyberspace.",
      "modified": "2023-01-19T15:03:30.493000",
      "created": "2022-12-20T15:14:57.164000",
      "tags": [
        "threatactor/gamaredon",
        "threatactor/tridentursa",
        "threatactor.primitivebear",
        "threatactor/actinium"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/trident-ursa/#post-126209-_dyzu0g9z3zwx",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
      ],
      "public": 1,
      "adversary": "Gamaredon",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "Shadow Chaser",
          "display_name": "Shadow Chaser",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1559",
          "name": "Inter-Process Communication",
          "display_name": "T1559 - Inter-Process Communication"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "eric.ford",
        "id": "42510",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 101,
        "FileHash-SHA1": 102,
        "FileHash-SHA256": 255,
        "URL": 4,
        "domain": 578,
        "hostname": 7
      },
      "indicator_count": 1047,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "1181 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "type": "Domain",
    "indicator": "validih.shop",
    "stats": {
      "malicious": 16,
      "suspicious": 0,
      "harmless": 45,
      "undetected": 33,
      "total": 94,
      "verdict": "malicious",
      "ratio": "16/94"
    },
    "verdict": "malicious",
    "ratio": "16/94",
    "registrar": "Registrar of domain names REG.RU",
    "creation_date": 1670912488,
    "reputation": 0,
    "tags": [],
    "categories": {},
    "top_detections": [
      {
        "vendor": "ADMINUSLabs",
        "result": "malicious",
        "category": "malicious"
      },
      {
        "vendor": "Antiy-AVL",
        "result": "malicious",
        "category": "malicious"
      },
      {
        "vendor": "BitDefender",
        "result": "phishing",
        "category": "malicious"
      },
      {
        "vendor": "CRDF",
        "result": "malicious",
        "category": "malicious"
      },
      {
        "vendor": "Chong Lua Dao",
        "result": "malicious",
        "category": "malicious"
      },
      {
        "vendor": "CyRadar",
        "result": "malicious",
        "category": "malicious"
      },
      {
        "vendor": "ESET",
        "result": "malware",
        "category": "malicious"
      },
      {
        "vendor": "Forcepoint ThreatSeeker",
        "result": "malicious",
        "category": "malicious"
      },
      {
        "vendor": "Fortinet",
        "result": "malware",
        "category": "malicious"
      },
      {
        "vendor": "G-Data",
        "result": "phishing",
        "category": "malicious"
      }
    ],
    "last_analysis": 1775192652,
    "error": null
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "validih.shop",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776212540.9521315
}