{ "type": "Domain", "indicator": "validin.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/validin.com", "alexa": "http://www.alexa.com/siteinfo/validin.com", "indicator": "validin.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3750910594, "indicator": "validin.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69979ddcdbba1952fb51a3de", "name": "EbeeFeb2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-21T23:07:14.518000", "created": "2026-02-19T23:33:48.858000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20261281 cve", "uxxxxxx" ], "references": [ "IOCs2.csv" ], "public": 1, "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "CVE": 7, "FileHash-MD5": 193, "FileHash-SHA1": 148, "FileHash-SHA256": 205, "domain": 203, "hostname": 63 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "70 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699322538f5f568e2b4a5ada", "name": "Investigation on the EmEditor Supply Chain attack", "description": "The investigation into the EmEditor supply chain attack, highlighted in a report by Trend Micro, revolves around a rare type of cyber threat known as a watering hole attack, which specifically targets users of the EmEditor software. This tactic typically involves compromising websites frequented by the intended victims to serve malicious content or payloads.\n\nDuring the analysis phase, passive DNS resolution techniques were employed to trace additional IPs associated with the attack. The initial examination did not reveal any further URLs directly related to the command and control (C2) server identified by Trend Micro, which was http://cachingdrive.com, particularly the URL path \"/gate/init\". However, the investigation led to the discovery of a different domain with the path \"/gate/start/\", linked to a suspicious URL: hxxp://nc7d8p7u8j3n4hgm.com/gate/start/efeb550a. This suggests a potential expansion of the attack's infrastructure or alternative entry points.", "modified": "2026-03-18T13:03:51.671000", "created": "2026-02-16T13:57:39.133000", "tags": [ "emeditor supply", "chain attack" ], "references": [ "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 5, "domain": 11, "hostname": 1 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "74 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68cd3e87c34598454648d266", "name": "Magecart Skimmer Analysis: From One Tweet to a Campaign.", "description": "Recent investigations into Magecart campaigns have revealed a sophisticated approach to malicious JavaScript injection aimed at skimming payment data from compromised ecommerce websites. The analysis began with an initial observation from a single tweet referencing the potential involvement of a Magecart-style operation specifically targeting http://cc-analytics.com. This prompted further inquiry into the methods used by threat actors.\n\nKey to understanding the attack technique was the deobfuscation of malicious scripts. Analysts utilized a debugging method by prefixing the script with \"debugger;\" and executing it in browser developer tools. Additionally, they employed Python to decode the obfuscated strings, which utilized hexadecimal values and \\x representations, thereby simplifying the extraction of relevant content.", "modified": "2025-10-19T11:00:08.739000", "created": "2025-09-19T11:29:11.054000", "tags": [ "urlscan", "point", "debugger", "python trick", "python", "collect credit", "process my", "dom reference", "ip address", "magecart" ], "references": [ "https://blog.himanshuanand.com/posts/15-09-2025-magecart-skimmer-analysis/" ], "public": 1, "adversary": "Magecart", "targeted_countries": [], "malware_families": [ { "id": "Magecart", "display_name": "Magecart", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" } ], "industries": [ "Ecommerce" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 15, "hostname": 27 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "224 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b29c921a7b263e139a4d1b", "name": "Sindoor Dropper: New Phishing Campaign.", "description": "The Sindoor Dropper campaign represents an evolved phishing attack primarily targeting organizations in India. This campaign bears similarities to previous strategies associated with APT36, also known as Transparent Tribe. The attack employs a distinct method that utilizes weaponized .desktop files, specifically designed for Linux systems, to facilitate initial access.\n\nThe phishing vector involves a malicious .desktop file that masquerades as a legitimate document, displaying an icon similar to that of a PDF file. This social engineering tactic is aimed at enticing users to execute the file, thus initiating the infection chain. Upon execution, the .desktop file triggers a series of actions that include downloading a decoy document, a corrupted decryptor, and an encrypted downloader.", "modified": "2025-08-30T06:39:14.041000", "created": "2025-08-30T06:39:14.041000", "tags": [ "sindoor dropper", "iocs", "meshagent", "linux", "file name", "aes decryptor", "url description", "elf obfuscation", "go build", "windows", "virustotal", "agent", "desktop" ], "references": [ "https://www.nextron-systems.com/2025/08/29/sindoor-dropper-new-phishing-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MeshAgent", "display_name": "MeshAgent", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 1, "YARA": 4, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "274 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.nextron-systems.com/2025/08/29/sindoor-dropper-new-phishing-campaign/", "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack/", "IOCs2.csv", "https://blog.himanshuanand.com/posts/15-09-2025-magecart-skimmer-analysis/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Magecart", "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R" ], "malware_families": [ "Magecart", "Meshagent" ], "industries": [ "Ecommerce" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69979ddcdbba1952fb51a3de", "name": "EbeeFeb2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-21T23:07:14.518000", "created": "2026-02-19T23:33:48.858000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20261281 cve", "uxxxxxx" ], "references": [ "IOCs2.csv" ], "public": 1, "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "CVE": 7, "FileHash-MD5": 193, "FileHash-SHA1": 148, "FileHash-SHA256": 205, "domain": 203, "hostname": 63 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "70 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699322538f5f568e2b4a5ada", "name": "Investigation on the EmEditor Supply Chain attack", "description": "The investigation into the EmEditor supply chain attack, highlighted in a report by Trend Micro, revolves around a rare type of cyber threat known as a watering hole attack, which specifically targets users of the EmEditor software. This tactic typically involves compromising websites frequented by the intended victims to serve malicious content or payloads.\n\nDuring the analysis phase, passive DNS resolution techniques were employed to trace additional IPs associated with the attack. The initial examination did not reveal any further URLs directly related to the command and control (C2) server identified by Trend Micro, which was http://cachingdrive.com, particularly the URL path \"/gate/init\". However, the investigation led to the discovery of a different domain with the path \"/gate/start/\", linked to a suspicious URL: hxxp://nc7d8p7u8j3n4hgm.com/gate/start/efeb550a. This suggests a potential expansion of the attack's infrastructure or alternative entry points.", "modified": "2026-03-18T13:03:51.671000", "created": "2026-02-16T13:57:39.133000", "tags": [ "emeditor supply", "chain attack" ], "references": [ "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 5, "domain": 11, "hostname": 1 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "74 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68cd3e87c34598454648d266", "name": "Magecart Skimmer Analysis: From One Tweet to a Campaign.", "description": "Recent investigations into Magecart campaigns have revealed a sophisticated approach to malicious JavaScript injection aimed at skimming payment data from compromised ecommerce websites. The analysis began with an initial observation from a single tweet referencing the potential involvement of a Magecart-style operation specifically targeting http://cc-analytics.com. This prompted further inquiry into the methods used by threat actors.\n\nKey to understanding the attack technique was the deobfuscation of malicious scripts. Analysts utilized a debugging method by prefixing the script with \"debugger;\" and executing it in browser developer tools. Additionally, they employed Python to decode the obfuscated strings, which utilized hexadecimal values and \\x representations, thereby simplifying the extraction of relevant content.", "modified": "2025-10-19T11:00:08.739000", "created": "2025-09-19T11:29:11.054000", "tags": [ "urlscan", "point", "debugger", "python trick", "python", "collect credit", "process my", "dom reference", "ip address", "magecart" ], "references": [ "https://blog.himanshuanand.com/posts/15-09-2025-magecart-skimmer-analysis/" ], "public": 1, "adversary": "Magecart", "targeted_countries": [], "malware_families": [ { "id": "Magecart", "display_name": "Magecart", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" } ], "industries": [ "Ecommerce" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 15, "hostname": 27 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "224 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b29c921a7b263e139a4d1b", "name": "Sindoor Dropper: New Phishing Campaign.", "description": "The Sindoor Dropper campaign represents an evolved phishing attack primarily targeting organizations in India. This campaign bears similarities to previous strategies associated with APT36, also known as Transparent Tribe. The attack employs a distinct method that utilizes weaponized .desktop files, specifically designed for Linux systems, to facilitate initial access.\n\nThe phishing vector involves a malicious .desktop file that masquerades as a legitimate document, displaying an icon similar to that of a PDF file. This social engineering tactic is aimed at enticing users to execute the file, thus initiating the infection chain. Upon execution, the .desktop file triggers a series of actions that include downloading a decoy document, a corrupted decryptor, and an encrypted downloader.", "modified": "2025-08-30T06:39:14.041000", "created": "2025-08-30T06:39:14.041000", "tags": [ "sindoor dropper", "iocs", "meshagent", "linux", "file name", "aes decryptor", "url description", "elf obfuscation", "go build", "windows", "virustotal", "agent", "desktop" ], "references": [ "https://www.nextron-systems.com/2025/08/29/sindoor-dropper-new-phishing-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MeshAgent", "display_name": "MeshAgent", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 1, "YARA": 4, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "274 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "validin.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "validin.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780234755.9296958 }