{
  "type": "Domain",
  "indicator": "verify-facebook.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/verify-facebook.com",
    "alexa": "http://www.alexa.com/siteinfo/verify-facebook.com",
    "indicator": "verify-facebook.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 208999959,
      "indicator": "verify-facebook.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "68d6996d3fa5189b9e5bce76",
          "name": "IOCs for phishing campaign using BitM pages",
          "description": "This intelligence report focuses on a phishing campaign that utilizes Browser-in-the-Middle (BitM) pages. The campaign likely involves sophisticated tactics to intercept and manipulate browser traffic, potentially allowing attackers to harvest credentials or inject malicious content. While specific details are not provided, the use of BitM techniques suggests a high level of technical sophistication and a targeted approach to compromising user data. The report appears to include Indicators of Compromise (IOCs) related to this campaign, which could be crucial for detecting and mitigating the threat.",
          "modified": "2025-10-26T13:04:29.817000",
          "created": "2025-09-26T13:47:25.539000",
          "tags": [
            "browser-in-the-middle",
            "phishing",
            "bitm"
          ],
          "references": [
            "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-23-IOCs-for-phishing-campaign-using-BitM-pages.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 42,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 12,
            "domain": 167,
            "hostname": 24
          },
          "indicator_count": 205,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386592,
          "modified_text": "217 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5a26d621cdfd16043af60a9a",
          "name": "Iranian cyber espionage against HBO, human rights activists, academic researchers and media outlets",
          "description": "Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes\ntheir vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation,\nmade up organizations and individuals, spear phishing and watering hole attacks. We analyze their\nexploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware\ndeveloped by the attackers, which has not been publicly documented to date.",
          "modified": "2017-12-05T17:23:45.194000",
          "created": "2017-12-05T17:23:45.194000",
          "tags": [
            "rocket kitten",
            "Turk Black Hat",
            "irgc",
            "iran"
          ],
          "references": [
            "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
          ],
          "public": 1,
          "adversary": "Charming Kitten",
          "targeted_countries": [
            "Israel"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Media",
            "NGO",
            "Human Rights",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 87,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 28,
            "domain": 219,
            "FileHash-SHA256": 6,
            "URL": 4,
            "hostname": 216,
            "FileHash-MD5": 45,
            "FileHash-SHA1": 8
          },
          "indicator_count": 526,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386705,
          "modified_text": "3099 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63456c2a30b92337ea1670e0",
          "name": "IOC Records Provided by @NextRayAI",
          "description": "This IOC report is provided and updated daily by NextRay AI Detection & Response Inc.",
          "modified": "2026-06-01T00:38:49.108000",
          "created": "2022-10-11T13:14:18.676000",
          "tags": [
            "Nextray",
            "cyber security",
            "ioc",
            "phishing",
            "malicious"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Turkey",
            "Ukraine",
            "Romania",
            "Czechia",
            "United Kingdom of Great Britain and Northern Ireland",
            "Norway",
            "Lithuania",
            "Estonia",
            "Latvia",
            "Poland",
            "Germany",
            "Canada",
            "France",
            "Denmark"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Defense",
            "Industrial",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1330,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "NextRay-AI",
            "id": "210822",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 498917,
            "IPv4": 64343,
            "IPv6": 459,
            "hostname": 59385,
            "URL": 166783,
            "CIDR": 5266,
            "FileHash-MD5": 29699,
            "FileHash-SHA256": 50449,
            "CVE": 348,
            "email": 914,
            "Mutex": 49,
            "FileHash-SHA1": 3453,
            "FilePath": 34
          },
          "indicator_count": 880099,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 300,
          "modified_text": "2 minutes ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6890294672c3c1090b7ee518",
          "name": "Phishing Attack Spoofs Facebook Login Page to Capture Credentials                  [by AustinBH]",
          "description": "",
          "modified": "2025-08-04T03:30:14.271000",
          "created": "2025-08-04T03:30:14.271000",
          "tags": [
            "july",
            "cyber security",
            "aman mishra",
            "facebook login",
            "google forms",
            "facebook",
            "bitb",
            "security",
            "checklist",
            "fake error",
            "red ransomware",
            "twitter",
            "june",
            "beware",
            "friday",
            "phishing",
            "teamviewer"
          ],
          "references": [
            "https://gbhackers.com/phishing-attack-spoofs-facebook-login-page/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6883f17d9b858a83aab3fc68",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 13
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "300 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68650f1136a4ca758ba1611a",
          "name": "Iranian APT actor-APT35 pt2",
          "description": "",
          "modified": "2025-08-01T10:03:06.225000",
          "created": "2025-07-02T10:50:57.084000",
          "tags": [],
          "references": [
            "APT35 pt2.pdf"
          ],
          "public": 1,
          "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "domain": 331,
            "email": 5,
            "hostname": 412
          },
          "indicator_count": 760,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "303 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "686510765c13a0e97e20cb9c",
          "name": "Iranian APT actor-APT35 pt3",
          "description": "",
          "modified": "2025-08-01T10:03:06.225000",
          "created": "2025-07-02T10:56:54.075000",
          "tags": [],
          "references": [
            "APT35 pt3.pdf"
          ],
          "public": 1,
          "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 124,
            "FileHash-SHA1": 103,
            "FileHash-SHA256": 106,
            "CVE": 6,
            "domain": 337,
            "email": 4,
            "hostname": 229
          },
          "indicator_count": 909,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "303 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6883f17d9b858a83aab3fc68",
          "name": "Phishing Attack Spoofs Facebook Login Page to Capture Credentials",
          "description": "",
          "modified": "2025-07-25T21:05:01.895000",
          "created": "2025-07-25T21:05:01.895000",
          "tags": [
            "july",
            "cyber security",
            "aman mishra",
            "facebook login",
            "google forms",
            "facebook",
            "bitb",
            "security",
            "checklist",
            "fake error",
            "red ransomware",
            "twitter",
            "june",
            "beware",
            "friday",
            "phishing",
            "teamviewer"
          ],
          "references": [
            "https://gbhackers.com/phishing-attack-spoofs-facebook-login-page/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AustinBH",
            "id": "147442",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 13
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 58,
          "modified_text": "310 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62da2a443f27d56616b9a530",
          "name": "Charming Kitten",
          "description": "A report by ClearSky Cyber Security, 2017, exposes a vast Iranian cyberespionage apparatus, which targets human rights activists, academic researchers and media outlets, and exposes the connection between an Iranian national recently indicted for hacking HBO.",
          "modified": "2022-08-20T00:02:32.698000",
          "created": "2022-07-22T04:40:36.129000",
          "tags": [
            "downpaper",
            "magichound.retriever",
            "rocket kitten",
            "flying kitten"
          ],
          "references": [
            "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
          ],
          "public": 1,
          "adversary": "Rocket Kitten",
          "targeted_countries": [
            "Saudi Arabia",
            "Denmark",
            "India",
            "United Arab Emirates",
            "Switzerland",
            "Germany",
            "France",
            "Turkey",
            "Israel",
            "United States of America",
            "Iran, Islamic Republic of"
          ],
          "malware_families": [
            {
              "id": "DownPaper",
              "display_name": "DownPaper",
              "target": null
            },
            {
              "id": "MAGICHOUND.RETRIEVER",
              "display_name": "MAGICHOUND.RETRIEVER",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            }
          ],
          "industries": [
            "Technology",
            "Government",
            "Energy",
            "Journalists",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 45,
            "FileHash-SHA1": 45,
            "FileHash-SHA256": 45,
            "URL": 9,
            "domain": 313,
            "email": 5,
            "hostname": 224
          },
          "indicator_count": 686,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 280,
          "modified_text": "1381 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://gbhackers.com/phishing-attack-spoofs-facebook-login-page/",
        "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-23-IOCs-for-phishing-campaign-using-BitM-pages.txt",
        "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
        "APT35 pt3.pdf",
        "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
        "APT35 pt2.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Charming Kitten"
          ],
          "malware_families": [],
          "industries": [
            "Education",
            "Media",
            "Human rights",
            "Ngo"
          ]
        },
        "other": {
          "adversary": [
            "Rocket Kitten",
            "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage"
          ],
          "malware_families": [
            "Downpaper",
            "Magichound.retriever"
          ],
          "industries": [
            "Technology",
            "Defense",
            "Government",
            "Journalists",
            "Media",
            "Energy",
            "Industrial"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "68d6996d3fa5189b9e5bce76",
      "name": "IOCs for phishing campaign using BitM pages",
      "description": "This intelligence report focuses on a phishing campaign that utilizes Browser-in-the-Middle (BitM) pages. The campaign likely involves sophisticated tactics to intercept and manipulate browser traffic, potentially allowing attackers to harvest credentials or inject malicious content. While specific details are not provided, the use of BitM techniques suggests a high level of technical sophistication and a targeted approach to compromising user data. The report appears to include Indicators of Compromise (IOCs) related to this campaign, which could be crucial for detecting and mitigating the threat.",
      "modified": "2025-10-26T13:04:29.817000",
      "created": "2025-09-26T13:47:25.539000",
      "tags": [
        "browser-in-the-middle",
        "phishing",
        "bitm"
      ],
      "references": [
        "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-23-IOCs-for-phishing-campaign-using-BitM-pages.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1187",
          "name": "Forced Authentication",
          "display_name": "T1187 - Forced Authentication"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 42,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 12,
        "domain": 167,
        "hostname": 24
      },
      "indicator_count": 205,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386592,
      "modified_text": "217 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5a26d621cdfd16043af60a9a",
      "name": "Iranian cyber espionage against HBO, human rights activists, academic researchers and media outlets",
      "description": "Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes\ntheir vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation,\nmade up organizations and individuals, spear phishing and watering hole attacks. We analyze their\nexploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware\ndeveloped by the attackers, which has not been publicly documented to date.",
      "modified": "2017-12-05T17:23:45.194000",
      "created": "2017-12-05T17:23:45.194000",
      "tags": [
        "rocket kitten",
        "Turk Black Hat",
        "irgc",
        "iran"
      ],
      "references": [
        "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
      ],
      "public": 1,
      "adversary": "Charming Kitten",
      "targeted_countries": [
        "Israel"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Media",
        "NGO",
        "Human Rights",
        "Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 87,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 28,
        "domain": 219,
        "FileHash-SHA256": 6,
        "URL": 4,
        "hostname": 216,
        "FileHash-MD5": 45,
        "FileHash-SHA1": 8
      },
      "indicator_count": 526,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386705,
      "modified_text": "3099 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63456c2a30b92337ea1670e0",
      "name": "IOC Records Provided by @NextRayAI",
      "description": "This IOC report is provided and updated daily by NextRay AI Detection & Response Inc.",
      "modified": "2026-06-01T00:38:49.108000",
      "created": "2022-10-11T13:14:18.676000",
      "tags": [
        "Nextray",
        "cyber security",
        "ioc",
        "phishing",
        "malicious"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Turkey",
        "Ukraine",
        "Romania",
        "Czechia",
        "United Kingdom of Great Britain and Northern Ireland",
        "Norway",
        "Lithuania",
        "Estonia",
        "Latvia",
        "Poland",
        "Germany",
        "Canada",
        "France",
        "Denmark"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Defense",
        "Industrial",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1330,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "NextRay-AI",
        "id": "210822",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 498917,
        "IPv4": 64343,
        "IPv6": 459,
        "hostname": 59385,
        "URL": 166783,
        "CIDR": 5266,
        "FileHash-MD5": 29699,
        "FileHash-SHA256": 50449,
        "CVE": 348,
        "email": 914,
        "Mutex": 49,
        "FileHash-SHA1": 3453,
        "FilePath": 34
      },
      "indicator_count": 880099,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 300,
      "modified_text": "2 minutes ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6890294672c3c1090b7ee518",
      "name": "Phishing Attack Spoofs Facebook Login Page to Capture Credentials                  [by AustinBH]",
      "description": "",
      "modified": "2025-08-04T03:30:14.271000",
      "created": "2025-08-04T03:30:14.271000",
      "tags": [
        "july",
        "cyber security",
        "aman mishra",
        "facebook login",
        "google forms",
        "facebook",
        "bitb",
        "security",
        "checklist",
        "fake error",
        "red ransomware",
        "twitter",
        "june",
        "beware",
        "friday",
        "phishing",
        "teamviewer"
      ],
      "references": [
        "https://gbhackers.com/phishing-attack-spoofs-facebook-login-page/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6883f17d9b858a83aab3fc68",
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 13
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "300 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68650f1136a4ca758ba1611a",
      "name": "Iranian APT actor-APT35 pt2",
      "description": "",
      "modified": "2025-08-01T10:03:06.225000",
      "created": "2025-07-02T10:50:57.084000",
      "tags": [],
      "references": [
        "APT35 pt2.pdf"
      ],
      "public": 1,
      "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "domain": 331,
        "email": 5,
        "hostname": 412
      },
      "indicator_count": 760,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "303 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "686510765c13a0e97e20cb9c",
      "name": "Iranian APT actor-APT35 pt3",
      "description": "",
      "modified": "2025-08-01T10:03:06.225000",
      "created": "2025-07-02T10:56:54.075000",
      "tags": [],
      "references": [
        "APT35 pt3.pdf"
      ],
      "public": 1,
      "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 124,
        "FileHash-SHA1": 103,
        "FileHash-SHA256": 106,
        "CVE": 6,
        "domain": 337,
        "email": 4,
        "hostname": 229
      },
      "indicator_count": 909,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "303 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6883f17d9b858a83aab3fc68",
      "name": "Phishing Attack Spoofs Facebook Login Page to Capture Credentials",
      "description": "",
      "modified": "2025-07-25T21:05:01.895000",
      "created": "2025-07-25T21:05:01.895000",
      "tags": [
        "july",
        "cyber security",
        "aman mishra",
        "facebook login",
        "google forms",
        "facebook",
        "bitb",
        "security",
        "checklist",
        "fake error",
        "red ransomware",
        "twitter",
        "june",
        "beware",
        "friday",
        "phishing",
        "teamviewer"
      ],
      "references": [
        "https://gbhackers.com/phishing-attack-spoofs-facebook-login-page/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AustinBH",
        "id": "147442",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 13
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 58,
      "modified_text": "310 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62da2a443f27d56616b9a530",
      "name": "Charming Kitten",
      "description": "A report by ClearSky Cyber Security, 2017, exposes a vast Iranian cyberespionage apparatus, which targets human rights activists, academic researchers and media outlets, and exposes the connection between that apparatus and an Iranian national recently indicted for hacking HBO.",
      "modified": "2022-08-20T00:02:32.698000",
      "created": "2022-07-22T04:40:36.129000",
      "tags": [
        "downpaper",
        "magichound.retriever",
        "rocket kitten",
        "flying kitten"
      ],
      "references": [
        "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
      ],
      "public": 1,
      "adversary": "Rocket Kitten",
      "targeted_countries": [
        "Saudi Arabia",
        "Denmark",
        "India",
        "United Arab Emirates",
        "Switzerland",
        "Germany",
        "France",
        "Turkey",
        "Israel",
        "United States of America",
        "Iran, Islamic Republic of"
      ],
      "malware_families": [
        {
          "id": "DownPaper",
          "display_name": "DownPaper",
          "target": null
        },
        {
          "id": "MAGICHOUND.RETRIEVER",
          "display_name": "MAGICHOUND.RETRIEVER",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        }
      ],
      "industries": [
        "Technology",
        "Government",
        "Energy",
        "Journalists",
        "Media"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 45,
        "FileHash-SHA1": 45,
        "FileHash-SHA256": 45,
        "URL": 9,
        "domain": 313,
        "email": 5,
        "hostname": 224
      },
      "indicator_count": 686,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 280,
      "modified_text": "1381 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "verify-facebook.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "verify-facebook.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780274465.932753
}