{ "type": "Domain", "indicator": "visualstudiomacupdate.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/visualstudiomacupdate.com", "alexa": "http://www.alexa.com/siteinfo/visualstudiomacupdate.com", "indicator": "visualstudiomacupdate.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3842514339, "indicator": "visualstudiomacupdate.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "67bf4431daee3fb074cce3dd", "name": "North Korean-Linked macOS Malware Targets Cryptocurrency Sector with RustDoor and Koi Stealer", "description": "A recent campaign attributed to North Korean threat actors has been identified, targeting macOS users in the cryptocurrency industry. The attackers employ sophisticated social engineering techniques, posing as recruiters to lure job-seeking software developers into downloading malicious software. The malware suite includes \"RustDoor,\" a Rust-based backdoor masquerading as legitimate software updates, and a previously undocumented macOS variant of \"Koi Stealer,\" designed to exfiltrate sensitive information", "modified": "2025-03-28T16:01:16.059000", "created": "2025-02-26T16:41:21.362000", "tags": [ "koi stealer", "studio helper", "rustdoor c2", "cryptocurrencies", "macos", "apt", "rust" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Koi Stealer", "display_name": "Koi Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "URL": 2, "domain": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 386852, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d5bd95f7d242057eaea534", "name": "RustDoor and GateDoor: A New Pair of Weapons Disguised as Legitimate Software by Suspected Cybercriminal", "description": "This report analyzes new macOS and Windows malware named RustDoor and GateDoor that are disguised as legitimate software updates. The malware communicates with C2 servers and can steal information, download files, and execute commands. The malware infrastructure appears related to the ShadowSyndicate cybercrime group.", "modified": "2024-03-22T09:05:08.625000", "created": "2024-02-21T09:08:37.285000", "tags": [ "macOS", "windows", "backdoor", "loader", "rust", "golang" ], "references": [ "https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40" ], "public": 1, "adversary": "ShadowSindicate", "targeted_countries": [], "malware_families": [ { "id": "RustDoor", "display_name": "RustDoor", "target": null }, { "id": "GateDoor", "display_name": "GateDoor", "target": null } ], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 427, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 34, "FileHash-SHA256": 45, "domain": 9 }, "indicator_count": 122, "is_author": false, "is_subscribing": null, "subscriber_count": 386851, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6890a840ec25470253f81c40", "name": "asdffg", "description": "", "modified": "2025-09-03T12:05:03.081000", "created": "2025-08-04T12:32:00.029000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 7, "hostname": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688e34f75fa052ff5a9fbb4d", "name": "Shadow syndicate infrastructure illumination", "description": "ShadowSyndicate has emerged as a notable threat actor in the ransomware-as-a-service (RaaS) landscape, utilizing a sophisticated network primarily based in Europe and allegedly operated from Russia. This group has been linked to prominent ransomware families such as Lockbit and Cl0p, characterized by a consistent Secure Shell (SSH) fingerprint across their servers that enhances their operational security and resilience against law enforcement. The group demonstrates connections to state-sponsored actors from China and North Korea, employing tactics that blend ransomware deployment with information manipulation strategies, particularly in socio-political contexts, including hack-and-leak operations targeting political figures during sensitive events like U.S. elections.", "modified": "2025-09-01T15:02:58.791000", "created": "2025-08-02T15:55:35.485000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-31072025-ShadowSyndicate-infrastructure-illumination-EN-1.pdf" ], "public": 1, "adversary": "ShadowSyndicate", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" } ], "industries": [ "Finance", "military", "Logistic", "Government", "Petroleum", "entertaiment", "Healthcare", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 25, "CVE": 4, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "URL": 11, "domain": 68, "email": 21, "hostname": 18 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c379a0e8a81219786ce9b7", "name": "BlueNoroff Targets macOS Cryptocurrency Users with Contagious Interview Campaign", "description": "", "modified": "2025-03-31T21:00:21.690000", "created": "2025-03-01T21:18:24.008000", "tags": [ "hxxps", "urls", "confidential", "p age", "hash", "sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "domain": 2 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c3782d7d7e4cada54a045f", "name": "DeceptiveDevelopment Targets Cryptocurrency Developers with Fake Job Interviews", "description": "", "modified": "2025-03-31T21:00:21.690000", "created": "2025-03-01T21:12:13.073000", "tags": [ "hxxps", "compromise", "urls", "sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "domain": 2 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c00d03934a9b34538207c9", "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector", "description": "", "modified": "2025-03-28T16:01:16.059000", "created": "2025-02-27T06:58:11.901000", "tags": [ "koi stealer", "studio helper", "rustdoor c2", "cryptocurrencies", "macos", "apt", "rust" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Koi Stealer", "display_name": "Koi Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "white", "cloned_from": "67bffe94eeea55f19bc590c7", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "URL": 2, "domain": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bffe94eeea55f19bc590c7", "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector", "description": "", "modified": "2025-03-28T16:01:16.059000", "created": "2025-02-27T05:56:36.853000", "tags": [ "koi stealer", "studio helper", "rustdoor c2", "cryptocurrencies", "macos", "apt", "rust" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Koi Stealer", "display_name": "Koi Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "white", "cloned_from": "67bf4431daee3fb074cce3dd", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "URL": 2, "domain": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bf119ff06473a3d9f47c79", "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector", "description": "Palo Alto Networks research has identified two new variants of malware targeting macOS, as well as a previously undocumented variant of a similar family family known as Koi Stealer, used by a North Korean threat actor.", "modified": "2025-03-28T13:01:13.638000", "created": "2025-02-26T13:05:35.516000", "tags": [ "koi stealer", "cortex xdr", "rustdoor", "c2 server", "unit", "figure", "applescript", "palo alto", "networks", "studio", "malware", "discord", "alliance", "infostealer", "rust", "download", "macho", "redline stealer", "stealer", "steam", "sentinel", "bluenoroff", "nullmixer", "rustbucket", "windows", "windows koi", "macos", "koi" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "RustDoor", "targeted_countries": [], "malware_families": [ { "id": "RustBucket", "display_name": "RustBucket", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "RustDoor", "display_name": "RustDoor", "target": null }, { "id": "Windows Koi", "display_name": "Windows Koi", "target": null }, { "id": "macOS", "display_name": "macOS", "target": null }, { "id": "Koi", "display_name": "Koi", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 16, "URL": 6, "domain": 2 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "563 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6650daa6e36fb1ef72c728c1", "name": "The Malware Hiding in The JAVS Viewer Installer", "description": "CYBER THREAT & InTELLIGENCE AWARENESS 2017: Pages 1 and 2.9.8.5m (0.7m) on Facebook, Twitter and Instagram.", "modified": "2024-06-23T18:03:20.415000", "created": "2024-05-24T18:21:26.790000", "tags": [ "cyber threat", "time", "crypto cyber", "defence", "page" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 44, "FileHash-SHA1": 44, "FileHash-SHA256": 45, "domain": 8 }, "indicator_count": 141, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "708 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660141d31c21a51dd7d87184", "name": "RustDoor and GateDoor: A New Pair of Weapons Disguised as Legitimate Software by Suspected Cybercriminal", "description": "", "modified": "2024-03-25T09:20:19.283000", "created": "2024-03-25T09:20:19.283000", "tags": [ "macOS", "windows", "backdoor", "loader", "rust", "golang" ], "references": [ "https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40" ], "public": 1, "adversary": "ShadowSindicate", "targeted_countries": [], "malware_families": [ { "id": "RustDoor", "display_name": "RustDoor", "target": null }, { "id": "GateDoor", "display_name": "GateDoor", "target": null } ], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65fb57a5a23596bc19e06c21", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 34, "FileHash-SHA256": 45, "domain": 9 }, "indicator_count": 122, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "799 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fb57a5a23596bc19e06c21", "name": "RustDoor and GateDoor: A New Pair of Weapons Disguised as Legitimate Software by Suspected Cybercriminal", "description": "", "modified": "2024-03-22T09:05:08.625000", "created": "2024-03-20T21:39:49.026000", "tags": [ "macOS", "windows", "backdoor", "loader", "rust", "golang" ], "references": [ "https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40" ], "public": 1, "adversary": "ShadowSindicate", "targeted_countries": [], "malware_families": [ { "id": "RustDoor", "display_name": "RustDoor", "target": null }, { "id": "GateDoor", "display_name": "GateDoor", "target": null } ], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65d5bd95f7d242057eaea534", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 34, "FileHash-SHA256": 45, "domain": 9 }, "indicator_count": 122, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d36f8ae2b434eff1b6fde9", "name": "RustDoor and GateDoor: A New Pair of Weapons Disguised as Legitimate Software by Suspected Cybercriminal", "description": "", "modified": "2024-03-20T15:03:17.575000", "created": "2024-02-19T15:11:06.171000", "tags": [ "rustdoor", "gatedoor", "c server", "golang", "rust", "apple", "base c2", "december", "bitdefender", "dict", "virustotal", "talon", "downloader", "august", "path", "keepalive", "download", "RustDoor", "GateDoor" ], "references": [ "https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 35, "FileHash-SHA1": 34, "FileHash-SHA256": 47, "URL": 2, "domain": 9 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "803 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-31072025-ShadowSyndicate-infrastructure-illumination-EN-1.pdf", "https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40", "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "related": { "alienvault": { "adversary": [ "ShadowSindicate" ], "malware_families": [ "Koi stealer", "Gatedoor", "Rustdoor" ], "industries": [] }, "other": { "adversary": [ "ShadowSindicate", "RustDoor", "ShadowSyndicate" ], "malware_families": [ "Windows", "Gatedoor", "Macos", "Rustbucket", "Koi stealer", "Rustdoor", "Koi", "Windows koi" ], "industries": [ "Finance", "Entertaiment", "Logistic", "Healthcare", "Military", "Telecommunications", "Petroleum", "Cryptocurrency", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "67bf4431daee3fb074cce3dd", "name": "North Korean-Linked macOS Malware Targets Cryptocurrency Sector with RustDoor and Koi Stealer", "description": "A recent campaign attributed to North Korean threat actors has been identified, targeting macOS users in the cryptocurrency industry. The attackers employ sophisticated social engineering techniques, posing as recruiters to lure job-seeking software developers into downloading malicious software. The malware suite includes \"RustDoor,\" a Rust-based backdoor masquerading as legitimate software updates, and a previously undocumented macOS variant of \"Koi Stealer,\" designed to exfiltrate sensitive information", "modified": "2025-03-28T16:01:16.059000", "created": "2025-02-26T16:41:21.362000", "tags": [ "koi stealer", "studio helper", "rustdoor c2", "cryptocurrencies", "macos", "apt", "rust" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Koi Stealer", "display_name": "Koi Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "URL": 2, "domain": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 386852, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d5bd95f7d242057eaea534", "name": "RustDoor and GateDoor: A New Pair of Weapons Disguised as Legitimate Software by Suspected Cybercriminal", "description": "This report analyzes new macOS and Windows malware named RustDoor and GateDoor that are disguised as legitimate software updates. The malware communicates with C2 servers and can steal information, download files, and execute commands. The malware infrastructure appears related to the ShadowSyndicate cybercrime group.", "modified": "2024-03-22T09:05:08.625000", "created": "2024-02-21T09:08:37.285000", "tags": [ "macOS", "windows", "backdoor", "loader", "rust", "golang" ], "references": [ "https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40" ], "public": 1, "adversary": "ShadowSindicate", "targeted_countries": [], "malware_families": [ { "id": "RustDoor", "display_name": "RustDoor", "target": null }, { "id": "GateDoor", "display_name": "GateDoor", "target": null } ], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 427, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 34, "FileHash-SHA256": 45, "domain": 9 }, "indicator_count": 122, "is_author": false, "is_subscribing": null, "subscriber_count": 386851, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6890a840ec25470253f81c40", "name": "asdffg", "description": "", "modified": "2025-09-03T12:05:03.081000", "created": "2025-08-04T12:32:00.029000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 7, "hostname": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688e34f75fa052ff5a9fbb4d", "name": "Shadow syndicate infrastructure illumination", "description": "ShadowSyndicate has emerged as a notable threat actor in the ransomware-as-a-service (RaaS) landscape, utilizing a sophisticated network primarily based in Europe and allegedly operated from Russia. This group has been linked to prominent ransomware families such as Lockbit and Cl0p, characterized by a consistent Secure Shell (SSH) fingerprint across their servers that enhances their operational security and resilience against law enforcement. The group demonstrates connections to state-sponsored actors from China and North Korea, employing tactics that blend ransomware deployment with information manipulation strategies, particularly in socio-political contexts, including hack-and-leak operations targeting political figures during sensitive events like U.S. elections.", "modified": "2025-09-01T15:02:58.791000", "created": "2025-08-02T15:55:35.485000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-31072025-ShadowSyndicate-infrastructure-illumination-EN-1.pdf" ], "public": 1, "adversary": "ShadowSyndicate", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" } ], "industries": [ "Finance", "military", "Logistic", "Government", "Petroleum", "entertaiment", "Healthcare", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 25, "CVE": 4, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "URL": 11, "domain": 68, "email": 21, "hostname": 18 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c379a0e8a81219786ce9b7", "name": "BlueNoroff Targets macOS Cryptocurrency Users with Contagious Interview Campaign", "description": "", "modified": "2025-03-31T21:00:21.690000", "created": "2025-03-01T21:18:24.008000", "tags": [ "hxxps", "urls", "confidential", "p age", "hash", "sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "domain": 2 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c3782d7d7e4cada54a045f", "name": "DeceptiveDevelopment Targets Cryptocurrency Developers with Fake Job Interviews", "description": "", "modified": "2025-03-31T21:00:21.690000", "created": "2025-03-01T21:12:13.073000", "tags": [ "hxxps", "compromise", "urls", "sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "domain": 2 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c00d03934a9b34538207c9", "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector", "description": "", "modified": "2025-03-28T16:01:16.059000", "created": "2025-02-27T06:58:11.901000", "tags": [ "koi stealer", "studio helper", "rustdoor c2", "cryptocurrencies", "macos", "apt", "rust" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Koi Stealer", "display_name": "Koi Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "white", "cloned_from": "67bffe94eeea55f19bc590c7", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "URL": 2, "domain": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bffe94eeea55f19bc590c7", "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector", "description": "", "modified": "2025-03-28T16:01:16.059000", "created": "2025-02-27T05:56:36.853000", "tags": [ "koi stealer", "studio helper", "rustdoor c2", "cryptocurrencies", "macos", "apt", "rust" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Koi Stealer", "display_name": "Koi Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "white", "cloned_from": "67bf4431daee3fb074cce3dd", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 15, "URL": 2, "domain": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bf119ff06473a3d9f47c79", "name": "RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector", "description": "Palo Alto Networks research has identified two new variants of malware targeting macOS, as well as a previously undocumented variant of a similar family family known as Koi Stealer, used by a North Korean threat actor.", "modified": "2025-03-28T13:01:13.638000", "created": "2025-02-26T13:05:35.516000", "tags": [ "koi stealer", "cortex xdr", "rustdoor", "c2 server", "unit", "figure", "applescript", "palo alto", "networks", "studio", "malware", "discord", "alliance", "infostealer", "rust", "download", "macho", "redline stealer", "stealer", "steam", "sentinel", "bluenoroff", "nullmixer", "rustbucket", "windows", "windows koi", "macos", "koi" ], "references": [ "https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/" ], "public": 1, "adversary": "RustDoor", "targeted_countries": [], "malware_families": [ { "id": "RustBucket", "display_name": "RustBucket", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "RustDoor", "display_name": "RustDoor", "target": null }, { "id": "Windows Koi", "display_name": "Windows Koi", "target": null }, { "id": "macOS", "display_name": "macOS", "target": null }, { "id": "Koi", "display_name": "Koi", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 16, "URL": 6, "domain": 2 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "visualstudiomacupdate.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "visualstudiomacupdate.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780392514.9244792 }