{
  "type": "Domain",
  "indicator": "web3-authframe.top",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/web3-authframe.top",
    "alexa": "http://www.alexa.com/siteinfo/web3-authframe.top",
    "indicator": "web3-authframe.top",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4018217965,
      "indicator": "web3-authframe.top",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "67b31942143b95827551dee8",
          "name": "Don't Ghost the SocGholish: GhostWeaver Backdoor",
          "description": "The article details a sophisticated malware infection chain involving SocGholish, MintsLoader, and the GhostWeaver backdoor. The attack begins with a fake browser-update lure served from compromised websites and progresses through multiple stages to deploy a PowerShell backdoor and various plugins. These components work together to steal sensitive information, including browser credentials, cryptocurrency wallet data, and Outlook contents. The malware uses techniques such as process injection and JA3 (TLS client) fingerprint manipulation to evade detection, and web injection (man-in-the-browser) to intercept user data. The attackers primarily target machines that are not joined to an Active Directory domain, suggesting a focus on smaller organizations or individual users with weaker security measures.",
          "modified": "2025-03-19T11:05:48.444000",
          "created": "2025-02-17T11:10:58.724000",
          "tags": [
            "credential theft",
            "ghostweaver",
            "boinc",
            "cryptocurrency",
            "web injection",
            "juniper stealer",
            "socgholish",
            "powershell",
            "fakeupdates",
            "mintsloader",
            "backdoor",
            "netsupport rat"
          ],
          "references": [
            "https://trac-labs.com/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983"
          ],
          "public": 1,
          "adversary": "UNC4108",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SocGholish - S1124",
              "display_name": "SocGholish - S1124",
              "target": null
            },
            {
              "id": "FakeUpdates",
              "display_name": "FakeUpdates",
              "target": null
            },
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            },
            {
              "id": "GhostWeaver",
              "display_name": "GhostWeaver",
              "target": null
            },
            {
              "id": "BOINC",
              "display_name": "BOINC",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "Juniper Stealer",
              "display_name": "Juniper Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1573.002",
              "name": "Asymmetric Cryptography",
              "display_name": "T1573.002 - Asymmetric Cryptography"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 65,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 3,
            "FileHash-SHA256": 1,
            "URL": 4,
            "domain": 3
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386482,
          "modified_text": "437 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689481dbbbd16703c99f5f10",
          "name": "Collection of Malware (MintsLoader & SocGholish)",
          "description": "",
          "modified": "2025-09-06T10:00:39.896000",
          "created": "2025-08-07T10:37:15.375000",
          "tags": [],
          "references": [
            "Malware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 76,
            "FileHash-SHA1": 76,
            "FileHash-SHA256": 211,
            "URL": 115,
            "domain": 104,
            "hostname": 37
          },
          "indicator_count": 619,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "266 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f6ed2b564f00b7c5cb13f",
          "name": "Threatfox Recent Additions",
          "description": "",
          "modified": "2025-06-13T19:00:02.811000",
          "created": "2024-11-09T14:16:50.032000",
          "tags": [],
          "references": [
            "",
            "https://threatfox.abuse.ch/export/csv/recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 96,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 47587,
            "URL": 18714,
            "FileHash-SHA256": 36311,
            "FileHash-MD5": 1630,
            "FileHash-SHA1": 418,
            "hostname": 18190
          },
          "indicator_count": 122850,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "351 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67b400473e34e8cfea87c7d2",
          "name": "TTP - Don't Ghost the SocGholish: GhostWeaver Backdoor",
          "description": "\u672c\u6587\u7531 TRAC Labs \u64b0\u5199\uff0c\u6df1\u5165\u5206\u6790\u4e86 SocGholish\uff08\u53c8\u79f0 FakeUpdates\uff09\u6076\u610f\u8f6f\u4ef6\u7684\u5b8c\u6574\u611f\u67d3\u94fe\uff0c\u5e76\u63d0\u4f9b\u68c0\u6d4b\u89c4\u5219\u53ca\u5165\u4fb5\u6307\u6807\uff08IoCs\uff09\u3002\u653b\u51fb\u8005\u5229\u7528\u53d7\u611f\u67d3\u7f51\u7ad9\u6295\u653e\u4f2a\u9020\u6d4f\u89c8\u5668\u66f4\u65b0\uff0c\u8bf1\u5bfc\u7528\u6237\u4e0b\u8f7d\u6076\u610f JavaScript\uff08JS\uff09\u6587\u4ef6\uff0c\u4ece\u800c\u89e6\u53d1\u4e00\u7cfb\u5217\u653b\u51fb\u6d41\u7a0b\uff0c\u5305\u62ec\uff1a\n\nMintsLoader \u90e8\u7f72\uff1a\u4e0b\u8f7d\u5e76\u6267\u884c\u6df7\u6dc6\u7684 JavaScript \u52a0\u8f7d\u5668\u3002\nGhostWeaver \u540e\u95e8\u690d\u5165\uff1a\u4f7f\u7528 PowerShell \u8fd0\u884c\u540e\u95e8\uff0c\u5efa\u7acb C2 \u901a\u4fe1\u3002\n\u63d2\u4ef6\u6267\u884c\u4e0e\u6570\u636e\u7a83\u53d6\uff1a\u52a0\u8f7d\u591a\u4e2a\u63d2\u4ef6\uff0c\u7a83\u53d6\u51ed\u636e\u3001\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u53ca\u7f51\u9875\u6570\u636e\u3002\n\u6301\u4e45\u5316\u4e0e\u53cd\u68c0\u6d4b\u673a\u5236\uff1a\u52a8\u6001 DGA \u57df\u540d\u751f\u6210\u3001\u7ed5\u8fc7\u8bc1\u4e66\u9a8c\u8bc1\u3001JA3 \u6307\u7eb9\u89c4\u907f\u7b49\u6280\u672f\u3002\n\u6269\u5c55\u653b\u51fb\u8303\u56f4\uff1a\u9488\u5bf9\u975e AD \u7ed1\u5b9a\u7cfb\u7edf\uff0c\u8868\u660e\u653b\u51fb\u8005\u7684\u8d22\u52a1\u52a8\u673a\u3002",
          "modified": "2025-03-19T11:05:48.444000",
          "created": "2025-02-18T03:36:39.207000",
          "tags": [
            "credential theft",
            "ghostweaver",
            "boinc",
            "cryptocurrency",
            "web injection",
            "juniper stealer",
            "socgholish",
            "powershell",
            "fakeupdates",
            "mintsloader",
            "backdoor",
            "netsupport rat"
          ],
          "references": [
            "https://trac-labs.com/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983"
          ],
          "public": 1,
          "adversary": "UNC4108",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SocGholish - S1124",
              "display_name": "SocGholish - S1124",
              "target": null
            },
            {
              "id": "FakeUpdates",
              "display_name": "FakeUpdates",
              "target": null
            },
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            },
            {
              "id": "GhostWeaver",
              "display_name": "GhostWeaver",
              "target": null
            },
            {
              "id": "BOINC",
              "display_name": "BOINC",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "Juniper Stealer",
              "display_name": "Juniper Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1573.002",
              "name": "Asymmetric Cryptography",
              "display_name": "T1573.002 - Asymmetric Cryptography"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67b31942143b95827551dee8",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 3,
            "FileHash-SHA256": 1,
            "URL": 5,
            "domain": 3
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "437 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67924605088eafe31e1136f8",
          "name": "CERT - Orange Cyber MintsLoader IOCs",
          "description": "",
          "modified": "2025-01-23T13:37:09.594000",
          "created": "2025-01-23T13:37:09.594000",
          "tags": [
            "iocs",
            "mintsloader",
            "managed threat",
            "detection",
            "afaf09",
            "char",
            "alexis bonnefoi",
            "windows",
            "trojan",
            "powershell",
            "az09",
            "bronx",
            "yara",
            "team",
            "april",
            "august"
          ],
          "references": [
            "https://raw.githubusercontent.com/cert-orangecyberdefense/mintsloader/refs/heads/main/iocs",
            "https://raw.githubusercontent.com/cert-orangecyberdefense/mintsloader/refs/heads/main/yara_rules"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "VertekLabs",
            "id": "168455",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 13,
            "FileHash-SHA1": 12,
            "FileHash-SHA256": 200,
            "domain": 105,
            "YARA": 3
          },
          "indicator_count": 333,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 562,
          "modified_text": "492 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67703f9726ee81bc3afffe2e",
          "name": "TA582 Domains",
          "description": "TA582 Domains\nhttps://malasada.tech/silent-push-to-find-smartapesg-landupdate808-and-ta582-infra/",
          "modified": "2025-01-16T04:24:12.096000",
          "created": "2024-12-28T18:12:39.703000",
          "tags": [],
          "references": [
            "https://malasada.tech/silent-push-to-find-smartapesg-landupdate808-and-ta582-infra/"
          ],
          "public": 1,
          "adversary": "TA582",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "malasada.tech",
            "id": "277538",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 143,
            "hostname": 2
          },
          "indicator_count": 145,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 28,
          "modified_text": "500 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://raw.githubusercontent.com/cert-orangecyberdefense/mintsloader/refs/heads/main/iocs",
        "https://threatfox.abuse.ch/export/csv/recent/",
        "https://raw.githubusercontent.com/cert-orangecyberdefense/mintsloader/refs/heads/main/yara_rules",
        "https://malasada.tech/silent-push-to-find-smartapesg-landupdate808-and-ta582-infra/",
        "Malware.pdf",
        "https://trac-labs.com/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "UNC4108"
          ],
          "malware_families": [
            "Netsupport rat",
            "Boinc",
            "Ghostweaver",
            "Mintsloader",
            "Socgholish - s1124",
            "Fakeupdates",
            "Juniper stealer"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "UNC4108",
            "TA582"
          ],
          "malware_families": [
            "Netsupport rat",
            "Boinc",
            "Ghostweaver",
            "Mintsloader",
            "Socgholish - s1124",
            "Fakeupdates",
            "Juniper stealer"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "67b31942143b95827551dee8",
      "name": "Don't Ghost the SocGholish: GhostWeaver Backdoor",
      "description": "The article details a sophisticated malware infection chain involving SocGholish, MintsLoader, and the GhostWeaver backdoor. The attack begins with a fake browser-update lure served from compromised websites and progresses through multiple stages to deploy a PowerShell backdoor and various plugins. These components work together to steal sensitive information, including browser credentials, cryptocurrency wallet data, and Outlook contents. The malware uses techniques such as process injection and JA3 (TLS client) fingerprint manipulation to evade detection, and web injection (man-in-the-browser) to intercept user data. The attackers primarily target machines that are not joined to an Active Directory domain, suggesting a focus on smaller organizations or individual users with weaker security measures.",
      "modified": "2025-03-19T11:05:48.444000",
      "created": "2025-02-17T11:10:58.724000",
      "tags": [
        "credential theft",
        "ghostweaver",
        "boinc",
        "cryptocurrency",
        "web injection",
        "juniper stealer",
        "socgholish",
        "powershell",
        "fakeupdates",
        "mintsloader",
        "backdoor",
        "netsupport rat"
      ],
      "references": [
        "https://trac-labs.com/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983"
      ],
      "public": 1,
      "adversary": "UNC4108",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SocGholish - S1124",
          "display_name": "SocGholish - S1124",
          "target": null
        },
        {
          "id": "FakeUpdates",
          "display_name": "FakeUpdates",
          "target": null
        },
        {
          "id": "MintsLoader",
          "display_name": "MintsLoader",
          "target": null
        },
        {
          "id": "GhostWeaver",
          "display_name": "GhostWeaver",
          "target": null
        },
        {
          "id": "BOINC",
          "display_name": "BOINC",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        },
        {
          "id": "Juniper Stealer",
          "display_name": "Juniper Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1573.002",
          "name": "Asymmetric Cryptography",
          "display_name": "T1573.002 - Asymmetric Cryptography"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 65,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 3,
        "FileHash-SHA256": 1,
        "URL": 4,
        "domain": 3
      },
      "indicator_count": 11,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386482,
      "modified_text": "437 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689481dbbbd16703c99f5f10",
      "name": "Collection of Malware (MintsLoader & SocGholish)",
      "description": "",
      "modified": "2025-09-06T10:00:39.896000",
      "created": "2025-08-07T10:37:15.375000",
      "tags": [],
      "references": [
        "Malware.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 76,
        "FileHash-SHA1": 76,
        "FileHash-SHA256": 211,
        "URL": 115,
        "domain": 104,
        "hostname": 37
      },
      "indicator_count": 619,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "266 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f6ed2b564f00b7c5cb13f",
      "name": "Threatfox Recent Additions",
      "description": "",
      "modified": "2025-06-13T19:00:02.811000",
      "created": "2024-11-09T14:16:50.032000",
      "tags": [],
      "references": [
        "",
        "https://threatfox.abuse.ch/export/csv/recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 96,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 47587,
        "URL": 18714,
        "FileHash-SHA256": 36311,
        "FileHash-MD5": 1630,
        "FileHash-SHA1": 418,
        "hostname": 18190
      },
      "indicator_count": 122850,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "351 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67b400473e34e8cfea87c7d2",
      "name": "TTP - Don't Ghost the SocGholish: GhostWeaver Backdoor",
      "description": "\u672c\u6587\u7531 TRAC Labs \u64b0\u5199\uff0c\u6df1\u5165\u5206\u6790\u4e86 SocGholish\uff08\u53c8\u79f0 FakeUpdates\uff09\u6076\u610f\u8f6f\u4ef6\u7684\u5b8c\u6574\u611f\u67d3\u94fe\uff0c\u5e76\u63d0\u4f9b\u68c0\u6d4b\u89c4\u5219\u53ca\u5165\u4fb5\u6307\u6807\uff08IoCs\uff09\u3002\u653b\u51fb\u8005\u5229\u7528\u53d7\u611f\u67d3\u7f51\u7ad9\u6295\u653e\u4f2a\u9020\u6d4f\u89c8\u5668\u66f4\u65b0\uff0c\u8bf1\u5bfc\u7528\u6237\u4e0b\u8f7d\u6076\u610f JavaScript\uff08JS\uff09\u6587\u4ef6\uff0c\u4ece\u800c\u89e6\u53d1\u4e00\u7cfb\u5217\u653b\u51fb\u6d41\u7a0b\uff0c\u5305\u62ec\uff1a\n\nMintsLoader \u90e8\u7f72\uff1a\u4e0b\u8f7d\u5e76\u6267\u884c\u6df7\u6dc6\u7684 JavaScript \u52a0\u8f7d\u5668\u3002\nGhostWeaver \u540e\u95e8\u690d\u5165\uff1a\u4f7f\u7528 PowerShell \u8fd0\u884c\u540e\u95e8\uff0c\u5efa\u7acb C2 \u901a\u4fe1\u3002\n\u63d2\u4ef6\u6267\u884c\u4e0e\u6570\u636e\u7a83\u53d6\uff1a\u52a0\u8f7d\u591a\u4e2a\u63d2\u4ef6\uff0c\u7a83\u53d6\u51ed\u636e\u3001\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u53ca\u7f51\u9875\u6570\u636e\u3002\n\u6301\u4e45\u5316\u4e0e\u53cd\u68c0\u6d4b\u673a\u5236\uff1a\u52a8\u6001 DGA \u57df\u540d\u751f\u6210\u3001\u7ed5\u8fc7\u8bc1\u4e66\u9a8c\u8bc1\u3001JA3 \u6307\u7eb9\u89c4\u907f\u7b49\u6280\u672f\u3002\n\u6269\u5c55\u653b\u51fb\u8303\u56f4\uff1a\u9488\u5bf9\u975e AD \u7ed1\u5b9a\u7cfb\u7edf\uff0c\u8868\u660e\u653b\u51fb\u8005\u7684\u8d22\u52a1\u52a8\u673a\u3002",
      "modified": "2025-03-19T11:05:48.444000",
      "created": "2025-02-18T03:36:39.207000",
      "tags": [
        "credential theft",
        "ghostweaver",
        "boinc",
        "cryptocurrency",
        "web injection",
        "juniper stealer",
        "socgholish",
        "powershell",
        "fakeupdates",
        "mintsloader",
        "backdoor",
        "netsupport rat"
      ],
      "references": [
        "https://trac-labs.com/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983"
      ],
      "public": 1,
      "adversary": "UNC4108",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SocGholish - S1124",
          "display_name": "SocGholish - S1124",
          "target": null
        },
        {
          "id": "FakeUpdates",
          "display_name": "FakeUpdates",
          "target": null
        },
        {
          "id": "MintsLoader",
          "display_name": "MintsLoader",
          "target": null
        },
        {
          "id": "GhostWeaver",
          "display_name": "GhostWeaver",
          "target": null
        },
        {
          "id": "BOINC",
          "display_name": "BOINC",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        },
        {
          "id": "Juniper Stealer",
          "display_name": "Juniper Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1573.002",
          "name": "Asymmetric Cryptography",
          "display_name": "T1573.002 - Asymmetric Cryptography"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "67b31942143b95827551dee8",
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 3,
        "FileHash-SHA256": 1,
        "URL": 5,
        "domain": 3
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "437 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67924605088eafe31e1136f8",
      "name": "CERT - Orange Cyber MintsLoader IOCs",
      "description": "",
      "modified": "2025-01-23T13:37:09.594000",
      "created": "2025-01-23T13:37:09.594000",
      "tags": [
        "iocs",
        "mintsloader",
        "managed threat",
        "detection",
        "afaf09",
        "char",
        "alexis bonnefoi",
        "windows",
        "trojan",
        "powershell",
        "az09",
        "bronx",
        "yara",
        "team",
        "april",
        "august"
      ],
      "references": [
        "https://raw.githubusercontent.com/cert-orangecyberdefense/mintsloader/refs/heads/main/iocs",
        "https://raw.githubusercontent.com/cert-orangecyberdefense/mintsloader/refs/heads/main/yara_rules"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "MintsLoader",
          "display_name": "MintsLoader",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 26,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "VertekLabs",
        "id": "168455",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 13,
        "FileHash-SHA1": 12,
        "FileHash-SHA256": 200,
        "domain": 105,
        "YARA": 3
      },
      "indicator_count": 333,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 562,
      "modified_text": "492 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67703f9726ee81bc3afffe2e",
      "name": "TA582 Domains",
      "description": "TA582 Domains\nhttps://malasada.tech/silent-push-to-find-smartapesg-landupdate808-and-ta582-infra/",
      "modified": "2025-01-16T04:24:12.096000",
      "created": "2024-12-28T18:12:39.703000",
      "tags": [],
      "references": [
        "https://malasada.tech/silent-push-to-find-smartapesg-landupdate808-and-ta582-infra/"
      ],
      "public": 1,
      "adversary": "TA582",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "malasada.tech",
        "id": "277538",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 143,
        "hostname": 2
      },
      "indicator_count": 145,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 28,
      "modified_text": "500 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "web3-authframe.top",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "web3-authframe.top",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780204414.7165484
}