{
  "type": "Domain",
  "indicator": "webex-install.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/webex-install.com",
    "alexa": "http://www.alexa.com/siteinfo/webex-install.com",
    "indicator": "webex-install.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3882145559,
      "indicator": "webex-install.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 20,
      "pulses": [
        {
          "id": "684c90509889eb77ff43d758",
          "name": "New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks",
          "description": "Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.",
          "modified": "2025-07-13T20:04:30.723000",
          "created": "2025-06-13T20:55:44.654000",
          "tags": [
            "fake updates",
            "powernet",
            "7-zip",
            "infrastructure",
            "fin7",
            "tag-124",
            "netsupport rat",
            "maskbat"
          ],
          "references": [
            "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat",
            "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg"
          ],
          "public": 1,
          "adversary": "GrayAlpha",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "PowerNet",
              "display_name": "PowerNet",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "MaskBat",
              "display_name": "MaskBat",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.011",
              "name": "Rundll32",
              "display_name": "T1218.011 - Rundll32"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            },
            {
              "id": "T1584.001",
              "name": "Domains",
              "display_name": "T1584.001 - Domains"
            }
          ],
          "industries": [
            "Retail",
            "Hospitality",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 42,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 33,
            "FileHash-SHA1": 33,
            "FileHash-SHA256": 158,
            "URL": 6,
            "domain": 145,
            "hostname": 1
          },
          "indicator_count": 376,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386956,
          "modified_text": "324 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "668fc73a5d94ad96c0882bb8",
          "name": "FIN7: Silent Push unearths 4000+ phishing and shell domains",
          "description": "Silent Push threat analysts have uncovered an extensive series of campaigns linked to the FIN7 cybercrime group, including several hundred active phishing, spoofing, shell and malware delivery domains and IPs targeting various organizations. The campaigns utilize over 4000 domains and subdomains, with nearly half active in the past week. Prominent global brands like Louvre Museum, Meta, Reuters, Microsoft, and others have been targeted. The group employs tactics like spearphishing, malware distribution, and renting infrastructure from bulletproof hosting providers.",
          "modified": "2024-08-10T11:01:44.011000",
          "created": "2024-07-11T11:51:22.823000",
          "tags": [
            "eugenloader",
            "spoofing",
            "gracewire",
            "phishing",
            "carbanak",
            "anunak",
            ""
          ],
          "references": [
            "https://www.silentpush.com/blog/fin7/"
          ],
          "public": 1,
          "adversary": "FIN7",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Carbanak - S0030",
              "display_name": "Carbanak - S0030",
              "target": null
            },
            {
              "id": "Anunak",
              "display_name": "Anunak",
              "target": null
            },
            {
              "id": "Gracewire",
              "display_name": "Gracewire",
              "target": null
            },
            {
              "id": "EugenLoader",
              "display_name": "EugenLoader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Retail",
            "Hospitality",
            "Technology",
            "Consulting",
            "Finance",
            "Healthcare",
            "Media",
            "Transportation",
            "Utilities"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 320,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA256": 17,
            "URL": 5,
            "domain": 62,
            "hostname": 6
          },
          "indicator_count": 91,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386956,
          "modified_text": "661 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6783308fc0b6e2bd8dfb209c",
          "name": "TTC-CERT_blocklist_recommended",
          "description": "",
          "modified": "2026-02-14T00:03:07.406000",
          "created": "2025-01-12T03:01:35.075000",
          "tags": [],
          "references": [
            "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 606,
            "URL": 4,
            "domain": 25122,
            "hostname": 25306
          },
          "indicator_count": 51038,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "108 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684fc08ec1f449ae3711bff0",
          "name": "From Ideology to Financial Gain: Exploring the Convergence from Hacktivism to Cybercrime.",
          "description": "Recent trends in cyber threats reveal a significant shift as hacktivist groups such as FunkSec, KillSec, and GhostSec increasingly engage in financially motivated cybercrime, blending traditional hacktivism with ransomware operations. FunkSec has transitioned from political activism to a ransomware-as-a-service (RaaS) model, claiming at least 172 victims and leveraging generative AI for rapid victim acquisition. KillSec, aligning with the Russian cyber realm, has adopted customizable ransomware solutions and implemented double extortion tactics to enhance its monetization strategies. GhostSec, initially rooted in hacktivism, has forged partnerships with cybercriminals, launching its own RaaS offering, GhostLocker, while also returning to political motivations after securing funding through these illicit activities.",
          "modified": "2025-07-16T06:01:43.026000",
          "created": "2025-06-16T06:58:22.198000",
          "tags": [
            "strong",
            "title",
            "link",
            "summary",
            "threats",
            "grayalpha",
            "rst cloud",
            "powershell",
            "discord",
            "katz stealer",
            "funksec",
            "killsec",
            "february",
            "ghostlocker",
            "werewolf",
            "hammer",
            "shadowpad",
            "scatterbrain",
            "asyncrat",
            "loader",
            "malware",
            "muddywater",
            "skuld",
            "remote access",
            "javascript"
          ],
          "references": [
            "https://medium.com/@rst_cloud/rst-ti-report-digest-16-jun-2025-fccf30fd48a2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ShadowPad",
              "display_name": "ShadowPad",
              "target": null
            },
            {
              "id": "Skuld",
              "display_name": "Skuld",
              "target": null
            },
            {
              "id": "Remote Access",
              "display_name": "Remote Access",
              "target": null
            },
            {
              "id": "JavaScript",
              "display_name": "JavaScript",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Financial"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 36,
            "FileHash-MD5": 249,
            "FileHash-SHA1": 112,
            "FileHash-SHA256": 244,
            "CVE": 1,
            "domain": 232,
            "email": 2,
            "hostname": 67
          },
          "indicator_count": 943,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "321 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684ef8a0dd98ef690862f85a",
          "name": "GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT.",
          "description": "Insikt Group has uncovered new infrastructure and malware associated with GrayAlpha, a cyber threat actor with ties to the financially motivated group FIN7. Specifically, three primary infection vectors have been identified: fake browser updates, malicious 7-Zip download pages, and a traffic distribution system (TDS) known as TAG-124, which had not been linked to GrayAlpha previously. The threat actor employs a new PowerShell loader called PowerNet and an obfuscated variant of FakeBat dubbed MaskBat, both of which facilitate the delivery of the NetSupport Remote Access Trojan (RAT).",
          "modified": "2025-07-15T16:04:55.152000",
          "created": "2025-06-15T16:45:20.658000",
          "tags": [],
          "references": [
            "https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 1,
            "FileHash-MD5": 33,
            "FileHash-SHA1": 33,
            "FileHash-SHA256": 158,
            "URL": 8,
            "domain": 143,
            "email": 4,
            "hostname": 1
          },
          "indicator_count": 381,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "322 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6853d0f0f31f3f1ceda90e69",
          "name": "IOC - New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks",
          "description": "",
          "modified": "2025-07-13T20:04:30.723000",
          "created": "2025-06-19T08:57:20.036000",
          "tags": [
            "fake updates",
            "powernet",
            "7-zip",
            "infrastructure",
            "fin7",
            "tag-124",
            "netsupport rat",
            "maskbat"
          ],
          "references": [
            "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat",
            "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg"
          ],
          "public": 1,
          "adversary": "GrayAlpha",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "PowerNet",
              "display_name": "PowerNet",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "MaskBat",
              "display_name": "MaskBat",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.011",
              "name": "Rundll32",
              "display_name": "T1218.011 - Rundll32"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            },
            {
              "id": "T1584.001",
              "name": "Domains",
              "display_name": "T1584.001 - Domains"
            }
          ],
          "industries": [
            "Retail",
            "Hospitality",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": "684c90509889eb77ff43d758",
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 33,
            "FileHash-SHA1": 33,
            "FileHash-SHA256": 158,
            "URL": 6,
            "domain": 145,
            "hostname": 1
          },
          "indicator_count": 376,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "324 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ae825ee4680bf980f21c4e",
          "name": "FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT",
          "description": "A group known as FIN7 has been using Google ads to lure users into downloading malware, according to a report published this week by cybersecurity firm eSentire and the Microsoft Security Research Center.",
          "modified": "2025-03-15T23:04:39.639000",
          "created": "2025-02-13T23:38:05.365000",
          "tags": [
            "path",
            "span",
            "button",
            "link",
            "script",
            "template",
            "github",
            "form",
            "footer",
            "overlay",
            "code",
            "meta",
            "asyncrat",
            "reload",
            "diceloader",
            "find",
            "close",
            "amos",
            "stealer",
            "autoit",
            "darkvnc",
            "ducktail",
            "lumma stealer",
            "icedid",
            "lazarus",
            "mintsloader",
            "pikabot",
            "venomrat",
            "webdav",
            "solarmarker",
            "stealc",
            "download",
            "body",
            "write",
            "small",
            "enterprise",
            "star",
            "courier",
            "copy",
            "open",
            "main",
            "contact",
            "cyber security news",
            "cyber news",
            "cyber security news today",
            "cyber security updates",
            "cyber updates",
            "hacker news",
            "hacking news",
            "software vulnerability",
            "cyber attacks",
            "data breach",
            "ransomware malware",
            "how to hack",
            "network security",
            "information security",
            "the hacker news",
            "computer security",
            "fin7",
            "netsupport rat",
            "google",
            "msix",
            "blackrock",
            "asana",
            "wall street",
            "journal",
            "google meet",
            "powertrash",
            "anydesk",
            "winscp",
            "carbanak",
            "powerplant",
            "termite",
            "gracewire",
            "april",
            "fakeupdates",
            "rats",
            "twitter",
            "netsupport"
          ],
          "references": [
            "https://github.com/esThreatIntelligence/iocs/blob/main/FIN7/FIN7_IOCs_5-3-2024.txt",
            "https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html"
          ],
          "public": 1,
          "adversary": "FIN7",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "POWERTRASH",
              "display_name": "POWERTRASH",
              "target": null
            },
            {
              "id": "BlackRock",
              "display_name": "BlackRock",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 39,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Armature_TIP",
            "id": "308911",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 14,
            "domain": 45,
            "hostname": 1
          },
          "indicator_count": 70,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "443 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f73a3f45fa88890276d",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:23.616000",
          "created": "2024-11-24T03:37:23.616000",
          "tags": [
            "eliminar",
            "leer más",
            "wishlist vista",
            "política",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "555 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f7224d433f384b935c8",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:22.551000",
          "created": "2024-11-24T03:37:22.551000",
          "tags": [
            "eliminar",
            "leer más",
            "wishlist vista",
            "política",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "555 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "670f94e03014212e19fa5a77",
          "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
          "description": "By Helaly",
          "modified": "2024-11-15T10:01:11.688000",
          "created": "2024-10-16T10:26:40.893000",
          "tags": [
            "eliminar",
            "leer más",
            "wishlist vista",
            "política",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 39659,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 80,
          "modified_text": "564 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "669e18bc3f9085063790518d",
          "name": "Web Sites Used by FIN7 Mimic Popular Brands",
          "description": "Collection of web sites (domains, hostnames and URLs) used by FIN7 that mimic popular brands.",
          "modified": "2024-08-21T08:01:05.957000",
          "created": "2024-07-22T08:30:52.939000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4,
            "domain": 58,
            "hostname": 6
          },
          "indicator_count": 68,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "650 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "669113e7fa7f312d7c20b425",
          "name": "FIN7: Silent Push unearths 4000+ phishing and shell domains",
          "description": "A year after the US Department of Justice (DOJ) claimed victory over a major cyber-attack group known as FIN7, Silent Push has uncovered a new wave of attacks targeting global brands.",
          "modified": "2024-08-11T11:05:01.714000",
          "created": "2024-07-12T11:30:46.873000",
          "tags": [
            "fin7",
            "stark",
            "fin7 malware",
            "meta",
            "microsoft",
            "silent push",
            "reuters",
            "fin7 ttps",
            "louvre museum",
            "webex",
            "python",
            "push",
            "impact",
            "ransomware",
            "sharepoint",
            "twitter",
            "anydesk",
            "april",
            "fraud",
            "impacket",
            "combi",
            "cyber",
            "june",
            "union",
            "paris",
            "exodus",
            "phantom",
            "ukraine",
            "requires",
            "carbanak",
            "download",
            "enterprise",
            "click",
            "back",
            "netsupport",
            "rms"
          ],
          "references": [
            "https://www.silentpush.com/blog/fin7/"
          ],
          "public": 1,
          "adversary": "FIN7",
          "targeted_countries": [
            "United States of America",
            "Iran, Islamic Republic of"
          ],
          "malware_families": [
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "RMS",
              "display_name": "RMS",
              "target": null
            },
            {
              "id": "FIN7",
              "display_name": "FIN7",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Bank"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 18,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 18,
            "URL": 8,
            "domain": 63,
            "hostname": 6
          },
          "indicator_count": 131,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "660 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664ef754aed8040246df6b17",
          "name": "FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads",
          "description": "",
          "modified": "2024-06-19T00:02:58.897000",
          "created": "2024-05-23T07:59:16.500000",
          "tags": [
            "FIN7",
            "C2s",
            "diceloader c2"
          ],
          "references": [
            "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt",
            "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Russian Federation",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "664af48a9759d9c47027ae76",
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 20,
            "FileHash-MD5": 5,
            "domain": 24,
            "hostname": 1
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "713 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664af48a9759d9c47027ae76",
          "name": "FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads",
          "description": "In April 2024, eSentire\u2019s Threat Response Unit (TRU) observed multiple incidents involving FIN7, a financially motivated threat group based in Russia that has been active since 2013. The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet.",
          "modified": "2024-06-19T00:02:58.897000",
          "created": "2024-05-20T06:58:18.216000",
          "tags": [
            "FIN7",
            "C2s",
            "diceloader c2"
          ],
          "references": [
            "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt",
            "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Russian Federation",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 20,
            "FileHash-MD5": 5,
            "domain": 24,
            "hostname": 1
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "713 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664308c684d8735f866694b3",
          "name": "FIN7 Group Uses Malicious Google Ads for NetSupport RAT Delivery",
          "description": "",
          "modified": "2024-06-13T06:02:39.333000",
          "created": "2024-05-14T06:46:30.502000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 47,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 15,
            "URL": 12,
            "hostname": 3
          },
          "indicator_count": 85,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "719 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664240ec762f0effd3cd2001",
          "name": "FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads",
          "description": "In April 2024, eSentire\u2019s Threat Response Unit (TRU) observed multiple incidents involving FIN7, a financially motivated threat group based in Russia that has been active since 2013. The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet.",
          "modified": "2024-06-12T16:01:44.583000",
          "created": "2024-05-13T16:33:48.823000",
          "tags": [
            "fin7 c2s",
            "diceloader c2",
            "diceloader"
          ],
          "references": [
            "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt",
            "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AustinBH",
            "id": "147442",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 48,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 2,
            "hostname": 2
          },
          "indicator_count": 61,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 57,
          "modified_text": "720 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6641e1a2d4749d038f20e74f",
          "name": "FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT",
          "description": "The financially motivated threat actor known as FIN7 has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of NetSupport RAT.\n\n\"The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet,\" cybersecurity firm eSentire said in a report published earlier this week.",
          "modified": "2024-06-12T09:05:01.533000",
          "created": "2024-05-13T09:47:14.971000",
          "tags": [
            "figure",
            "netsupport rat",
            "fin7",
            "threat response",
            "unit",
            "diceloader",
            "msix",
            "msix file",
            "c2 server",
            "python payload",
            "cyber",
            "april",
            "anydesk",
            "winscp",
            "blackrock",
            "updater",
            "schtasks",
            "phishing",
            "python",
            "netsupport",
            "diceloader c2"
          ],
          "references": [
            "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads",
            "https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BlackRock",
              "display_name": "BlackRock",
              "target": null
            },
            {
              "id": "FIN7",
              "display_name": "FIN7",
              "target": null
            },
            {
              "id": "MSIX",
              "display_name": "MSIX",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Construction",
            "Finance",
            "Legal",
            "Manufacturing",
            "Healthcare",
            "Retail",
            "Food",
            "Government",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 304,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dekaRituraj",
            "id": "99856",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 44,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 2,
            "hostname": 1
          },
          "indicator_count": 56,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 433,
          "modified_text": "720 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6641ae33d2b5b0a2fcc9ebae",
          "name": "eSentire | FIN7 Uses Trusted Brands and Sponsored Google Ads to\u2026",
          "description": "eSentire's Threat Response Unit (TRU) reported FIN7 using malicious websites that impersonate well-known brands (AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, Google Meet), promoted through sponsored Google Ads, to distribute MSIX installers that lead to NetSupport RAT and DiceLoader. See the referenced eSentire report and IOC list.",
          "modified": "2024-06-12T06:01:34.035000",
          "created": "2024-05-13T06:07:47.725000",
          "tags": [
            "figure",
            "netsupport rat",
            "fin7",
            "threat response",
            "unit",
            "diceloader",
            "msix",
            "msix file",
            "c2 server",
            "python payload",
            "cyber",
            "april",
            "anydesk",
            "winscp",
            "blackrock",
            "updater",
            "schtasks",
            "phishing",
            "fin7 c2s",
            "diceloader c2",
            "python",
            "netsupport"
          ],
          "references": [
            "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads",
            "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BlackRock",
              "display_name": "BlackRock",
              "target": null
            },
            {
              "id": "FIN7",
              "display_name": "FIN7",
              "target": null
            },
            {
              "id": "MSIX",
              "display_name": "MSIX",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Construction",
            "Finance",
            "Legal",
            "Manufacturing",
            "Healthcare",
            "Retail",
            "Food",
            "Government",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 5,
            "domain": 44,
            "hostname": 1
          },
          "indicator_count": 60,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "720 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6641ae1448d96e0d9e91786d",
          "name": "eSentire | FIN7 Uses Trusted Brands and Sponsored Google Ads to\u2026",
          "description": "eSentire's Threat Response Unit (TRU) reported FIN7 using malicious websites that impersonate well-known brands (AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, Google Meet), promoted through sponsored Google Ads, to distribute MSIX installers that lead to NetSupport RAT and DiceLoader. See the referenced eSentire report and IOC list.",
          "modified": "2024-06-12T06:01:34.035000",
          "created": "2024-05-13T06:07:16.405000",
          "tags": [
            "figure",
            "netsupport rat",
            "fin7",
            "threat response",
            "unit",
            "diceloader",
            "msix",
            "msix file",
            "c2 server",
            "python payload",
            "cyber",
            "april",
            "anydesk",
            "winscp",
            "blackrock",
            "updater",
            "schtasks",
            "phishing",
            "fin7 c2s",
            "diceloader c2",
            "python",
            "netsupport"
          ],
          "references": [
            "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads",
            "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BlackRock",
              "display_name": "BlackRock",
              "target": null
            },
            {
              "id": "FIN7",
              "display_name": "FIN7",
              "target": null
            },
            {
              "id": "MSIX",
              "display_name": "MSIX",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Construction",
            "Finance",
            "Legal",
            "Manufacturing",
            "Healthcare",
            "Retail",
            "Food",
            "Government",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 5,
            "domain": 44,
            "hostname": 1
          },
          "indicator_count": 60,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "720 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66317b2def1d16b06c19c827",
          "name": "Twitter Feed - 500mk500 - 30-04-2024",
          "description": "",
          "modified": "2024-04-30T23:13:49.696000",
          "created": "2024-04-30T23:13:49.696000",
          "tags": [],
          "references": [
            "https://twitter.com/500mk500/status/1785404303051542583",
            "https://twitter.com/500mk500/status/1785412421500207554"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 7,
            "URL": 8,
            "hostname": 1
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "762 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://medium.com/@rst_cloud/rst-ti-report-digest-16-jun-2025-fccf30fd48a2",
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt",
        "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads",
        "https://twitter.com/500mk500/status/1785412421500207554",
        "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt",
        "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat",
        "https://github.com/esThreatIntelligence/iocs/blob/main/FIN7/FIN7_IOCs_5-3-2024.txt",
        "https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdf",
        "https://twitter.com/500mk500/status/1785404303051542583",
        "https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html",
        "https://www.silentpush.com/blog/fin7/",
        "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "FIN7",
            "GrayAlpha"
          ],
          "malware_families": [
            "Carbanak - s0030",
            "Maskbat",
            "Eugenloader",
            "Netsupport rat",
            "Powernet",
            "Anunak",
            "Gracewire"
          ],
          "industries": [
            "Finance",
            "Utilities",
            "Transportation",
            "Retail",
            "Consulting",
            "Media",
            "Hospitality",
            "Technology",
            "Healthcare"
          ]
        },
        "other": {
          "adversary": [
            "FIN7",
            "GrayAlpha"
          ],
          "malware_families": [
            "Skuld",
            "Javascript",
            "Fin7",
            "Blackrock",
            "Maskbat",
            "Netsupport",
            "Netsupport rat",
            "Powernet",
            "Remote access",
            "Powertrash",
            "Rms",
            "Msix",
            "Python",
            "Shadowpad"
          ],
          "industries": [
            "Finance",
            "Bank",
            "Education",
            "Retail",
            "Legal",
            "Financial",
            "Construction",
            "Manufacturing",
            "Government",
            "Hospitality",
            "Food",
            "Healthcare"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 20,
  "pulses": [
    {
      "id": "684c90509889eb77ff43d758",
      "name": "New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks",
      "description": "Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.",
      "modified": "2025-07-13T20:04:30.723000",
      "created": "2025-06-13T20:55:44.654000",
      "tags": [
        "fake updates",
        "powernet",
        "7-zip",
        "infrastructure",
        "fin7",
        "tag-124",
        "netsupport rat",
        "maskbat"
      ],
      "references": [
        "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat",
        "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg"
      ],
      "public": 1,
      "adversary": "GrayAlpha",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "PowerNet",
          "display_name": "PowerNet",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        },
        {
          "id": "MaskBat",
          "display_name": "MaskBat",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.011",
          "name": "Rundll32",
          "display_name": "T1218.011 - Rundll32"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        },
        {
          "id": "T1584.001",
          "name": "Domains",
          "display_name": "T1584.001 - Domains"
        }
      ],
      "industries": [
        "Retail",
        "Hospitality",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 42,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 33,
        "FileHash-SHA1": 33,
        "FileHash-SHA256": 158,
        "URL": 6,
        "domain": 145,
        "hostname": 1
      },
      "indicator_count": 376,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386956,
      "modified_text": "324 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "668fc73a5d94ad96c0882bb8",
      "name": "FIN7: Silent Push unearths 4000+ phishing and shell domains",
      "description": "Silent Push threat analysts have uncovered an extensive series of campaigns linked to the FIN7 cybercrime group, including several hundred active phishing, spoofing, shell and malware delivery domains and IPs targeting various organizations. The campaigns utilize over 4000 domains and subdomains, with nearly half active in the past week. Prominent global brands like Louvre Museum, Meta, Reuters, Microsoft, and others have been targeted. The group employs tactics like spearphishing, malware distribution, and renting infrastructure from bulletproof hosting providers.",
      "modified": "2024-08-10T11:01:44.011000",
      "created": "2024-07-11T11:51:22.823000",
      "tags": [
        "eugenloader",
        "spoofing",
        "gracewire",
        "phishing",
        "carbanak",
        "anunak",
        ""
      ],
      "references": [
        "https://www.silentpush.com/blog/fin7/"
      ],
      "public": 1,
      "adversary": "FIN7",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Carbanak - S0030",
          "display_name": "Carbanak - S0030",
          "target": null
        },
        {
          "id": "Anunak",
          "display_name": "Anunak",
          "target": null
        },
        {
          "id": "Gracewire",
          "display_name": "Gracewire",
          "target": null
        },
        {
          "id": "EugenLoader",
          "display_name": "EugenLoader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Retail",
        "Hospitality",
        "Technology",
        "Consulting",
        "Finance",
        "Healthcare",
        "Media",
        "Transportation",
        "Utilities"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 320,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA256": 17,
        "URL": 5,
        "domain": 62,
        "hostname": 6
      },
      "indicator_count": 91,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386956,
      "modified_text": "661 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6783308fc0b6e2bd8dfb209c",
      "name": "TTC-CERT_blocklist_recommended",
      "description": "",
      "modified": "2026-02-14T00:03:07.406000",
      "created": "2025-01-12T03:01:35.075000",
      "tags": [],
      "references": [
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 606,
        "URL": 4,
        "domain": 25122,
        "hostname": 25306
      },
      "indicator_count": 51038,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "108 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "684fc08ec1f449ae3711bff0",
      "name": "From Ideology to Financial Gain: Exploring the Convergence from Hacktivism to Cybercrime.",
      "description": "Recent trends in cyber threats reveal a significant shift as hacktivist groups such as FunkSec, KillSec, and GhostSec increasingly engage in financially motivated cybercrime, blending traditional hacktivism with ransomware operations. FunkSec has transitioned from political activism to a ransomware-as-a-service (RaaS) model, claiming at least 172 victims and leveraging generative AI for rapid victim acquisition. KillSec, aligning with the Russian cyber realm, has adopted customizable ransomware solutions and implemented double extortion tactics to enhance its monetization strategies. GhostSec, initially rooted in hacktivism, has forged partnerships with cybercriminals, launching its own RaaS offering, GhostLocker, while also returning to political motivations after securing funding through these illicit activities.",
      "modified": "2025-07-16T06:01:43.026000",
      "created": "2025-06-16T06:58:22.198000",
      "tags": [
        "strong",
        "title",
        "link",
        "summary",
        "threats",
        "grayalpha",
        "rst cloud",
        "powershell",
        "discord",
        "katz stealer",
        "funksec",
        "killsec",
        "february",
        "ghostlocker",
        "werewolf",
        "hammer",
        "shadowpad",
        "scatterbrain",
        "asyncrat",
        "loader",
        "malware",
        "muddywater",
        "skuld",
        "remote access",
        "javascript"
      ],
      "references": [
        "https://medium.com/@rst_cloud/rst-ti-report-digest-16-jun-2025-fccf30fd48a2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ShadowPad",
          "display_name": "ShadowPad",
          "target": null
        },
        {
          "id": "Skuld",
          "display_name": "Skuld",
          "target": null
        },
        {
          "id": "Remote Access",
          "display_name": "Remote Access",
          "target": null
        },
        {
          "id": "JavaScript",
          "display_name": "JavaScript",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Financial"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 41,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 36,
        "FileHash-MD5": 249,
        "FileHash-SHA1": 112,
        "FileHash-SHA256": 244,
        "CVE": 1,
        "domain": 232,
        "email": 2,
        "hostname": 67
      },
      "indicator_count": 943,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "321 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "684ef8a0dd98ef690862f85a",
      "name": "GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT.",
      "description": "Insikt Group has uncovered new infrastructure and malware associated with GrayAlpha, a cyber threat actor with ties to the financially motivated group FIN7. Specifically, three primary infection vectors have been identified: fake browser updates, malicious 7-Zip download pages, and a traffic distribution system (TDS) known as TAG-124, which had not been linked to GrayAlpha previously. The threat actor employs a new PowerShell loader called PowerNet and an obfuscated variant of FakeBat dubbed MaskBat, both of which facilitate the delivery of the NetSupport Remote Access Trojan (RAT).",
      "modified": "2025-07-15T16:04:55.152000",
      "created": "2025-06-15T16:45:20.658000",
      "tags": [],
      "references": [
        "https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 31,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 1,
        "FileHash-MD5": 33,
        "FileHash-SHA1": 33,
        "FileHash-SHA256": 158,
        "URL": 8,
        "domain": 143,
        "email": 4,
        "hostname": 1
      },
      "indicator_count": 381,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "322 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6853d0f0f31f3f1ceda90e69",
      "name": "IOC - New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks",
      "description": "",
      "modified": "2025-07-13T20:04:30.723000",
      "created": "2025-06-19T08:57:20.036000",
      "tags": [
        "fake updates",
        "powernet",
        "7-zip",
        "infrastructure",
        "fin7",
        "tag-124",
        "netsupport rat",
        "maskbat"
      ],
      "references": [
        "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat",
        "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg"
      ],
      "public": 1,
      "adversary": "GrayAlpha",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "PowerNet",
          "display_name": "PowerNet",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        },
        {
          "id": "MaskBat",
          "display_name": "MaskBat",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.011",
          "name": "Rundll32",
          "display_name": "T1218.011 - Rundll32"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        },
        {
          "id": "T1584.001",
          "name": "Domains",
          "display_name": "T1584.001 - Domains"
        }
      ],
      "industries": [
        "Retail",
        "Hospitality",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": "684c90509889eb77ff43d758",
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 33,
        "FileHash-SHA1": 33,
        "FileHash-SHA256": 158,
        "URL": 6,
        "domain": 145,
        "hostname": 1
      },
      "indicator_count": 376,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "324 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ae825ee4680bf980f21c4e",
      "name": "FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT",
      "description": "A group known as FIN7 has been using Google ads to lure users into downloading malware, according to a report published this week by cybersecurity firm eSentire and the Microsoft Security Research Center.",
      "modified": "2025-03-15T23:04:39.639000",
      "created": "2025-02-13T23:38:05.365000",
      "tags": [
        "path",
        "span",
        "button",
        "link",
        "script",
        "template",
        "github",
        "form",
        "footer",
        "overlay",
        "code",
        "meta",
        "asyncrat",
        "reload",
        "diceloader",
        "find",
        "close",
        "amos",
        "stealer",
        "autoit",
        "darkvnc",
        "ducktail",
        "lumma stealer",
        "icedid",
        "lazarus",
        "mintsloader",
        "pikabot",
        "venomrat",
        "webdav",
        "solarmarker",
        "stealc",
        "download",
        "body",
        "write",
        "small",
        "enterprise",
        "star",
        "courier",
        "copy",
        "open",
        "main",
        "contact",
        "cyber security news",
        "cyber news",
        "cyber security news today",
        "cyber security updates",
        "cyber updates",
        "hacker news",
        "hacking news",
        "software vulnerability",
        "cyber attacks",
        "data breach",
        "ransomware malware",
        "how to hack",
        "network security",
        "information security",
        "the hacker news",
        "computer security",
        "fin7",
        "netsupport rat",
        "google",
        "msix",
        "blackrock",
        "asana",
        "wall street",
        "journal",
        "google meet",
        "powertrash",
        "anydesk",
        "winscp",
        "carbanak",
        "powerplant",
        "termite",
        "gracewire",
        "april",
        "fakeupdates",
        "rats",
        "twitter",
        "netsupport"
      ],
      "references": [
        "https://github.com/esThreatIntelligence/iocs/blob/main/FIN7/FIN7_IOCs_5-3-2024.txt",
        "https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html"
      ],
      "public": 1,
      "adversary": "FIN7",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "POWERTRASH",
          "display_name": "POWERTRASH",
          "target": null
        },
        {
          "id": "BlackRock",
          "display_name": "BlackRock",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 39,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Armature_TIP",
        "id": "308911",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 14,
        "domain": 45,
        "hostname": 1
      },
      "indicator_count": 70,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 43,
      "modified_text": "443 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f73a3f45fa88890276d",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:23.616000",
      "created": "2024-11-24T03:37:23.616000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 25,
      "modified_text": "555 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f7224d433f384b935c8",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:22.551000",
      "created": "2024-11-24T03:37:22.551000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "555 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "670f94e03014212e19fa5a77",
      "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
      "description": "By Helaly",
      "modified": "2024-11-15T10:01:11.688000",
      "created": "2024-10-16T10:26:40.893000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 39659,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Eslam-ElHelaly",
        "id": "259630",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 80,
      "modified_text": "564 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "webex-install.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "webex-install.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780431894.8520594
}