{ "type": "Domain", "indicator": "weworkhappy.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/weworkhappy.com", "alexa": "http://www.alexa.com/siteinfo/weworkhappy.com", "indicator": "weworkhappy.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3901741130, "indicator": "weworkhappy.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "66e9ddb687d7b95a199e3098", "name": "Marko Polo Navigates Uncharted Waters with Infostealer Empire", "description": "An analysis has uncovered a highly adaptable cybercriminal group, codenamed 'Marko Polo', that operates sophisticated scams employing information-stealing malware to target individuals and organizations globally. They primarily operate through social media, impersonating legitimate brands in sectors like online gaming, virtual meetings, productivity software, and cryptocurrency. Their extensive operation involves over 30 distinct scams, 50 malware payloads, numerous malicious domains, and hundreds of fraudulent social media accounts. This widespread campaign likely compromised tens of thousands of devices globally, exposing sensitive personal and corporate data, posing risks to consumer privacy and business continuity while generating substantial illicit revenue.", "modified": "2024-11-06T13:21:58.445000", "created": "2024-09-17T19:51:18.918000", "tags": [ "cybercriminal", "social_engineering", "infostealers", "scams", "impersonation", "Marko Polo" ], "references": [ "https://go.recordedfuture.com/hubfs/reports/cta-2024-0917.pdf" ], "public": 1, "adversary": "Marko Polo", "targeted_countries": [], "malware_families": [ { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "HijackLoader", "display_name": "HijackLoader", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 37, "domain": 86 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 386454, "modified_text": "570 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66741fdb1af81fa3ecb09bf9", "name": "Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications", "description": "While monitoring data in Recorded Future Malware Intelligence, Insikt Group identified purported virtual\nmeeting software called Vortax that, upon download and installation, delivers three information stealers\n(\u201cinfostealers\u201d) in cross-platform attacks \u2014 Rhadamanthys, Stealc, and, most notably, Atomic macOS\nStealer (AMOS) \u2014 in an extensive campaign aimed at cryptocurrency theft.", "modified": "2024-07-20T12:00:12.902000", "created": "2024-06-20T12:26:03.258000", "tags": [ "c2", "MacOS" ], "references": [ "https://go.recordedfuture.com/hubfs/reports/cta-2024-0617.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Atomic macOS", "display_name": "Atomic macOS", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null } ], "attack_ids": [ { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 355, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 23, "domain": 33 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 386453, "modified_text": "679 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6783308fc0b6e2bd8dfb209c", "name": "TTC-CERT_blocklist_recommended", "description": "", "modified": "2026-02-14T00:03:07.406000", "created": "2025-01-12T03:01:35.075000", "tags": [], "references": [ "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 606, "URL": 4, "domain": 25122, "hostname": 25306 }, "indicator_count": 51038, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "105 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ba2ccd46fb476600ba55b3", "name": "The Travels of \u201cmarkopolo\u201d: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future", "description": "Recorded Future's Insikt Group has identified a widespread cyberattack campaign involving Vortax, a purported virtual meeting software, which spreads infostealers to steal information on users of macOS.", "modified": "2025-03-24T20:00:11.422000", "created": "2025-02-22T20:00:13.082000", "tags": [ "amos", "vortax", "recorded future", "intelligence", "insikt group", "stealc", "atomic macos", "stealer", "future", "markopolo", "insikt", "macos", "research", "travels", "vortax spreads", "infostealers", "network", "malicious macos", "demo", "moskau", "target", "june", "contact" ], "references": [ "https://www.recordedfuture.com/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers", "https://go.recordedfuture.com/hubfs/reports/cta-2024-0617.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Democratic People's Republic of" ], "malware_families": [ { "id": "Recorded Future", "display_name": "Recorded Future", "target": null }, { "id": "Insikt", "display_name": "Insikt", "target": null }, { "id": "macOS", "display_name": "macOS", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [ "Cryptocurrency", "Gaming" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Armature_TIP", "id": "308911", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 39, "FileHash-MD5": 35, "FileHash-SHA1": 12, "FileHash-SHA256": 23, "URL": 1, "email": 1, "hostname": 1 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "432 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "552 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "552 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "561 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb44c55928675e15bc818d", "name": "Threat Intel Report - W30-2024", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools. \n\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week. \n\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools. \n\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2024-09-12T11:00:55.410000", "created": "2024-08-13T11:34:29.979000", "tags": [ "mozi", "microsoft", "week", "windows", "panama", "germany", "russia", "lithuania", "romania", "urls http", "agent tesla", "asyncrat", "dcrat", "muddywater", "indonesia", "mexico", "remcos", "stealc", "steam", "lockbit", "february", "qilin" ], "references": [ "https://any.run/malware-trends/", "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qilin", "display_name": "Qilin", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 70, "hostname": 82, "URL": 211, "FileHash-MD5": 69, "FileHash-SHA1": 68, "FileHash-SHA256": 117, "CVE": 1 }, "indicator_count": 618, "is_author": false, "is_subscribing": null, "subscriber_count": 106, "modified_text": "625 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "666 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "667 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6675d6318bbe0c56ee855f18", "name": "Vortax Meeting Software Abused to Attack MacOS Users", "description": "", "modified": "2024-07-21T19:02:13.962000", "created": "2024-06-21T19:36:17.538000", "tags": [ "cyber", "threat", "june", "time", "crypto cyber", "defence", "classification", "confidential" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 23 }, "indicator_count": 78, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://go.recordedfuture.com/hubfs/reports/cta-2024-0617.pdf", "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt", "https://any.run/malware-trends/", "https://go.recordedfuture.com/hubfs/reports/cta-2024-0917.pdf", "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "https://www.recordedfuture.com/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers" ], "related": { "alienvault": { "adversary": [ "Marko Polo" ], "malware_families": [ "", "Rhadamanthys", "Atomic macos", "Hijackloader", "Amos", "Stealc" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Qilin", "Macos", "Recorded future", "Insikt" ], "industries": [ "Gaming", "Cryptocurrency" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "66e9ddb687d7b95a199e3098", "name": "Marko Polo Navigates Uncharted Waters with Infostealer Empire", "description": "An analysis has uncovered a highly adaptable cybercriminal group, codenamed 'Marko Polo', that operates sophisticated scams employing information-stealing malware to target individuals and organizations globally. They primarily operate through social media, impersonating legitimate brands in sectors like online gaming, virtual meetings, productivity software, and cryptocurrency. Their extensive operation involves over 30 distinct scams, 50 malware payloads, numerous malicious domains, and hundreds of fraudulent social media accounts. This widespread campaign likely compromised tens of thousands of devices globally, exposing sensitive personal and corporate data, posing risks to consumer privacy and business continuity while generating substantial illicit revenue.", "modified": "2024-11-06T13:21:58.445000", "created": "2024-09-17T19:51:18.918000", "tags": [ "cybercriminal", "social_engineering", "infostealers", "scams", "impersonation", "Marko Polo" ], "references": [ "https://go.recordedfuture.com/hubfs/reports/cta-2024-0917.pdf" ], "public": 1, "adversary": "Marko Polo", "targeted_countries": [], "malware_families": [ { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "HijackLoader", "display_name": "HijackLoader", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 37, "domain": 86 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 386454, "modified_text": "570 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66741fdb1af81fa3ecb09bf9", "name": "Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications", "description": "While monitoring data in Recorded Future Malware Intelligence, Insikt Group identified purported virtual\nmeeting software called Vortax that, upon download and installation, delivers three information stealers\n(\u201cinfostealers\u201d) in cross-platform attacks \u2014 Rhadamanthys, Stealc, and, most notably, Atomic macOS\nStealer (AMOS) \u2014 in an extensive campaign aimed at cryptocurrency theft.", "modified": "2024-07-20T12:00:12.902000", "created": "2024-06-20T12:26:03.258000", "tags": [ "c2", "MacOS" ], "references": [ "https://go.recordedfuture.com/hubfs/reports/cta-2024-0617.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Atomic macOS", "display_name": "Atomic macOS", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null } ], "attack_ids": [ { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 355, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 23, "domain": 33 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 386453, "modified_text": "679 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6783308fc0b6e2bd8dfb209c", "name": "TTC-CERT_blocklist_recommended", "description": "", "modified": "2026-02-14T00:03:07.406000", "created": "2025-01-12T03:01:35.075000", "tags": [], "references": [ "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 606, "URL": 4, "domain": 25122, "hostname": 25306 }, "indicator_count": 51038, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "105 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ba2ccd46fb476600ba55b3", "name": "The Travels of \u201cmarkopolo\u201d: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future", "description": "Recorded Future's Insikt Group has identified a widespread cyberattack campaign involving Vortax, a purported virtual meeting software, which spreads infostealers to steal information on users of macOS.", "modified": "2025-03-24T20:00:11.422000", "created": "2025-02-22T20:00:13.082000", "tags": [ "amos", "vortax", "recorded future", "intelligence", "insikt group", "stealc", "atomic macos", "stealer", "future", "markopolo", "insikt", "macos", "research", "travels", "vortax spreads", "infostealers", "network", "malicious macos", "demo", "moskau", "target", "june", "contact" ], "references": [ "https://www.recordedfuture.com/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers", "https://go.recordedfuture.com/hubfs/reports/cta-2024-0617.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Democratic People's Republic of" ], "malware_families": [ { "id": "Recorded Future", "display_name": "Recorded Future", "target": null }, { "id": "Insikt", "display_name": "Insikt", "target": null }, { "id": "macOS", "display_name": "macOS", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [ "Cryptocurrency", "Gaming" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Armature_TIP", "id": "308911", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 39, "FileHash-MD5": 35, "FileHash-SHA1": 12, "FileHash-SHA256": 23, "URL": 1, "email": 1, "hostname": 1 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "432 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "552 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "552 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "561 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb44c55928675e15bc818d", "name": "Threat Intel Report - W30-2024", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools. \n\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week. \n\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools. \n\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2024-09-12T11:00:55.410000", "created": "2024-08-13T11:34:29.979000", "tags": [ "mozi", "microsoft", "week", "windows", "panama", "germany", "russia", "lithuania", "romania", "urls http", "agent tesla", "asyncrat", "dcrat", "muddywater", "indonesia", "mexico", "remcos", "stealc", "steam", "lockbit", "february", "qilin" ], "references": [ "https://any.run/malware-trends/", "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qilin", "display_name": "Qilin", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 70, "hostname": 82, "URL": 211, "FileHash-MD5": 69, "FileHash-SHA1": 68, "FileHash-SHA256": 117, "CVE": 1 }, "indicator_count": 618, "is_author": false, "is_subscribing": null, "subscriber_count": 106, "modified_text": "625 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "666 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "667 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "weworkhappy.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "weworkhappy.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780177596.2959874 }