{ "type": "Domain", "indicator": "wikileaksv2.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/wikileaksv2.com", "alexa": "http://www.alexa.com/siteinfo/wikileaksv2.com", "indicator": "wikileaksv2.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4138561681, "indicator": "wikileaksv2.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68e69076a95f1726dd5d19eb", "name": "The Evolution of Qilin RaaS", "description": "Qilin ransomware is used for domain-wide encryption, and a ransom is then demanded for the decryption keys and/or to prevent the publication of the stolen data. Qilin affiliates are recruited from cybercrime forums to use the Qilin RaaS platform, which handles payload generation, the publication of stolen data, and ransom negotiations.", "modified": "2025-11-07T16:03:44.589000", "created": "2025-10-08T16:25:25.785000", "tags": [ "qilin", "raas", "fin12", "alphvblackcat", "kela", "bitcoin", "nova", "ryuk", "ransomware", "agenda", "tor", "onion", "wikileaks", "phishing", "supply chain attack" ], "references": [ "https://www.sans.org/blog/evolution-qilin-raas" ], "public": 1, "adversary": "Qilin", "targeted_countries": [], "malware_families": [ { "id": "Agenda", "display_name": "Agenda", "target": null }, { "id": "Qilin", "display_name": "Qilin", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 64, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 386591, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69243b315cc7e9bc113a7158", "name": "LevelBlue - Open Threat Exchange", "description": "Qilin ransomware is used for domain-wide encryption, and a ransom is then demanded for the decryption keys and/or to prevent the publication of the stolen data. Qilin affiliates are recruited from cybercrime forums to use the Qilin RaaS platform, which handles payload generation, the publication of stolen data, and ransom negotiations.", "modified": "2025-12-24T11:03:45.754000", "created": "2025-11-24T11:02:07.121000", "tags": [ "levelblue", "open threat", "indicator", "description" ], "references": [ "68e69076a95f1726dd5d19eb.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "modyseck7", "id": "145598", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "158 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69224ca2eaff8d346c6b5eb2", "name": "Qilin Ransomware IOC", "description": "", "modified": "2025-12-22T23:01:24.822000", "created": "2025-11-22T23:52:00.862000", "tags": [ "Ransomare" ], "references": [ "https://blog.qualys.com/vulnerabilities-threat-research/2025/06/18/qilin-ransomware-explained-threats-risks-defenses" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qilin", "display_name": "Qilin", "target": null } ], "attack_ids": [ { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1547.004", "name": "Winlogon Helper DLL", "display_name": "T1547.004 - Winlogon Helper DLL" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sanalystobi", "id": "364997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 9, "FileHash-MD5": 95, "FileHash-SHA1": 71, "FileHash-SHA256": 71 }, "indicator_count": 251, "is_author": false, "is_subscribing": null, "subscriber_count": 6, "modified_text": "160 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e81aa6fa499ffa699c90fe", "name": "EbeeOct2025 Pt1", "description": "", "modified": "2025-11-09T00:03:01.593000", "created": "2025-10-09T20:27:18.015000", "tags": [], "references": [ "IOCs_Oct week-1.pdf" ], "public": 1, "adversary": "Multiple APT/Malware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 46, "FileHash-MD5": 178, "FileHash-SHA1": 159, "FileHash-SHA256": 287, "CVE": 1, "domain": 71 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "204 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "68e69076a95f1726dd5d19eb.csv", "IOCs_Oct week-1.pdf", "https://www.sans.org/blog/evolution-qilin-raas", "https://blog.qualys.com/vulnerabilities-threat-research/2025/06/18/qilin-ransomware-explained-threats-risks-defenses" ], "related": { "alienvault": { "adversary": [ "Qilin" ], "malware_families": [ "Qilin", "Agenda" ], "industries": [] }, "other": { "adversary": [ "Multiple APT/Malware" ], "malware_families": [ "Qilin" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68e69076a95f1726dd5d19eb", "name": "The Evolution of Qilin RaaS", "description": "Qilin ransomware is used for domain-wide encryption, and a ransom is then demanded for the decryption keys and/or to prevent the publication of the stolen data. Qilin affiliates are recruited from cybercrime forums to use the Qilin RaaS platform, which handles payload generation, the publication of stolen data, and ransom negotiations.", "modified": "2025-11-07T16:03:44.589000", "created": "2025-10-08T16:25:25.785000", "tags": [ "qilin", "raas", "fin12", "alphvblackcat", "kela", "bitcoin", "nova", "ryuk", "ransomware", "agenda", "tor", "onion", "wikileaks", "phishing", "supply chain attack" ], "references": [ "https://www.sans.org/blog/evolution-qilin-raas" ], "public": 1, "adversary": "Qilin", "targeted_countries": [], "malware_families": [ { "id": "Agenda", "display_name": "Agenda", "target": null }, { "id": "Qilin", "display_name": "Qilin", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 64, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 386591, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69243b315cc7e9bc113a7158", "name": "LevelBlue - Open Threat Exchange", "description": "Qilin ransomware is used for domain-wide encryption, and a ransom is then demanded for the decryption keys and/or to prevent the publication of the stolen data. Qilin affiliates are recruited from cybercrime forums to use the Qilin RaaS platform, which handles payload generation, the publication of stolen data, and ransom negotiations.", "modified": "2025-12-24T11:03:45.754000", "created": "2025-11-24T11:02:07.121000", "tags": [ "levelblue", "open threat", "indicator", "description" ], "references": [ "68e69076a95f1726dd5d19eb.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "modyseck7", "id": "145598", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "158 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69224ca2eaff8d346c6b5eb2", "name": "Qilin Ransomware IOC", "description": "", "modified": "2025-12-22T23:01:24.822000", "created": "2025-11-22T23:52:00.862000", "tags": [ "Ransomare" ], "references": [ "https://blog.qualys.com/vulnerabilities-threat-research/2025/06/18/qilin-ransomware-explained-threats-risks-defenses" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qilin", "display_name": "Qilin", "target": null } ], "attack_ids": [ { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1547.004", "name": "Winlogon Helper DLL", "display_name": "T1547.004 - Winlogon Helper DLL" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sanalystobi", "id": "364997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 9, "FileHash-MD5": 95, "FileHash-SHA1": 71, "FileHash-SHA256": 71 }, "indicator_count": 251, "is_author": false, "is_subscribing": null, "subscriber_count": 6, "modified_text": "160 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e81aa6fa499ffa699c90fe", "name": "EbeeOct2025 Pt1", "description": "", "modified": "2025-11-09T00:03:01.593000", "created": "2025-10-09T20:27:18.015000", "tags": [], "references": [ "IOCs_Oct week-1.pdf" ], "public": 1, "adversary": "Multiple APT/Malware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 46, "FileHash-MD5": 178, "FileHash-SHA1": 159, "FileHash-SHA256": 287, "CVE": 1, "domain": 71 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "204 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "wikileaksv2.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "wikileaksv2.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780272305.2306497 }