{ "type": "Domain", "indicator": "win7py.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/win7py.org", "alexa": "http://www.alexa.com/siteinfo/win7py.org", "indicator": "win7py.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4029486897, "indicator": "win7py.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "693ac21225c36da419dbd4f1", "name": "EbeeDec2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T13:07:30.549000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "filename", "cve20251338 cve", "bitcoinaddress" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "hostname": 42, "CIDR": 1, "CVE": 2, "FileHash-MD5": 193, "FileHash-SHA1": 230, "FileHash-SHA256": 224, "domain": 99, "email": 1 }, "indicator_count": 887, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "140 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691ebb98b4b2b8d00a5096ad", "name": "IOC - PlushDaemon compromises network devices for adversary-in-the-middle attacks", "description": "ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that we have named EdgeStepper, which redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure.", "modified": "2025-12-20T06:00:23.758000", "created": "2025-11-20T06:56:24.887000", "tags": [ "slowstepper c", "c server", "filename eset", "slowstepper", "description", "python", "server", "ipany software", "installer dll", "dll tool" ], "references": [ "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SlowStepper", "display_name": "SlowStepper", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 5, "FileHash-SHA1": 19, "FileHash-SHA256": 5, "domain": 4, "hostname": 5 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6936548fa81a14eb0a64aa46", "name": "PlushDaemon compromises network devices for adversary-in-the-middle attacks", "description": "", "modified": "2025-12-20T06:00:23.758000", "created": "2025-12-08T04:31:11.779000", "tags": [ "slowstepper c", "c server", "filename eset", "slowstepper", "description", "python", "server", "ipany software", "installer dll", "dll tool" ], "references": [ "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SlowStepper", "display_name": "SlowStepper", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "691ebb98b4b2b8d00a5096ad", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 5, "FileHash-SHA1": 19, "FileHash-SHA256": 5, "domain": 4, "hostname": 5 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6790faaf7ed4a83421bb9aff", "name": "PlushDaemon compromises supply chain of Korean VPN service", "description": "A new China-aligned cyber-espionage group has compromised the supply chain of legitimate VPN software developed by a South Korean company, according to ESET researchers in a blogpost published on 22 January 2025.", "modified": "2025-02-21T14:01:56.077000", "created": "2025-01-22T14:03:27.578000", "tags": [], "references": [ "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 3, "domain": 6, "hostname": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "463 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6790fab03fa32288e9592a64", "name": "PlushDaemon compromises supply chain of Korean VPN service", "description": "A new China-aligned cyber-espionage group has compromised the supply chain of legitimate VPN software developed by a South Korean company, according to ESET researchers in a blogpost published on 22 January 2025.", "modified": "2025-02-21T14:01:56.077000", "created": "2025-01-22T14:03:28.101000", "tags": [], "references": [ "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 3, "domain": 6, "hostname": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "463 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/", "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/", "Book1.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex" ], "malware_families": [ "Slowstepper" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "693ac21225c36da419dbd4f1", "name": "EbeeDec2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T13:07:30.549000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "filename", "cve20251338 cve", "bitcoinaddress" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "hostname": 42, "CIDR": 1, "CVE": 2, "FileHash-MD5": 193, "FileHash-SHA1": 230, "FileHash-SHA256": 224, "domain": 99, "email": 1 }, "indicator_count": 887, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "140 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691ebb98b4b2b8d00a5096ad", "name": "IOC - PlushDaemon compromises network devices for adversary-in-the-middle attacks", "description": "ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that we have named EdgeStepper, which redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure.", "modified": "2025-12-20T06:00:23.758000", "created": "2025-11-20T06:56:24.887000", "tags": [ "slowstepper c", "c server", "filename eset", "slowstepper", "description", "python", "server", "ipany software", "installer dll", "dll tool" ], "references": [ "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SlowStepper", "display_name": "SlowStepper", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 5, "FileHash-SHA1": 19, "FileHash-SHA256": 5, "domain": 4, "hostname": 5 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6936548fa81a14eb0a64aa46", "name": "PlushDaemon compromises network devices for adversary-in-the-middle attacks", "description": "", "modified": "2025-12-20T06:00:23.758000", "created": "2025-12-08T04:31:11.779000", "tags": [ "slowstepper c", "c server", "filename eset", "slowstepper", "description", "python", "server", "ipany software", "installer dll", "dll tool" ], "references": [ "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SlowStepper", "display_name": "SlowStepper", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "691ebb98b4b2b8d00a5096ad", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 5, "FileHash-SHA1": 19, "FileHash-SHA256": 5, "domain": 4, "hostname": 5 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6790faaf7ed4a83421bb9aff", "name": "PlushDaemon compromises supply chain of Korean VPN service", "description": "A new China-aligned cyber-espionage group has compromised the supply chain of legitimate VPN software developed by a South Korean company, according to ESET researchers in a blogpost published on 22 January 2025.", "modified": "2025-02-21T14:01:56.077000", "created": "2025-01-22T14:03:27.578000", "tags": [], "references": [ "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 3, "domain": 6, "hostname": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "463 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6790fab03fa32288e9592a64", "name": "PlushDaemon compromises supply chain of Korean VPN service", "description": "A new China-aligned cyber-espionage group has compromised the supply chain of legitimate VPN software developed by a South Korean company, according to ESET researchers in a blogpost published on 22 January 2025.", "modified": "2025-02-21T14:01:56.077000", "created": "2025-01-22T14:03:28.101000", "tags": [], "references": [ "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 3, "domain": 6, "hostname": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "463 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "win7py.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "win7py.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780210706.2154207 }