{ "type": "Domain", "indicator": "windlebrogues.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/windlebrogues.com", "alexa": "http://www.alexa.com/siteinfo/windlebrogues.com", "indicator": "windlebrogues.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4075463442, "indicator": "windlebrogues.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "6849315dfd6a8c8feb63dccf", "name": "HelloTDS: The Infrastructure Behind FakeCaptcha", "description": "The analysis of the HelloTDS infrastructure reveals a complex Traffic Direction System (TDS) that facilitates various malware campaigns, including FakeCaptcha, by exploiting vulnerable websites and malvertising techniques. HelloTDS operates through a robust network that utilizes geolocation, IP address, and browser fingerprinting to determine the nature of content delivered to users. It particularly targets users through compromised streaming sites and file-sharing services that have been manipulated to load malicious scripts. The effectiveness of these campaigns lies in their ability to mimic legitimate software platforms, enhancing their stealth and complicating detection efforts.", "modified": "2025-07-11T07:03:21.588000", "created": "2025-06-11T07:33:49.632000", "tags": [ "fakecaptcha", "key takeaways", "norton", "avast", "avira", "urls", "compromise", "iocs", "hellotds", "hellotds json", "hellotds script", "apateweb", "blogspot site" ], "references": [ "https://www.gendigital.com/blog/insights/research/inside-hellotds-malware-network", "https://github.com/avast/ioc/tree/master/HelloTDS" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "India", "Rwanda", "Egypt", "Tanzania, United Republic of", "Kenya" ], "malware_families": [], "attack_ids": [ { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 14, "URL": 95, "domain": 229, "hostname": 490, "FileHash-SHA256": 23, "FileHash-MD5": 23, "FileHash-SHA1": 23 }, "indicator_count": 897, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.gendigital.com/blog/insights/research/inside-hellotds-malware-network", "https://github.com/avast/ioc/tree/master/HelloTDS" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "6849315dfd6a8c8feb63dccf", "name": "HelloTDS: The Infrastructure Behind FakeCaptcha", "description": "The analysis of the HelloTDS infrastructure reveals a complex Traffic Direction System (TDS) that facilitates various malware campaigns, including FakeCaptcha, by exploiting vulnerable websites and malvertising techniques. HelloTDS operates through a robust network that utilizes geolocation, IP address, and browser fingerprinting to determine the nature of content delivered to users. It particularly targets users through compromised streaming sites and file-sharing services that have been manipulated to load malicious scripts. The effectiveness of these campaigns lies in their ability to mimic legitimate software platforms, enhancing their stealth and complicating detection efforts.", "modified": "2025-07-11T07:03:21.588000", "created": "2025-06-11T07:33:49.632000", "tags": [ "fakecaptcha", "key takeaways", "norton", "avast", "avira", "urls", "compromise", "iocs", "hellotds", "hellotds json", "hellotds script", "apateweb", "blogspot site" ], "references": [ "https://www.gendigital.com/blog/insights/research/inside-hellotds-malware-network", "https://github.com/avast/ioc/tree/master/HelloTDS" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "India", "Rwanda", "Egypt", "Tanzania, United Republic of", "Kenya" ], "malware_families": [], "attack_ids": [ { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 14, "URL": 95, "domain": 229, "hostname": 490, "FileHash-SHA256": 23, "FileHash-MD5": 23, "FileHash-SHA1": 23 }, "indicator_count": 897, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "windlebrogues.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "windlebrogues.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780531098.6502502 }