{ "type": "Domain", "indicator": "wiresapplication.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/wiresapplication.com", "alexa": "http://www.alexa.com/siteinfo/wiresapplication.com", "indicator": "wiresapplication.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3975920123, "indicator": "wiresapplication.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "66e98a4297c7a88ba6af3431", "name": "Observes Targeted Attacks Amid FBI Warnings", "description": "The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious coding challenges and techniques to install backdoor malware, steal credentials, and maintain persistence. Analysis of the malware's capabilities, updates, and command-and-control infrastructure is provided.", "modified": "2024-10-17T13:00:37.185000", "created": "2024-09-17T13:55:14.714000", "tags": [ "northkorea", "thiefbucket", "rustdoor", "socialengineering", "infostealer", "malware", "cryptoindustry", "backdoor" ], "references": [ "https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/" ], "public": 1, "adversary": "Democratic People's Republic of Korea (DPRK)", "targeted_countries": [], "malware_families": [ { "id": "Thiefbucket", "display_name": "Thiefbucket", "target": null }, { "id": "Rustdoor", "display_name": "Rustdoor", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1505.002", "name": "Transport Agent", "display_name": "T1505.002 - Transport Agent" }, { "id": "T1547.010", "name": "Port Monitors", "display_name": "T1547.010 - Port Monitors" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "display_name": "T1546.003 - Windows Management Instrumentation Event Subscription" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1589.001", "name": "Credentials", "display_name": "T1589.001 - Credentials" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 7, "URL": 2, "domain": 3 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 386728, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6859c8ef916c064a0466ab46", "name": "Host Long and Prosper: Uncovering Crypto Exchange Phishing Infrastructure via Prospero Networks.", "description": "A detailed threat hunting investigation into Prospero Networks (AS 200593) reveals a large-scale cryptocurrency exchange impersonation campaign. The analysis identifies over 200 malicious indicators across multiple ASNs, including fake crypto exchanges using names like \"Yukitale\" and \"cryptavex.\" The research demonstrates advanced hunting techniques using DNS data and header analysis to uncover fresh, unreported infrastructure hosting phishing sites targeting crypto users, banking customers, and streaming services. The campaign spans multiple themes including cryptocurrency, Netflix/streaming, banking, and logistics phishing, with evidence suggesting coordination by Ukrainian threat actors.", "modified": "2025-07-23T21:02:57.552000", "created": "2025-06-23T21:36:47.688000", "tags": [ "validin", "prospero", "ip blocks", "first", "february", "host", "domains", "crypto", "shiping", "logistics", "cluster" ], "references": [ "https://open.substack.com/pub/intelinsights/p/host-long-and-prosper?utm_source=share&utm_medium=android&r=5l6xoe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Prospero", "display_name": "Prospero", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "FileHash-MD5": 1, "domain": 178, "URL": 97, "hostname": 8, "FileHash-SHA256": 1 }, "indicator_count": 287, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "312 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "563 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f67abbd79b33250fc28e1c", "name": "Rustdoor Malware", "description": "Rustdoor Malware", "modified": "2024-10-27T09:03:48.667000", "created": "2024-09-27T09:28:27.177000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IndoOpenThreatXchange", "id": "286483", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "domain": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 89, "modified_text": "582 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e998f85770285b5e00a459", "name": "LinkedIn Cryptocurrency Users Targeted by North Korean Attackers", "description": "", "modified": "2024-10-17T14:02:59.681000", "created": "2024-09-17T14:58:00.374000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 7, "domain": 3 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f108f350873928856d1b48", "name": "Jamf Threat Labs observes targeted attacks amid FBI warnings ", "description": "", "modified": "2024-10-17T13:00:37.185000", "created": "2024-09-23T06:21:39.029000", "tags": [ "northkorea", "thiefbucket", "rustdoor", "socialengineering", "infostealer", "malware", "cryptoindustry", "backdoor" ], "references": [ "https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/" ], "public": 1, "adversary": "Democratic People's Republic of Korea (DPRK)", "targeted_countries": [], "malware_families": [ { "id": "Thiefbucket", "display_name": "Thiefbucket", "target": null }, { "id": "Rustdoor", "display_name": "Rustdoor", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1505.002", "name": "Transport Agent", "display_name": "T1505.002 - Transport Agent" }, { "id": "T1547.010", "name": "Port Monitors", "display_name": "T1547.010 - Port Monitors" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "display_name": "T1546.003 - Windows Management Instrumentation Event Subscription" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1589.001", "name": "Credentials", "display_name": "T1589.001 - Credentials" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "66e98a4297c7a88ba6af3431", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 7, "URL": 2, "domain": 3 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f12b4950a77de1e4e45ce2", "name": "Jamf Threat Labs observes targeted attacks amid FBI warnings", "description": "", "modified": "2024-10-17T13:00:37.185000", "created": "2024-09-23T08:48:09.100000", "tags": [ "northkorea", "thiefbucket", "rustdoor", "socialengineering", "infostealer", "malware", "cryptoindustry", "backdoor" ], "references": [ "https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/" ], "public": 1, "adversary": "Democratic People's Republic of Korea (DPRK)", "targeted_countries": [], "malware_families": [ { "id": "Thiefbucket", "display_name": "Thiefbucket", "target": null }, { "id": "Rustdoor", "display_name": "Rustdoor", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1505.002", "name": "Transport Agent", "display_name": "T1505.002 - Transport Agent" }, { "id": "T1547.010", "name": "Port Monitors", "display_name": "T1547.010 - Port Monitors" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "display_name": "T1546.003 - Windows Management Instrumentation Event Subscription" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1589.001", "name": "Credentials", "display_name": "T1589.001 - Credentials" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "66f108f350873928856d1b48", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 7, "URL": 2, "domain": 3 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e96761128c224abbd172fe", "name": "Jamf Threat Labs Observes Targeted Attacks Amid FBI Warnings", "description": "", "modified": "2024-10-17T11:04:02.069000", "created": "2024-09-17T11:26:25.754000", "tags": [ "jamf threat", "labs", "dprk", "jamf", "linkedin", "hr team" ], "references": [ "https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 7, "URL": 2, "domain": 4 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://open.substack.com/pub/intelinsights/p/host-long-and-prosper?utm_source=share&utm_medium=android&r=5l6xoe", "https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/" ], "related": { "alienvault": { "adversary": [ "Democratic People's Republic of Korea (DPRK)" ], "malware_families": [ "Rustdoor", "Thiefbucket" ], "industries": [ "Finance", "Technology" ] }, "other": { "adversary": [ "Democratic People's Republic of Korea (DPRK)" ], "malware_families": [ "Rustdoor", "Thiefbucket", "Prospero" ], "industries": [ "Finance", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "66e98a4297c7a88ba6af3431", "name": "Observes Targeted Attacks Amid FBI Warnings", "description": "The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious coding challenges and techniques to install backdoor malware, steal credentials, and maintain persistence. Analysis of the malware's capabilities, updates, and command-and-control infrastructure is provided.", "modified": "2024-10-17T13:00:37.185000", "created": "2024-09-17T13:55:14.714000", "tags": [ "northkorea", "thiefbucket", "rustdoor", "socialengineering", "infostealer", "malware", "cryptoindustry", "backdoor" ], "references": [ "https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/" ], "public": 1, "adversary": "Democratic People's Republic of Korea (DPRK)", "targeted_countries": [], "malware_families": [ { "id": "Thiefbucket", "display_name": "Thiefbucket", "target": null }, { "id": "Rustdoor", "display_name": "Rustdoor", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1505.002", "name": "Transport Agent", "display_name": "T1505.002 - Transport Agent" }, { "id": "T1547.010", "name": "Port Monitors", "display_name": "T1547.010 - Port Monitors" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "display_name": "T1546.003 - Windows Management Instrumentation Event Subscription" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1589.001", "name": "Credentials", "display_name": "T1589.001 - Credentials" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 7, "URL": 2, "domain": 3 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 386728, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6859c8ef916c064a0466ab46", "name": "Host Long and Prosper: Uncovering Crypto Exchange Phishing Infrastructure via Prospero Networks.", "description": "A detailed threat hunting investigation into Prospero Networks (AS 200593) reveals a large-scale cryptocurrency exchange impersonation campaign. The analysis identifies over 200 malicious indicators across multiple ASNs, including fake crypto exchanges using names like \"Yukitale\" and \"cryptavex.\" The research demonstrates advanced hunting techniques using DNS data and header analysis to uncover fresh, unreported infrastructure hosting phishing sites targeting crypto users, banking customers, and streaming services. The campaign spans multiple themes including cryptocurrency, Netflix/streaming, banking, and logistics phishing, with evidence suggesting coordination by Ukrainian threat actors.", "modified": "2025-07-23T21:02:57.552000", "created": "2025-06-23T21:36:47.688000", "tags": [ "validin", "prospero", "ip blocks", "first", "february", "host", "domains", "crypto", "shiping", "logistics", "cluster" ], "references": [ "https://open.substack.com/pub/intelinsights/p/host-long-and-prosper?utm_source=share&utm_medium=android&r=5l6xoe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Prospero", "display_name": "Prospero", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "FileHash-MD5": 1, "domain": 178, "URL": 97, "hostname": 8, "FileHash-SHA256": 1 }, "indicator_count": 287, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "312 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "563 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f67abbd79b33250fc28e1c", "name": "Rustdoor Malware", "description": "Rustdoor Malware", "modified": "2024-10-27T09:03:48.667000", "created": "2024-09-27T09:28:27.177000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IndoOpenThreatXchange", "id": "286483", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "domain": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 89, "modified_text": "582 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e998f85770285b5e00a459", "name": "LinkedIn Cryptocurrency Users Targeted by North Korean Attackers", "description": "", "modified": "2024-10-17T14:02:59.681000", "created": "2024-09-17T14:58:00.374000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 7, "domain": 3 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f108f350873928856d1b48", "name": "Jamf Threat Labs observes targeted attacks amid FBI warnings ", "description": "", "modified": "2024-10-17T13:00:37.185000", "created": "2024-09-23T06:21:39.029000", "tags": [ "northkorea", "thiefbucket", "rustdoor", "socialengineering", "infostealer", "malware", "cryptoindustry", "backdoor" ], "references": [ "https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/" ], "public": 1, "adversary": "Democratic People's Republic of Korea (DPRK)", "targeted_countries": [], "malware_families": [ { "id": "Thiefbucket", "display_name": "Thiefbucket", "target": null }, { "id": "Rustdoor", "display_name": "Rustdoor", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1505.002", "name": "Transport Agent", "display_name": "T1505.002 - Transport Agent" }, { "id": "T1547.010", "name": "Port Monitors", "display_name": "T1547.010 - Port Monitors" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "display_name": "T1546.003 - Windows Management Instrumentation Event Subscription" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1589.001", "name": "Credentials", "display_name": "T1589.001 - Credentials" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "66e98a4297c7a88ba6af3431", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 7, "URL": 2, "domain": 3 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f12b4950a77de1e4e45ce2", "name": "Jamf Threat Labs observes targeted attacks amid FBI warnings", "description": "", "modified": "2024-10-17T13:00:37.185000", "created": "2024-09-23T08:48:09.100000", "tags": [ "northkorea", "thiefbucket", "rustdoor", "socialengineering", "infostealer", "malware", "cryptoindustry", "backdoor" ], "references": [ "https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/" ], "public": 1, "adversary": "Democratic People's Republic of Korea (DPRK)", "targeted_countries": [], "malware_families": [ { "id": "Thiefbucket", "display_name": "Thiefbucket", "target": null }, { "id": "Rustdoor", "display_name": "Rustdoor", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1505.002", "name": "Transport Agent", "display_name": "T1505.002 - Transport Agent" }, { "id": "T1547.010", "name": "Port Monitors", "display_name": "T1547.010 - Port Monitors" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "display_name": "T1546.003 - Windows Management Instrumentation Event Subscription" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1589.001", "name": "Credentials", "display_name": "T1589.001 - Credentials" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "66f108f350873928856d1b48", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 7, "URL": 2, "domain": 3 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e96761128c224abbd172fe", "name": "Jamf Threat Labs Observes Targeted Attacks Amid FBI Warnings", "description": "", "modified": "2024-10-17T11:04:02.069000", "created": "2024-09-17T11:26:25.754000", "tags": [ "jamf threat", "labs", "dprk", "jamf", "linkedin", "hr team" ], "references": [ "https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 7, "URL": 2, "domain": 4 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "wiresapplication.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "wiresapplication.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780339175.5584323 }