{ "type": "Domain", "indicator": "wirexpro.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/wirexpro.com", "alexa": "http://www.alexa.com/siteinfo/wirexpro.com", "indicator": "wirexpro.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3203062446, "indicator": "wirexpro.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "68b9d266a57b122998115dc6", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverage multiple intelligence sources including Validin, VirusTotal, and Maltrail. Despite being aware of their infrastructure's detectability, they make only limited changes to reduce detection risk, focusing instead on rapidly deploying new infrastructure to sustain operations. The actors' effectiveness is evident in their engagement of over 230 victims between January and March 2025, primarily targeting individuals in the cryptocurrency industry. Their activities involve sophisticated social engineering tactics, including the ClickFix technique, to trick targets into executing malware.", "modified": "2025-10-04T17:00:59.344000", "created": "2025-09-04T17:54:46.837000", "tags": [ "cyber espionage", "social engineering", "north korea", "job seeker targeting", "clickfix", "lazarus", "infrastructure monitoring", "cryptocurrency", "contagiousdrop" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops" ], "public": 1, "adversary": "Contagious Interview", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 44164, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 116, "FileHash-SHA1": 99, "FileHash-SHA256": 246, "CVE": 1, "domain": 2140, "hostname": 1231 }, "indicator_count": 3833, "is_author": false, "is_subscribing": null, "subscriber_count": 386655, "modified_text": "239 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642bced38fc9a6b1486ef7eb", "name": "Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack", "description": "Security firm Kaspersky has published a new blog regarding a backdoor that was deployed through the supply chain attack on 3CX, in combination with an info-stealer. The 3cx supply chain attack infected companies all over the world, especially in France, Italy, Germany, and Brazil. The gopuram backdoor might be the main implant and the final payload in the attack chain. This implant was deployed in less than 10 machines only.", "modified": "2023-04-04T07:16:34.290000", "created": "2023-04-04T07:16:34.290000", "tags": [ "lazarus", "gopuram", "apt", "backdoor", "data theft", "targeted attacks", "c2 server", "supply chain attack", "espionage" ], "references": [ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "France", "Italy", "Germany", "Brazil" ], "malware_families": [ { "id": "Gopuram", "display_name": "Gopuram", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 373, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 386655, "modified_text": "1154 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6389ba34f94a8d7d10c250e8", "name": "Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware", "description": "In February 2021, CISA published an advisory concerning the AppleJeus malware. The advisory describes the variants observed from 2018 to 2021. Volexity has identified a similar campaign taking place between June and October 2022 using new variants of AppleJeus. The campaign from June 2022 follows the same broad pattern as the one described by CISA: a cryptocurrency application packaged in a malicious MSI file.", "modified": "2022-12-02T10:34:54.220000", "created": "2022-12-02T08:41:24.880000", "tags": [ "lazarus", "applejeus", "bitcoin", "trojan" ], "references": [ "https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "AppleJeus", "display_name": "AppleJeus", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 396, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 9, "FileHash-SHA256": 17, "URL": 1, "domain": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386656, "modified_text": "1277 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64886ada7313b886df588f8f", "name": "domains", "description": "domains", "modified": "2023-06-13T13:10:50.659000", "created": "2023-06-13T13:10:50.659000", "tags": [ "domain" ], "references": [ "entities (48).csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ASQ505sa", "id": "217420", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 23, "domain": 91 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1083 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647dcc6d873f676e172ee39b", "name": "Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack", "description": "", "modified": "2023-06-05T11:52:13.602000", "created": "2023-06-05T11:52:13.602000", "tags": [ "lazarus", "gopuram", "apt", "backdoor", "data theft", "targeted attacks", "c2 server", "supply chain attack", "espionage" ], "references": [ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "France", "Italy", "Germany", "Brazil" ], "malware_families": [ { "id": "Gopuram", "display_name": "Gopuram", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": "6478562a5ec5fca816e6cc71", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "1091 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6478562a5ec5fca816e6cc71", "name": "Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack", "description": "", "modified": "2023-06-01T08:26:18.968000", "created": "2023-06-01T08:26:18.968000", "tags": [ "lazarus", "gopuram", "apt", "backdoor", "data theft", "targeted attacks", "c2 server", "supply chain attack", "espionage" ], "references": [ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "France", "Italy", "Germany", "Brazil" ], "malware_families": [ { "id": "Gopuram", "display_name": "Gopuram", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": "642bced38fc9a6b1486ef7eb", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "1096 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647856193964f470540e4fc6", "name": "Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack", "description": "", "modified": "2023-06-01T08:26:01.324000", "created": "2023-06-01T08:26:01.324000", "tags": [ "lazarus", "gopuram", "apt", "backdoor", "data theft", "targeted attacks", "c2 server", "supply chain attack", "espionage" ], "references": [ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "France", "Italy", "Germany", "Brazil" ], "malware_families": [ { "id": "Gopuram", "display_name": "Gopuram", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": "642bced38fc9a6b1486ef7eb", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "1096 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642cb0fd98d6f08dc71fe125", "name": "InQuest - 04-04-2023", "description": "", "modified": "2023-05-04T23:04:14.165000", "created": "2023-04-04T23:21:33.905000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 50, "hostname": 302, "URL": 1673, "domain": 1023, "FileHash-SHA1": 23, "FileHash-MD5": 33 }, "indicator_count": 3104, "is_author": false, "is_subscribing": null, "subscriber_count": 1626, "modified_text": "1123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642b5ecd21d334f86abdc3ee", "name": "InQuest - 03-04-2023", "description": "", "modified": "2023-05-03T23:00:14.992000", "created": "2023-04-03T23:18:37.528000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 287, "URL": 1696, "FileHash-SHA256": 73, "domain": 1158, "FileHash-MD5": 21, "FileHash-SHA1": 20 }, "indicator_count": 3255, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "1124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64402799bc830848d7832260", "name": "Gopuram Deployed within 3CX Attack", "description": "On 3 April 2023, Kaspersky reported that the 3CX supply chain attack dropped the Gopuram backdoor. Kaspersky discovered that the threat actor specifically targeted cryptocurrency companies. In addition to dropping the infostealer, they also dropped two files on infected machines, which loads Gopuram\u2019s main module. Kaspersky has attributed the 3CX campaign to the Lazarus threat actor with medium to high confidence. This is an advanced threat likely operating now, targeting cryptocurrency organizations. Even though the initial compromise was widespread, actual post-exploitation infections are currently reported as limited and customers do not fit the adversary\u2019s interest and makes the likelihood of compromise lower than normal. ATI recommends mitigative action occur within the normal business cycle, which includes incorporating the hashes in your defense-in-depth-strategy and updating or uninstalling the 3CX desktop client.", "modified": "2023-04-19T17:40:41.231000", "created": "2023-04-19T17:40:41.231000", "tags": [ "dw-osint-cib" ], "references": [ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "France", "Italy", "Germany", "Brazil" ], "malware_families": [ { "id": "Roaming Mantis", "display_name": "Roaming Mantis", "target": null }, { "id": "Gopuram", "display_name": "Gopuram", "target": null } ], "attack_ids": [ { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Transportation", "Agriculture", "Government", "Finance", "Cryptocurrency" ], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 5, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "1138 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642d485892780b90e76da3dd", "name": "Gopuram 3CXDesktop supply chain Campaign", "description": "On March 29, Crowdstrike published a report about a supply chain attack conducted via 3CXDesktopApp, a popular VoIP program. Since then, the security community has started analyzing the attack and sharing their findings. The following has been discovered so far:\n\u2022\tThe infection is spread via 3CXDesktopApp MSI installers. An installer for macOS has also been trojanized.\n\u2022\tThe malicious installation package contains an infected dll library that decrypts a shellcode from the d3dcompiler_47.dll library\u2019s overlay and executes it.\n\u2022\tThe decrypted payload extracts C2 server URLs from icons stored in a GitHub repository (the repository is removed).\n\u2022\tThe payload connects to one of the C2 servers, downloads an infostealer and starts it.\n\u2022\tThe infostealer collects system information and browser history, then sends it to the C2 server.", "modified": "2023-04-05T10:07:20.061000", "created": "2023-04-05T10:07:20.061000", "tags": [ "gopuram", "3CX", "Trojan", "Supply chain", "Lazarus" ], "references": [ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/", "https://thehackernews.com/2023/03/3cx-desktop-app-targeted-in-supply.html" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "gopuram", "display_name": "gopuram", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FilePath": 2, "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 244, "modified_text": "1153 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "638ddf112cb7b34158e85537", "name": "Hackers Spread AppleJeus Malware Disguised as Cryptocurrency Apps", "description": "The Lazarus Group threat actor has been observed leveraging fake cryptocurrency apps as a lure to deliver a previously undocumented version of the AppleJeus malware, according to new findings from Volexity.\n\n\"This activity notably involves a campaign likely targeting cryptocurrency users and organizations with a variant of the AppleJeus malware by way of malicious Microsoft Office documents,\" researchers Callum Roxan, Paul Rascagneres, and Robert Jan Mora said.\n\nThe North Korean government is known to adopt a three-pronged approach by employing malicious cyber activity designed to collect intelligence, conduct attacks, and generate illicit revenue for the sanctions hit nation. The threats are collectively tracked under the name Lazarus Group (aka Hidden Cobra or Zinc).", "modified": "2023-01-05T01:05:11.215000", "created": "2022-12-05T12:07:45.681000", "tags": [ "msi installer", "applejeus", "applejeus c2", "Sandworm", "Execution", "Malware" ], "references": [ "https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "AppleJeus (OS X)", "display_name": "AppleJeus (OS X)", "target": null }, { "id": "AppleJeus (Windows)", "display_name": "AppleJeus (Windows)", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 296, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Provintell-Lab", "id": "112104", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 42, "FileHash-SHA1": 42, "FileHash-SHA256": 44, "domain": 34, "CVE": 1 }, "indicator_count": 163, "is_author": false, "is_subscribing": null, "subscriber_count": 253, "modified_text": "1243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6396e9c2546890a3546f8d85", "name": "\u20bfuyer \u20bfeware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware", "description": "Lazarus Group: nuove offensive colpiscono societ\u00e0 operanti nel settore delle", "modified": "2022-12-12T08:43:46.691000", "created": "2022-12-12T08:43:46.691000", "tags": [ "Lazarus Group" ], "references": [ "2649960.misp-json", "https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/", "https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/", "https://od.lk/d/d021d412be456a6f78a0052a1f0e3557dcfa14bf25f9d0f1d0d2d7dcdac86c73/Background.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otx_support", "id": "26678", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "FileHash-SHA256": 18, "FileHash-MD5": 12, "FileHash-SHA1": 12 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 211, "modified_text": "1267 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63931413219f2b0bc66b8770", "name": "Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware", "description": "", "modified": "2022-12-09T10:55:15.293000", "created": "2022-12-09T10:55:15.293000", "tags": [ "lazarus", "applejeus", "korean lazarus", "lazarus group", "windows", "haasonline", "appdata", "apt38", "apts", "january", "team", "april" ], "references": [ "https://www.malwarebytes.com/blog/news/2022/12/lazarus-group-uses-fake-cryptocurrency-apps-to-plant-applejeus-malware" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "AppleJeus", "display_name": "AppleJeus", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 6 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1269 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63927abf7ab366ea14a9121b", "name": "Buyer Beware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware", "description": "", "modified": "2022-12-09T00:01:03.371000", "created": "2022-12-09T00:01:03.371000", "tags": [ "OSINT", "Lazarus", "APT38", "AppleJeus", "DLLsideloading", "T1574.002", "T1574.001" ], "references": [ "https://community.riskiq.com/article/241b380a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 16, "domain": 6 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1270 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "638f3df5de715aabae0ba42c", "name": "Lazarus Use Fake Crypto Apps Under the BloxHolder Brand", "description": "", "modified": "2022-12-06T13:04:52.067000", "created": "2022-12-06T13:04:52.067000", "tags": [], "references": [ "Lazarus Use Fake Crypto Apps Under the BloxHolder Brand" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 14, "FileHash-SHA256": 16, "domain": 6 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "1272 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "638dca3f1ddc962091299327", "name": "\u20bfuyer \u20bfeware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware | Volexity", "description": "Volexity, a security firm, has published an analysis of recent variants of the AppleJeus malware that is used by North Korean hackers to launch attacks on cryptocurrency users and other targets.", "modified": "2022-12-05T10:38:55.906000", "created": "2022-12-05T10:38:55.906000", "tags": [ "lazarus", "applejeus", "volexity", "lazarus group", "dll sideloading", "figure", "msi installer", "applejeus c2", "cisa", "june", "msi file", "front", "malicious", "february", "service" ], "references": [ "https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "AppleJeus", "display_name": "AppleJeus", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 16, "FileHash-SHA256": 17, "CVE": 1, "URL": 2, "domain": 7 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1274 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/", "Lazarus Use Fake Crypto Apps Under the BloxHolder Brand", "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/", "https://www.malwarebytes.com/blog/news/2022/12/lazarus-group-uses-fake-cryptocurrency-apps-to-plant-applejeus-malware", "https://community.riskiq.com/article/241b380a", "https://thehackernews.com/2023/03/3cx-desktop-app-targeted-in-supply.html", "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops", "https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/", "entities (48).csv", "https://od.lk/d/d021d412be456a6f78a0052a1f0e3557dcfa14bf25f9d0f1d0d2d7dcdac86c73/Background.png", "2649960.misp-json", "https://labs.inquest.net/iocdb" ], "related": { "alienvault": { "adversary": [ "Contagious Interview", "Lazarus" ], "malware_families": [ "Applejeus", "Gopuram" ], "industries": [ "Finance", "Technology", "Cryptocurrency" ] }, "other": { "adversary": [ "Lazarus Group", "Lazarus" ], "malware_families": [ "Gopuram", "Roaming mantis", "Applejeus", "Applejeus (os x)", "Applejeus (windows)" ], "industries": [ "Finance", "Government", "Agriculture", "Transportation", "Cryptocurrency" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "68b9d266a57b122998115dc6", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverage multiple intelligence sources including Validin, VirusTotal, and Maltrail. Despite being aware of their infrastructure's detectability, they make only limited changes to reduce detection risk, focusing instead on rapidly deploying new infrastructure to sustain operations. The actors' effectiveness is evident in their engagement of over 230 victims between January and March 2025, primarily targeting individuals in the cryptocurrency industry. Their activities involve sophisticated social engineering tactics, including the ClickFix technique, to trick targets into executing malware.", "modified": "2025-10-04T17:00:59.344000", "created": "2025-09-04T17:54:46.837000", "tags": [ "cyber espionage", "social engineering", "north korea", "job seeker targeting", "clickfix", "lazarus", "infrastructure monitoring", "cryptocurrency", "contagiousdrop" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops" ], "public": 1, "adversary": "Contagious Interview", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 44164, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 116, "FileHash-SHA1": 99, "FileHash-SHA256": 246, "CVE": 1, "domain": 2140, "hostname": 1231 }, "indicator_count": 3833, "is_author": false, "is_subscribing": null, "subscriber_count": 386655, "modified_text": "239 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642bced38fc9a6b1486ef7eb", "name": "Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack", "description": "Security firm Kaspersky has published a new blog regarding a backdoor that was deployed through the supply chain attack on 3CX, in combination with an info-stealer. The 3cx supply chain attack infected companies all over the world, especially in France, Italy, Germany, and Brazil. The gopuram backdoor might be the main implant and the final payload in the attack chain. This implant was deployed in less than 10 machines only.", "modified": "2023-04-04T07:16:34.290000", "created": "2023-04-04T07:16:34.290000", "tags": [ "lazarus", "gopuram", "apt", "backdoor", "data theft", "targeted attacks", "c2 server", "supply chain attack", "espionage" ], "references": [ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "France", "Italy", "Germany", "Brazil" ], "malware_families": [ { "id": "Gopuram", "display_name": "Gopuram", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 373, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 386655, "modified_text": "1154 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6389ba34f94a8d7d10c250e8", "name": "Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware", "description": "In February 2021, CISA published an advisory concerning the AppleJeus malware. The advisory describes the variants observed from 2018 to 2021. Volexity has identified a similar campaign taking place between June and October 2022 using new variants of AppleJeus. The campaign from June 2022 follows the same broad pattern as the one described by CISA: a cryptocurrency application packaged in a malicious MSI file.", "modified": "2022-12-02T10:34:54.220000", "created": "2022-12-02T08:41:24.880000", "tags": [ "lazarus", "applejeus", "bitcoin", "trojan" ], "references": [ "https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "AppleJeus", "display_name": "AppleJeus", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 396, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 9, "FileHash-SHA256": 17, "URL": 1, "domain": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386656, "modified_text": "1277 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64886ada7313b886df588f8f", "name": "domains", "description": "domains", "modified": "2023-06-13T13:10:50.659000", "created": "2023-06-13T13:10:50.659000", "tags": [ "domain" ], "references": [ "entities (48).csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ASQ505sa", "id": "217420", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 23, "domain": 91 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "1083 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647dcc6d873f676e172ee39b", "name": "Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack", "description": "", "modified": "2023-06-05T11:52:13.602000", "created": "2023-06-05T11:52:13.602000", "tags": [ "lazarus", "gopuram", "apt", "backdoor", "data theft", "targeted attacks", "c2 server", "supply chain attack", "espionage" ], "references": [ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "France", "Italy", "Germany", "Brazil" ], "malware_families": [ { "id": "Gopuram", "display_name": "Gopuram", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": "6478562a5ec5fca816e6cc71", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "1091 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6478562a5ec5fca816e6cc71", "name": "Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack", "description": "", "modified": "2023-06-01T08:26:18.968000", "created": "2023-06-01T08:26:18.968000", "tags": [ "lazarus", "gopuram", "apt", "backdoor", "data theft", "targeted attacks", "c2 server", "supply chain attack", "espionage" ], "references": [ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "France", "Italy", "Germany", "Brazil" ], "malware_families": [ { "id": "Gopuram", "display_name": "Gopuram", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": "642bced38fc9a6b1486ef7eb", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "1096 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647856193964f470540e4fc6", "name": "Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack", "description": "", "modified": "2023-06-01T08:26:01.324000", "created": "2023-06-01T08:26:01.324000", "tags": [ "lazarus", "gopuram", "apt", "backdoor", "data theft", "targeted attacks", "c2 server", "supply chain attack", "espionage" ], "references": [ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "France", "Italy", "Germany", "Brazil" ], "malware_families": [ { "id": "Gopuram", "display_name": "Gopuram", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": "642bced38fc9a6b1486ef7eb", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "1096 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642cb0fd98d6f08dc71fe125", "name": "InQuest - 04-04-2023", "description": "", "modified": "2023-05-04T23:04:14.165000", "created": "2023-04-04T23:21:33.905000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 50, "hostname": 302, "URL": 1673, "domain": 1023, "FileHash-SHA1": 23, "FileHash-MD5": 33 }, "indicator_count": 3104, "is_author": false, "is_subscribing": null, "subscriber_count": 1626, "modified_text": "1123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642b5ecd21d334f86abdc3ee", "name": "InQuest - 03-04-2023", "description": "", "modified": "2023-05-03T23:00:14.992000", "created": "2023-04-03T23:18:37.528000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 287, "URL": 1696, "FileHash-SHA256": 73, "domain": 1158, "FileHash-MD5": 21, "FileHash-SHA1": 20 }, "indicator_count": 3255, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "1124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64402799bc830848d7832260", "name": "Gopuram Deployed within 3CX Attack", "description": "On 3 April 2023, Kaspersky reported that the 3CX supply chain attack dropped the Gopuram backdoor. Kaspersky discovered that the threat actor specifically targeted cryptocurrency companies. In addition to dropping the infostealer, they also dropped two files on infected machines, which loads Gopuram\u2019s main module. Kaspersky has attributed the 3CX campaign to the Lazarus threat actor with medium to high confidence. This is an advanced threat likely operating now, targeting cryptocurrency organizations. Even though the initial compromise was widespread, actual post-exploitation infections are currently reported as limited and customers do not fit the adversary\u2019s interest and makes the likelihood of compromise lower than normal. ATI recommends mitigative action occur within the normal business cycle, which includes incorporating the hashes in your defense-in-depth-strategy and updating or uninstalling the 3CX desktop client.", "modified": "2023-04-19T17:40:41.231000", "created": "2023-04-19T17:40:41.231000", "tags": [ "dw-osint-cib" ], "references": [ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "France", "Italy", "Germany", "Brazil" ], "malware_families": [ { "id": "Roaming Mantis", "display_name": "Roaming Mantis", "target": null }, { "id": "Gopuram", "display_name": "Gopuram", "target": null } ], "attack_ids": [ { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Transportation", "Agriculture", "Government", "Finance", "Cryptocurrency" ], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 5, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "1138 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "wirexpro.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "wirexpro.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780311235.3760266 }