{ "type": "Domain", "indicator": "worm.ws", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/worm.ws", "alexa": "http://www.alexa.com/siteinfo/worm.ws", "indicator": "worm.ws", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2660744457, "indicator": "worm.ws", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-05-31T01:02:14", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 64343, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 880099, "is_author": false, "is_subscribing": null, "subscriber_count": 300, "modified_text": "14 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5cc6a313b7dbe820ae888310", "name": "Nemucod - Malware Domain Feed V2", "description": "Command and Control domains for malware known as Nemucod. These domains are extracted from malware sandbox reports using a Machine Learning model trained on a corpus of good and bad domains.", "modified": "2026-05-28T16:07:38.640000", "created": "2019-04-29T07:09:07.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 53, "hostname": 14 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 1104, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5edab7b975540cfbfbd46ff0", "name": "Phorpiex - Malware Domain Feed V2", "description": "Command and Control domains for Phorpiex. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-04-30T09:06:42.985000", "created": "2020-06-05T21:23:05.297000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 593805, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo_testing", "id": "83138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 267, "hostname": 2 }, "indicator_count": 269, "is_author": false, "is_subscribing": null, "subscriber_count": 582, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5eb18f2f8a1b88cc8d48a8ae", "name": "Nemucod - Malware Domain Feed V2", "description": "Command and Control domains for Nemucod. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-04-30T08:17:12.475000", "created": "2020-05-05T16:07:11.029000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo_testing", "id": "83138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 49, "hostname": 12 }, "indicator_count": 61, "is_author": false, "is_subscribing": null, "subscriber_count": 580, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5cc055a824f90d34eb5887ec", "name": "Phorpiex - Malware Domain Feed V2", "description": "Command and Control domains for malware known as Phorpiex. These domains are extracted from malware sandbox reports using a Machine Learning model trained on a corpus of good and bad domains.", "modified": "2026-04-14T01:40:16.063000", "created": "2019-04-24T12:25:12.400000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 80, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 241, "hostname": 3 }, "indicator_count": 244, "is_author": false, "is_subscribing": null, "subscriber_count": 1090, "modified_text": "47 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67e9422a3684f74fa1d48a7b", "name": "AS17444", "description": "", "modified": "2026-02-16T01:47:32.892000", "created": "2025-03-30T13:07:54.378000", "tags": [], "references": [ "https://www.virustotal.com/graph/g50cc08bd96a9492eb8bbe6efdb32b9b9b513b2b618a74cae9b1bedec4c73ad55" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 101, "FileHash-SHA256": 331, "URL": 429, "domain": 149, "hostname": 99 }, "indicator_count": 1223, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696ab992042bf045c796d576", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(127), Sliver(44), Cobalt Strike(42). Source: abuse.ch ThreatFox API. SSL enriched: 58 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T22:20:02.356000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 56, "domain": 30, "hostname": 28, "FileHash-MD5": 20 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696ac09dd56a38c1a3a9b0a9", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(127), Sliver(44), Cobalt Strike(42). Source: abuse.ch ThreatFox API. SSL enriched: 58 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T22:50:05.427000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "domain": 29, "hostname": 28, "FileHash-MD5": 20 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696aab8238a282cf393e2db8", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(124), Sliver(44), Cobalt Strike(42). Source: abuse.ch ThreatFox API. SSL enriched: 57 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T21:04:57.122000", "created": "2026-01-16T21:20:02.305000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 56, "domain": 33, "hostname": 28, "FileHash-MD5": 20 }, "indicator_count": 137, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696ab28c95b166de6890c5cf", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(124), Sliver(44), Cobalt Strike(42). Source: abuse.ch ThreatFox API. SSL enriched: 57 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T21:04:57.122000", "created": "2026-01-16T21:50:04.199000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 56, "domain": 33, "hostname": 28, "FileHash-MD5": 20 }, "indicator_count": 137, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a9d74f9bdf3767989ec68", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(124), Sliver(44), Cobalt Strike(42). Source: abuse.ch ThreatFox API. SSL enriched: 59 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T20:02:29.556000", "created": "2026-01-16T20:20:04.018000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 55, "domain": 34, "hostname": 28, "FileHash-MD5": 20 }, "indicator_count": 137, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696aa47e96c0cb4622baf800", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(124), Sliver(44), Cobalt Strike(42). Source: abuse.ch ThreatFox API. SSL enriched: 59 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T20:02:29.556000", "created": "2026-01-16T20:50:06.406000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 56, "domain": 33, "hostname": 28, "FileHash-MD5": 20 }, "indicator_count": 137, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a8f633aa8863587306113", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(122), Sliver(44), Cobalt Strike(43). Source: abuse.ch ThreatFox API. SSL enriched: 58 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T19:04:12.861000", "created": "2026-01-16T19:20:03.189000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 55, "domain": 39, "hostname": 28, "FileHash-MD5": 20 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a966e99502dde4c71e968", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(122), Sliver(44), Cobalt Strike(43). Source: abuse.ch ThreatFox API. SSL enriched: 58 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T19:04:12.861000", "created": "2026-01-16T19:50:06.761000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 55, "domain": 38, "hostname": 28, "FileHash-MD5": 20 }, "indicator_count": 141, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a8154a07666215cd938d1", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(131), Sliver(46), Cobalt Strike(43). Source: abuse.ch ThreatFox API. SSL enriched: 56 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T18:05:00.711000", "created": "2026-01-16T18:20:04.441000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "URL": 54, "domain": 51, "FileHash-MD5": 20 }, "indicator_count": 153, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a885f662e09f079759b04", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(131), Sliver(44), Cobalt Strike(43). Source: abuse.ch ThreatFox API. SSL enriched: 56 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T18:05:00.711000", "created": "2026-01-16T18:50:07.848000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "URL": 54, "domain": 43, "FileHash-MD5": 20 }, "indicator_count": 145, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a6fdca267d31c25a456bd", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(131), Sliver(46), Cobalt Strike(43). Source: abuse.ch ThreatFox API. SSL enriched: 55 IPs with HTTPS, 19 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T17:04:01.274000", "created": "2026-01-16T17:05:32.102000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 53, "domain": 60, "FileHash-MD5": 20, "hostname": 23 }, "indicator_count": 156, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a7363882c0e30a358088a", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(131), Sliver(46), Cobalt Strike(43). Source: abuse.ch ThreatFox API. SSL enriched: 55 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T17:04:01.274000", "created": "2026-01-16T17:20:35.764000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 53, "domain": 60, "FileHash-MD5": 20, "hostname": 23 }, "indicator_count": 156, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a7529df72b03cf07767c6", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(131), Sliver(46), Cobalt Strike(43). Source: abuse.ch ThreatFox API. SSL enriched: 55 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T17:04:01.274000", "created": "2026-01-16T17:28:09.800000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 60, "URL": 53, "FileHash-MD5": 20, "hostname": 23 }, "indicator_count": 156, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a7a49cae21f666ff9c301", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(131), Sliver(46), Cobalt Strike(43). Source: abuse.ch ThreatFox API. SSL enriched: 55 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T17:04:01.274000", "created": "2026-01-16T17:50:01.350000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 60, "URL": 53, "FileHash-MD5": 20, "hostname": 23 }, "indicator_count": 156, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a6534c455be5ba9f51c2d", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(111), Sliver(46), Cobalt Strike(43). Source: abuse.ch ThreatFox API. SSL enriched: 62 IPs with HTTPS, 23 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T16:04:16.648000", "created": "2026-01-16T16:20:04.257000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 22, "domain": 84, "URL": 51 }, "indicator_count": 157, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a6c3fa552ab6c2a8bb4c8", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(131), Sliver(46), Cobalt Strike(43). Source: abuse.ch ThreatFox API. SSL enriched: 62 IPs with HTTPS, 23 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T16:04:16.648000", "created": "2026-01-16T16:50:07.427000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 53, "hostname": 23, "FileHash-MD5": 20, "domain": 60 }, "indicator_count": 156, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a5722609b2498d4e63c78", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(101), Sliver(45), Cobalt Strike(43). Source: abuse.ch ThreatFox API. SSL enriched: 61 IPs with HTTPS, 22 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T15:00:02.587000", "created": "2026-01-16T15:20:02.786000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 20, "domain": 94, "URL": 51 }, "indicator_count": 165, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "105 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a5e2d8456ca0543dffed2", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(112), Sliver(45), Cobalt Strike(43). Source: abuse.ch ThreatFox API. SSL enriched: 61 IPs with HTTPS, 22 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T15:00:02.587000", "created": "2026-01-16T15:50:05.616000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 94, "hostname": 20, "URL": 51 }, "indicator_count": 165, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "105 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a49170c5dee79e6b43733", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(102), Sliver(44), Cobalt Strike(41). Source: abuse.ch ThreatFox API. SSL enriched: 61 IPs with HTTPS, 22 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T14:01:43.436000", "created": "2026-01-16T14:20:07.530000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 45, "domain": 111, "hostname": 12 }, "indicator_count": 168, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "105 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a501e4fe83c7a20725856", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(102), Sliver(45), Cobalt Strike(41). Source: abuse.ch ThreatFox API. SSL enriched: 61 IPs with HTTPS, 22 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T14:01:43.436000", "created": "2026-01-16T14:50:06.213000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 14, "domain": 108, "URL": 45 }, "indicator_count": 167, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "105 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a3b03269e4a63914dd2ab", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(101), Sliver(44), Cobalt Strike(41). Source: abuse.ch ThreatFox API. SSL enriched: 63 IPs with HTTPS, 24 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T13:02:57.338000", "created": "2026-01-16T13:20:03.187000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 41, "domain": 116, "hostname": 12 }, "indicator_count": 169, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "105 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a420c349ab6a1d3ea1c34", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(101), Sliver(44), Cobalt Strike(41). Source: abuse.ch ThreatFox API. SSL enriched: 63 IPs with HTTPS, 24 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T13:02:57.338000", "created": "2026-01-16T13:50:04.246000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 45, "domain": 112, "hostname": 12 }, "indicator_count": 169, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "105 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a2cf8a9f301adb2735e6b", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(63), Sliver(44), AsyncRAT(43). Source: abuse.ch ThreatFox API. SSL enriched: 64 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T12:01:01.586000", "created": "2026-01-16T12:20:08.946000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 133, "hostname": 12, "URL": 28 }, "indicator_count": 173, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "105 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696a33fdbbe17d7294fe0232", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(64), Sliver(44), AsyncRAT(43). Source: abuse.ch ThreatFox API. SSL enriched: 64 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T12:01:01.586000", "created": "2026-01-16T12:50:05.821000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "domain": 133, "hostname": 12 }, "indicator_count": 172, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "105 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696bbf89bc1d095b6f266aec", "name": "ThreatFox Hunt: Phorpiex IOCs - 2026-01-17", "description": "Automated ThreatFox hunt for Phorpiex indicators. 238 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-17T16:57:45.547000", "created": "2026-01-17T16:57:45.547000", "tags": [ "phorpiex", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Phorpiex", "display_name": "Phorpiex", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 115, "domain": 123 }, "indicator_count": 238, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "133 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b72c6cff1c7b411f9cd17", "name": "PreCog Sweep - 2026-01-17 11h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T11:30:14.521000", "created": "2026-01-17T11:30:14.521000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 172, "domain": 142, "hostname": 32 }, "indicator_count": 346, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b706d44e778ead16be3c7", "name": "PreCog Sweep - 2026-01-17 11h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T11:20:13.541000", "created": "2026-01-17T11:20:13.541000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 172, "domain": 142, "hostname": 32 }, "indicator_count": 346, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b6bbef16e8ca2dd6ddb26", "name": "PreCog Sweep - 2026-01-17 11h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T11:00:14.235000", "created": "2026-01-17T11:00:14.235000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 142, "hostname": 35, "URL": 182 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b6966180bc03367a105b9", "name": "PreCog Sweep - 2026-01-17 10h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T10:50:14.177000", "created": "2026-01-17T10:50:14.177000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 182, "hostname": 36, "domain": 140 }, "indicator_count": 358, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b670d59cfa733127f07d6", "name": "PreCog Sweep - 2026-01-17 10h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T10:40:13.555000", "created": "2026-01-17T10:40:13.555000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 182, "hostname": 36, "domain": 140 }, "indicator_count": 358, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b64b70faf2418493ba9b8", "name": "PreCog Sweep - 2026-01-17 10h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T10:30:15.250000", "created": "2026-01-17T10:30:15.250000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 182, "hostname": 37, "domain": 140 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b625e4490c88cf27b7730", "name": "PreCog Sweep - 2026-01-17 10h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T10:20:14.457000", "created": "2026-01-17T10:20:14.457000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 182, "hostname": 37, "domain": 140 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b6005675a148f61cd3073", "name": "PreCog Sweep - 2026-01-17 10h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T10:10:13.911000", "created": "2026-01-17T10:10:13.911000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 182, "hostname": 37, "domain": 140 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b5daeeca495f8492f7096", "name": "PreCog Sweep - 2026-01-17 10h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T10:00:14.912000", "created": "2026-01-17T10:00:14.912000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 182, "hostname": 37, "domain": 140 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b5b55580b0dae3846c1f4", "name": "PreCog Sweep - 2026-01-17 09h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T09:50:13.244000", "created": "2026-01-17T09:50:13.244000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 182, "hostname": 37, "domain": 140 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b58fdd60cd3934fa9a12d", "name": "PreCog Sweep - 2026-01-17 09h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T09:40:13.874000", "created": "2026-01-17T09:40:13.874000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 182, "hostname": 37, "domain": 140 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b56a487e7db5c9cf6378b", "name": "PreCog Sweep - 2026-01-17 09h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T09:30:12.779000", "created": "2026-01-17T09:30:12.779000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 181, "hostname": 38, "domain": 140 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b544e12e1c6caeb7c27c3", "name": "PreCog Sweep - 2026-01-17 09h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T09:20:14.704000", "created": "2026-01-17T09:20:14.704000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 181, "hostname": 38, "domain": 140 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b51f50b44661c985c98fe", "name": "PreCog Sweep - 2026-01-17 09h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T09:10:13.711000", "created": "2026-01-17T09:10:13.711000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 181, "hostname": 38, "domain": 140 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b4f9ec889ea8d9bffbc51", "name": "PreCog Sweep - 2026-01-17 09h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T09:00:14.442000", "created": "2026-01-17T09:00:14.442000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 181, "hostname": 38, "domain": 140 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b4d47cdb924a524247a53", "name": "PreCog Sweep - 2026-01-17 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T08:50:15.606000", "created": "2026-01-17T08:50:15.606000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 181, "hostname": 38, "domain": 140 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b4aed05046cd8e49bccb2", "name": "PreCog Sweep - 2026-01-17 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T08:40:13.242000", "created": "2026-01-17T08:40:13.242000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 181, "hostname": 59, "domain": 140 }, "indicator_count": 380, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b4896a95f5755d92d0a74", "name": "PreCog Sweep - 2026-01-17 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T08:30:14.045000", "created": "2026-01-17T08:30:14.045000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 181, "hostname": 59, "domain": 140 }, "indicator_count": 380, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696b463d8d8f527419700749", "name": "PreCog Sweep - 2026-01-17 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-17T08:20:13.525000", "created": "2026-01-17T08:20:13.525000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 181, "hostname": 59, "domain": 140 }, "indicator_count": 380, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "134 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://threatfox.abuse.ch", "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://analytics.dugganusa.com/api/v1/stix/master", "https://www.virustotal.com/graph/g50cc08bd96a9492eb8bbe6efdb32b9b9b513b2b618a74cae9b1bedec4c73ad55", "https://github.com/pduggusa/dugganusa-research" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Cobalt strike", "Formbook", "Asyncrat", "Phorpiex", "Unknown malware", "Sliver" ], "industries": [ "Industrial", "Government", "Defense" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-05-31T01:02:14", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 64343, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 880099, "is_author": false, "is_subscribing": null, "subscriber_count": 300, "modified_text": "14 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5cc6a313b7dbe820ae888310", "name": "Nemucod - Malware Domain Feed V2", "description": "Command and Control domains for malware known as Nemucod. These domains are extracted from malware sandbox reports using a Machine Learning model trained on a corpus of good and bad domains.", "modified": "2026-05-28T16:07:38.640000", "created": "2019-04-29T07:09:07.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 53, "hostname": 14 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 1104, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5edab7b975540cfbfbd46ff0", "name": "Phorpiex - Malware Domain Feed V2", "description": "Command and Control domains for Phorpiex. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-04-30T09:06:42.985000", "created": "2020-06-05T21:23:05.297000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 593805, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo_testing", "id": "83138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 267, "hostname": 2 }, "indicator_count": 269, "is_author": false, "is_subscribing": null, "subscriber_count": 582, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5eb18f2f8a1b88cc8d48a8ae", "name": "Nemucod - Malware Domain Feed V2", "description": "Command and Control domains for Nemucod. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-04-30T08:17:12.475000", "created": "2020-05-05T16:07:11.029000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo_testing", "id": "83138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 49, "hostname": 12 }, "indicator_count": 61, "is_author": false, "is_subscribing": null, "subscriber_count": 580, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5cc055a824f90d34eb5887ec", "name": "Phorpiex - Malware Domain Feed V2", "description": "Command and Control domains for malware known as Phorpiex. These domains are extracted from malware sandbox reports using a Machine Learning model trained on a corpus of good and bad domains.", "modified": "2026-04-14T01:40:16.063000", "created": "2019-04-24T12:25:12.400000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 80, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 241, "hostname": 3 }, "indicator_count": 244, "is_author": false, "is_subscribing": null, "subscriber_count": 1090, "modified_text": "47 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67e9422a3684f74fa1d48a7b", "name": "AS17444", "description": "", "modified": "2026-02-16T01:47:32.892000", "created": "2025-03-30T13:07:54.378000", "tags": [], "references": [ "https://www.virustotal.com/graph/g50cc08bd96a9492eb8bbe6efdb32b9b9b513b2b618a74cae9b1bedec4c73ad55" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 101, "FileHash-SHA256": 331, "URL": 429, "domain": 149, "hostname": 99 }, "indicator_count": 1223, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696ab992042bf045c796d576", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(127), Sliver(44), Cobalt Strike(42). Source: abuse.ch ThreatFox API. SSL enriched: 58 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T22:20:02.356000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 56, "domain": 30, "hostname": 28, "FileHash-MD5": 20 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696ac09dd56a38c1a3a9b0a9", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(127), Sliver(44), Cobalt Strike(42). Source: abuse.ch ThreatFox API. SSL enriched: 58 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T22:50:05.427000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "domain": 29, "hostname": 28, "FileHash-MD5": 20 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696aab8238a282cf393e2db8", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(124), Sliver(44), Cobalt Strike(42). Source: abuse.ch ThreatFox API. SSL enriched: 57 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T21:04:57.122000", "created": "2026-01-16T21:20:02.305000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 56, "domain": 33, "hostname": 28, "FileHash-MD5": 20 }, "indicator_count": 137, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "696ab28c95b166de6890c5cf", "name": "OSINT Volley 2026-01-16 - Formbook/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Formbook(389), Phorpiex(238), Unknown malware(124), Sliver(44), Cobalt Strike(42). Source: abuse.ch ThreatFox API. SSL enriched: 57 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-15T21:04:57.122000", "created": "2026-01-16T21:50:04.199000", "tags": [ "osint-volley", "threatfox", "automated", "formbook", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 56, "domain": 33, "hostname": 28, "FileHash-MD5": 20 }, "indicator_count": 137, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "104 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "worm.ws", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "worm.ws", "found": true, "verdict": "malicious", "url_count": 3, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "http://worm.ws:8080/winsysdrv.exe", "status": "offline", "threat": "malware_download", "date_added": "2020-11-05", "tags": [ "CoinMiner", "exe" ] }, { "url": "http://worm.ws/avv.exe", "status": "offline", "threat": "malware_download", "date_added": "2020-10-25", "tags": [ "exe", "phorpiex" ] }, { "url": "http://worm.ws/32.exe", "status": "offline", "threat": "malware_download", "date_added": "2020-09-29", "tags": [ "CoinMiner", "CoinMiner.XMRig", "exe", "phorpiex", "Smoke Loader" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780242011.6245584 }