{
  "type": "Domain",
  "indicator": "wpseed.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/wpseed.com",
    "alexa": "http://www.alexa.com/siteinfo/wpseed.com",
    "indicator": "wpseed.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3910220665,
      "indicator": "wpseed.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "67ba2d306c60738da31d6f27",
          "name": "Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia",
          "description": "Cisco Talos has uncovered a new remote access trojan (RAT) used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia, with lures from Turkmenistan.",
          "modified": "2025-03-24T20:00:11.422000",
          "created": "2025-02-22T20:01:52.343000",
          "tags": [
            "rat",
            "threats",
            "spicerat",
            "sneakychef",
            "c2 server",
            "html",
            "cisco secure",
            "talos",
            "rar file",
            "dll loader",
            "hta file",
            "windows task",
            "team",
            "homepage",
            "plugx",
            "umbrella",
            "sugargh0st rat",
            "spivy",
            "sugargh0st",
            "description",
            "friday",
            "june",
            "download",
            "february",
            "generatedthe",
            "tornet",
            "path",
            "span",
            "button",
            "link",
            "script",
            "template",
            "github",
            "form",
            "footer",
            "meta",
            "code",
            "reload",
            "find",
            "close",
            "body",
            "write",
            "small",
            "enterprise",
            "star",
            "courier",
            "copy",
            "open",
            "main",
            "contact"
          ],
          "references": [
            "https://blog.talosintelligence.com/new-spicerat-sneakychef/",
            "https://github.com/Cisco-Talos/IOCs/blob/main/2024/06/new-spicerat-sneakychef.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Angola",
            "Turkmenistan",
            "Poland",
            "Germany"
          ],
          "malware_families": [
            {
              "id": "SugarGh0st RAT",
              "display_name": "SugarGh0st RAT",
              "target": null
            },
            {
              "id": "PlugX",
              "display_name": "PlugX",
              "target": null
            },
            {
              "id": "SPIVY",
              "display_name": "SPIVY",
              "target": null
            },
            {
              "id": "SugarGh0st",
              "display_name": "SugarGh0st",
              "target": null
            },
            {
              "id": "generatedThe",
              "display_name": "generatedThe",
              "target": null
            },
            {
              "id": "TorNet",
              "display_name": "TorNet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            }
          ],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Armature_TIP",
            "id": "308911",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5,
            "hostname": 24,
            "domain": 31,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 25
          },
          "indicator_count": 86,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 42,
          "modified_text": "435 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6677d81e103e5cc6ed445b44",
          "name": "Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia",
          "description": "",
          "modified": "2024-07-23T08:01:09.620000",
          "created": "2024-06-23T08:09:01.754000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "text_account",
            "id": "221593",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 41,
            "FileHash-SHA1": 41,
            "FileHash-SHA256": 863,
            "URL": 78,
            "domain": 30,
            "hostname": 24
          },
          "indicator_count": 1077,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 53,
          "modified_text": "679 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://github.com/Cisco-Talos/IOCs/blob/main/2024/06/new-spicerat-sneakychef.txt",
        "https://blog.talosintelligence.com/new-spicerat-sneakychef/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Tornet",
            "Spivy",
            "Sugargh0st rat",
            "Sugargh0st",
            "Generatedthe",
            "Plugx"
          ],
          "industries": [
            "Government"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "67ba2d306c60738da31d6f27",
      "name": "Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia",
      "description": "Cisco Talos has uncovered a new remote access trojan (RAT) used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia, with lures from Turkmenistan.",
      "modified": "2025-03-24T20:00:11.422000",
      "created": "2025-02-22T20:01:52.343000",
      "tags": [
        "rat",
        "threats",
        "spicerat",
        "sneakychef",
        "c2 server",
        "html",
        "cisco secure",
        "talos",
        "rar file",
        "dll loader",
        "hta file",
        "windows task",
        "team",
        "homepage",
        "plugx",
        "umbrella",
        "sugargh0st rat",
        "spivy",
        "sugargh0st",
        "description",
        "friday",
        "june",
        "download",
        "february",
        "generatedthe",
        "tornet",
        "path",
        "span",
        "button",
        "link",
        "script",
        "template",
        "github",
        "form",
        "footer",
        "meta",
        "code",
        "reload",
        "find",
        "close",
        "body",
        "write",
        "small",
        "enterprise",
        "star",
        "courier",
        "copy",
        "open",
        "main",
        "contact"
      ],
      "references": [
        "https://blog.talosintelligence.com/new-spicerat-sneakychef/",
        "https://github.com/Cisco-Talos/IOCs/blob/main/2024/06/new-spicerat-sneakychef.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Angola",
        "Turkmenistan",
        "Poland",
        "Germany"
      ],
      "malware_families": [
        {
          "id": "SugarGh0st RAT",
          "display_name": "SugarGh0st RAT",
          "target": null
        },
        {
          "id": "PlugX",
          "display_name": "PlugX",
          "target": null
        },
        {
          "id": "SPIVY",
          "display_name": "SPIVY",
          "target": null
        },
        {
          "id": "SugarGh0st",
          "display_name": "SugarGh0st",
          "target": null
        },
        {
          "id": "generatedThe",
          "display_name": "generatedThe",
          "target": null
        },
        {
          "id": "TorNet",
          "display_name": "TorNet",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        }
      ],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Armature_TIP",
        "id": "308911",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5,
        "hostname": 24,
        "domain": 31,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 25
      },
      "indicator_count": 86,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 42,
      "modified_text": "435 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6677d81e103e5cc6ed445b44",
      "name": "Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia",
      "description": "",
      "modified": "2024-07-23T08:01:09.620000",
      "created": "2024-06-23T08:09:01.754000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "text_account",
        "id": "221593",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 41,
        "FileHash-SHA1": 41,
        "FileHash-SHA256": 863,
        "URL": 78,
        "domain": 30,
        "hostname": 24
      },
      "indicator_count": 1077,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 53,
      "modified_text": "679 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "wpseed.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "wpseed.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780441700.8489065
}