{
  "type": "Domain",
  "indicator": "writeup.live",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/writeup.live",
    "alexa": "http://www.alexa.com/siteinfo/writeup.live",
    "indicator": "writeup.live",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4081729589,
      "indicator": "writeup.live",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 14,
      "pulses": [
        {
          "id": "69003b85c217870cc5794cc6",
          "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs",
          "description": "BlueNoroff, a financially motivated threat actor, has been conducting two sophisticated campaigns dubbed GhostCall and GhostHire. GhostCall targets macOS devices of tech executives and venture capitalists through fake Zoom-like meetings, while GhostHire targets Web3 developers through fake recruitment processes. Both campaigns utilize various malware chains, including ZoomClutch, DownTroy, CosmicDoor, RooTroy, and SilentSiphon. The attacks involve social engineering, AI-enhanced images, and multi-stage malware deployment across Windows, macOS, and Linux systems. BlueNoroff has expanded its focus beyond cryptocurrency theft to comprehensive data acquisition, enabling supply chain attacks and leveraging established trust relationships for broader impact.",
          "modified": "2025-10-28T09:30:13.914000",
          "created": "2025-10-28T03:41:57.869000",
          "tags": [
            "zoomclutch",
            "rootroy",
            "sysphon",
            "silentsiphon",
            "sneakmain",
            "cosmicdoor",
            "cryptocurrency"
          ],
          "references": [
            "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842"
          ],
          "public": 1,
          "adversary": "Lazarus Group",
          "targeted_countries": [
            "Australia",
            "British Indian Ocean Territory",
            "France",
            "Hong Kong",
            "India",
            "Italy",
            "Japan",
            "Singapore",
            "Spain",
            "Sweden"
          ],
          "malware_families": [
            {
              "id": "ZoomClutch",
              "display_name": "ZoomClutch",
              "target": null
            },
            {
              "id": "TeamsClutch",
              "display_name": "TeamsClutch",
              "target": null
            },
            {
              "id": "DownTroy",
              "display_name": "DownTroy",
              "target": null
            },
            {
              "id": "CosmicDoor",
              "display_name": "CosmicDoor",
              "target": null
            },
            {
              "id": "RooTroy",
              "display_name": "RooTroy",
              "target": null
            },
            {
              "id": "RealTimeTroy",
              "display_name": "RealTimeTroy",
              "target": null
            },
            {
              "id": "SneakMain",
              "display_name": "SneakMain",
              "target": null
            },
            {
              "id": "SysPhon",
              "display_name": "SysPhon",
              "target": null
            },
            {
              "id": "SilentSiphon",
              "display_name": "SilentSiphon",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1218.011",
              "name": "Rundll32",
              "display_name": "T1218.011 - Rundll32"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1074.001",
              "name": "Local Data Staging",
              "display_name": "T1074.001 - Local Data Staging"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1559.001",
              "name": "Component Object Model",
              "display_name": "T1559.001 - Component Object Model"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Technology",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 48,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 57,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 21,
            "URL": 28,
            "domain": 21,
            "hostname": 20
          },
          "indicator_count": 160,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386778,
          "modified_text": "216 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6867a14ec736faf23ba172a2",
          "name": "macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware",
          "description": "DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs unusual techniques for macOS, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism leveraging signal handlers and deploys AppleScripts as beacons and backdoors. The attack chain begins with social engineering via Telegram, leading to the execution of malicious scripts and binaries. The malware exfiltrates browser data, Keychain credentials, and Telegram user information. The use of Nim introduces new levels of complexity for analysts, blending complex behavior into binaries with less obvious control flow.",
          "modified": "2025-07-04T09:51:27.428000",
          "created": "2025-07-04T09:39:26.774000",
          "tags": [
            "process injection",
            "macos",
            "nimdoor",
            "websocket",
            "applescript",
            "web3",
            "cryptocurrency"
          ],
          "references": [
            "https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware"
          ],
          "public": 1,
          "adversary": "DPRK",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NimDoor",
              "display_name": "NimDoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1555.001",
              "name": "Keychain",
              "display_name": "T1555.001 - Keychain"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027.001",
              "name": "Binary Padding",
              "display_name": "T1027.001 - Binary Padding"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1543.001",
              "name": "Launch Agent",
              "display_name": "T1543.001 - Launch Agent"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            }
          ],
          "industries": [
            "Technology",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 54,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 22,
            "FileHash-SHA256": 1,
            "domain": 4,
            "hostname": 4
          },
          "indicator_count": 32,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386775,
          "modified_text": "332 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691473b72eee91d1a6b22b4f",
          "name": "BlueNoroff Group cryptoaffair: \"ghost\" investments and bogus job offers",
          "description": "The BlueNoroff Group, known by various aliases including APT38 and TA444, has been actively targeting blockchain developers and Web3 executives through its operational campaigns, notably SnatchCrypto. A significant part of this operation involves the GhostCall and GhostHire campaigns, which exploit social engineering tactics. The GhostCall campaign, operational since mid-2023, employs deceptive video conferencing to recruit victims. Attackers masquerade as venture capitalists via platforms like Telegram, using compromised accounts of legitimate entrepreneurs. They initiate contact with potential targets and arrange meetings through spoofed Zoom links or direct messages, utilizing disguised phishing URLs. The attackers leverage multi-stage execution chains; the infection typically begins with the DownTroy malware, which downloads various self-contained executables, including keyloggers and data stealers like CosmicDoor and RooTroy.",
          "modified": "2025-12-12T11:04:05.038000",
          "created": "2025-11-12T11:47:02.981000",
          "tags": [
            "apple macos",
            "apt",
            "bluenoroff",
            "chatgpt",
            "github",
            "linux",
            "microsoft windows",
            "telegram",
            "windows",
            "applescript",
            "zoom",
            "cosmicdoor",
            "downtroy",
            "rootroy",
            "gillyinjector",
            "base64",
            "macos",
            "rust",
            "python",
            "swift",
            "powershell",
            "path",
            "macho",
            "sapphire",
            "downexec",
            "exodus",
            "target",
            "agent",
            "installer",
            "ditto",
            "effect",
            "install",
            "premium",
            "zero",
            "konni",
            "themida",
            "lsass",
            "exodus web3",
            "lazarus",
            "huntress",
            "nim",
            "c https",
            "googie llc",
            "teamsclutch",
            "microsoft teams",
            "downtroy v1",
            "safariupdate"
          ],
          "references": [
            "https://securelist.ru/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/113883/"
          ],
          "public": 1,
          "adversary": "BlueNoroff",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 28,
            "FileHash-MD5": 57,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 33,
            "domain": 22,
            "hostname": 23
          },
          "indicator_count": 188,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 543,
          "modified_text": "171 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69032eeb91df61e525fe5741",
          "name": "EbeeOct2025 Pt4",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2025-11-29T09:05:33.273000",
          "created": "2025-10-30T09:24:59.370000",
          "tags": [],
          "references": [
            "OCT.pdf"
          ],
          "public": 1,
          "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 98,
            "FileHash-MD5": 166,
            "FileHash-SHA1": 122,
            "FileHash-SHA256": 190,
            "CVE": 9,
            "domain": 118,
            "email": 3,
            "hostname": 73
          },
          "indicator_count": 779,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "184 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69099ae3319099e17ce0969f",
          "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs",
          "description": "",
          "modified": "2025-11-04T06:19:15.728000",
          "created": "2025-11-04T06:19:15.728000",
          "tags": [
            "googie llc",
            "cosmicdoor",
            "rust",
            "applescript",
            "teamsclutch",
            "microsoft teams",
            "downtroy v1",
            "safariupdate",
            "python",
            "rootroy chain"
          ],
          "references": [
            "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6901bda4549c558a81dc00a5",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 56,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 25,
            "URL": 25,
            "domain": 21,
            "hostname": 18
          },
          "indicator_count": 170,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "209 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6902e567c252949d8c75e8c1",
          "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs",
          "description": "",
          "modified": "2025-10-30T04:11:19.757000",
          "created": "2025-10-30T04:11:19.757000",
          "tags": [
            "zoomclutch",
            "rootroy",
            "sysphon",
            "silentsiphon",
            "sneakmain",
            "cosmicdoor",
            "cryptocurrency"
          ],
          "references": [
            "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842"
          ],
          "public": 1,
          "adversary": "BlueNoroff",
          "targeted_countries": [
            "Australia",
            "British Indian Ocean Territory",
            "France",
            "Hong Kong",
            "India",
            "Italy",
            "Japan",
            "Singapore",
            "Spain",
            "Sweden"
          ],
          "malware_families": [
            {
              "id": "ZoomClutch",
              "display_name": "ZoomClutch",
              "target": null
            },
            {
              "id": "TeamsClutch",
              "display_name": "TeamsClutch",
              "target": null
            },
            {
              "id": "DownTroy",
              "display_name": "DownTroy",
              "target": null
            },
            {
              "id": "CosmicDoor",
              "display_name": "CosmicDoor",
              "target": null
            },
            {
              "id": "RooTroy",
              "display_name": "RooTroy",
              "target": null
            },
            {
              "id": "RealTimeTroy",
              "display_name": "RealTimeTroy",
              "target": null
            },
            {
              "id": "SneakMain",
              "display_name": "SneakMain",
              "target": null
            },
            {
              "id": "SysPhon",
              "display_name": "SysPhon",
              "target": null
            },
            {
              "id": "SilentSiphon",
              "display_name": "SilentSiphon",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1218.011",
              "name": "Rundll32",
              "display_name": "T1218.011 - Rundll32"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1074.001",
              "name": "Local Data Staging",
              "display_name": "T1074.001 - Local Data Staging"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1559.001",
              "name": "Component Object Model",
              "display_name": "T1559.001 - Component Object Model"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Technology",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": "69003b85c217870cc5794cc6",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 57,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 21,
            "URL": 28,
            "domain": 21,
            "hostname": 20
          },
          "indicator_count": 160,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "214 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6901bda4549c558a81dc00a5",
          "name": "IOC - Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs",
          "description": "Primarily focused on financial gain since its appearance, BlueNoroff (aka. Sapphire Sleet, APT38, Alluring Pisces, Stardust Chollima, and TA444) has adopted new infiltration strategies and malware sets over time, but it still targets blockchain developers, C-level executives, and managers within the Web3/blockchain industry as part of its SnatchCrypto operation. Earlier this year, we conducted research into two malicious campaigns by BlueNoroff under the SnatchCrypto operation, which we dubbed GhostCall and GhostHire.",
          "modified": "2025-10-29T07:09:24.634000",
          "created": "2025-10-29T07:09:24.634000",
          "tags": [
            "googie llc",
            "cosmicdoor",
            "rust",
            "applescript",
            "teamsclutch",
            "microsoft teams",
            "downtroy v1",
            "safariupdate",
            "python",
            "rootroy chain"
          ],
          "references": [
            "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 56,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 25,
            "URL": 25,
            "domain": 21,
            "hostname": 18
          },
          "indicator_count": 170,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "215 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69010d8cbf528688e76b28a6",
          "name": "BlueNoroff Targets High Value Victims with New infiltration Methods",
          "description": "MSTeamsUpdate.sh, Safari update, and other updates are all part of the BBC's Newsround programme, which is broadcast live on BBC One from Monday, 2:00 BST.",
          "modified": "2025-10-28T18:39:19.476000",
          "created": "2025-10-28T18:38:04.399000",
          "tags": [
            "googie llc",
            "cosmicdoor",
            "rust",
            "applescript",
            "teamsclutch",
            "microsoft teams",
            "downtroy v1",
            "safariupdate",
            "python",
            "rootroy chain"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 56,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 25,
            "URL": 25,
            "domain": 21,
            "hostname": 18
          },
          "indicator_count": 170,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "216 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "688990fa0d8382bd5f02d806",
          "name": "EbeeJuly2025 Pt1",
          "description": "IOCs of multiple threats observed and collected in July 2025",
          "modified": "2025-08-29T03:04:16.203000",
          "created": "2025-07-30T03:26:50.115000",
          "tags": [],
          "references": [
            "Julypt1.pdf"
          ],
          "public": 1,
          "adversary": "Multiple",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 39,
            "FileHash-MD5": 131,
            "FileHash-SHA1": 144,
            "FileHash-SHA256": 232,
            "CIDR": 1,
            "CVE": 3,
            "domain": 150,
            "email": 9,
            "hostname": 37
          },
          "indicator_count": 746,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "276 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6891b35f032f4967edf62598",
          "name": "macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware",
          "description": "North Korean hackers are targeting Web3 and cryptocurrency businesses with new macOS malware written in the Nim programming language. The malware, tracked as NimDoor, employs advanced evasion techniques, including process injection and encrypted WebSocket (wss) communications\u2014an uncommon approach for macOS threats.",
          "modified": "2025-08-05T07:31:41.811000",
          "created": "2025-08-05T07:31:41.811000",
          "tags": [
            "applescript",
            "launchagent",
            "googie llc",
            "x8664",
            "corekitagent",
            "april",
            "huntress",
            "json structure",
            "case",
            "sigint",
            "telegram",
            "macho",
            "terminal",
            "crypto",
            "rust",
            "crystal"
          ],
          "references": [
            "https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 14,
            "FileHash-SHA1": 22,
            "FileHash-SHA256": 14,
            "domain": 4,
            "hostname": 1
          },
          "indicator_count": 55,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "300 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "686a35c4bb3aad6ac67d910e",
          "name": "North Korean Hackers Deploy Nim-Based Malware in Web3 Attacks",
          "description": "North Korean hackers are targeting Web3 and cryptocurrency businesses with new macOS malware written in the Nim programming language. The malware, tracked as NimDoor, employs advanced evasion techniques, including process injection and encrypted WebSocket (wss) communications\u2014an uncommon approach for macOS threats.",
          "modified": "2025-07-06T08:48:19.437000",
          "created": "2025-07-06T08:37:24.373000",
          "tags": [
            "applescript",
            "launchagent",
            "googie llc",
            "x8664",
            "corekitagent",
            "april",
            "huntress",
            "json structure",
            "case",
            "sigint",
            "telegram",
            "macho",
            "terminal",
            "crypto",
            "rust",
            "crystal"
          ],
          "references": [
            "https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 22,
            "FileHash-SHA256": 1,
            "URL": 1,
            "domain": 4,
            "hostname": 4
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 213,
          "modified_text": "330 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6867216859f68d8f7c07d2d0",
          "name": "NimDoor - Advanced macOS Malware Targeting Web3 and Cryptocurrency  Ecosystems",
          "description": "",
          "modified": "2025-07-04T00:33:44.802000",
          "created": "2025-07-04T00:33:44.802000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "hostname": 1,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 1
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "333 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6866933e5f70eacb6aba102a",
          "name": "Cyber Threat Advisory",
          "description": "NimDoor: DPRK's Nim-Based Malware Campaign Targets Web3 & Crypto",
          "modified": "2025-07-03T14:27:10.551000",
          "created": "2025-07-03T14:27:10.551000",
          "tags": [],
          "references": [
            "Cyber Threat Advisory - NimDoor DPRK's Nim-Based Malware Campaign Targets Web3 & Crypto.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ESFBSOCTCR",
            "id": "200541",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 1,
            "domain": 4,
            "hostname": 2
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 85,
          "modified_text": "333 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "686514c5545ac4beceeee6ff",
          "name": "macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware | SentinelOne",
          "description": "",
          "modified": "2025-07-02T11:15:17.732000",
          "created": "2025-07-02T11:15:17.732000",
          "tags": [
            "applescript",
            "launchagent",
            "googie llc",
            "x8664",
            "corekitagent",
            "april",
            "huntress",
            "json structure",
            "case",
            "sigint",
            "telegram",
            "macho",
            "terminal",
            "crypto",
            "rust",
            "crystal"
          ],
          "references": [
            "https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 22,
            "FileHash-SHA256": 1,
            "URL": 1,
            "domain": 4,
            "hostname": 4
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "334 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Cyber Threat Advisory - NimDoor DPRK's Nim-Based Malware Campaign Targets Web3 & Crypto.pdf",
        "Julypt1.pdf",
        "OCT.pdf",
        "https://securelist.ru/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/113883/",
        "https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware",
        "https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/",
        "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/",
        "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Lazarus Group",
            "DPRK"
          ],
          "malware_families": [
            "Cosmicdoor",
            "Zoomclutch",
            "Rootroy",
            "Nimdoor",
            "Sneakmain",
            "Sysphon",
            "Silentsiphon",
            "Teamsclutch",
            "Downtroy",
            "Realtimetroy"
          ],
          "industries": [
            "Finance",
            "Technology"
          ]
        },
        "other": {
          "adversary": [
            "BlueNoroff",
            "Multiple",
            "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S"
          ],
          "malware_families": [
            "Cosmicdoor",
            "Zoomclutch",
            "Rootroy",
            "Sneakmain",
            "Sysphon",
            "Silentsiphon",
            "Teamsclutch",
            "Downtroy",
            "Realtimetroy"
          ],
          "industries": [
            "Finance",
            "Technology"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 14,
  "pulses": [
    {
      "id": "69003b85c217870cc5794cc6",
      "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs",
      "description": "BlueNoroff, a financially motivated threat actor, has been conducting two sophisticated campaigns dubbed GhostCall and GhostHire. GhostCall targets macOS devices of tech executives and venture capitalists through fake Zoom-like meetings, while GhostHire targets Web3 developers through fake recruitment processes. Both campaigns utilize various malware chains, including ZoomClutch, DownTroy, CosmicDoor, RooTroy, and SilentSiphon. The attacks involve social engineering, AI-enhanced images, and multi-stage malware deployment across Windows, macOS, and Linux systems. BlueNoroff has expanded its focus beyond cryptocurrency theft to comprehensive data acquisition, enabling supply chain attacks and leveraging established trust relationships for broader impact.",
      "modified": "2025-10-28T09:30:13.914000",
      "created": "2025-10-28T03:41:57.869000",
      "tags": [
        "zoomclutch",
        "rootroy",
        "sysphon",
        "silentsiphon",
        "sneakmain",
        "cosmicdoor",
        "cryptocurrency"
      ],
      "references": [
        "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842"
      ],
      "public": 1,
      "adversary": "Lazarus Group",
      "targeted_countries": [
        "Australia",
        "British Indian Ocean Territory",
        "France",
        "Hong Kong",
        "India",
        "Italy",
        "Japan",
        "Singapore",
        "Spain",
        "Sweden"
      ],
      "malware_families": [
        {
          "id": "ZoomClutch",
          "display_name": "ZoomClutch",
          "target": null
        },
        {
          "id": "TeamsClutch",
          "display_name": "TeamsClutch",
          "target": null
        },
        {
          "id": "DownTroy",
          "display_name": "DownTroy",
          "target": null
        },
        {
          "id": "CosmicDoor",
          "display_name": "CosmicDoor",
          "target": null
        },
        {
          "id": "RooTroy",
          "display_name": "RooTroy",
          "target": null
        },
        {
          "id": "RealTimeTroy",
          "display_name": "RealTimeTroy",
          "target": null
        },
        {
          "id": "SneakMain",
          "display_name": "SneakMain",
          "target": null
        },
        {
          "id": "SysPhon",
          "display_name": "SysPhon",
          "target": null
        },
        {
          "id": "SilentSiphon",
          "display_name": "SilentSiphon",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1218.011",
          "name": "Rundll32",
          "display_name": "T1218.011 - Rundll32"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1074.001",
          "name": "Local Data Staging",
          "display_name": "T1074.001 - Local Data Staging"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1559.001",
          "name": "Component Object Model",
          "display_name": "T1559.001 - Component Object Model"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Technology",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 48,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 57,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 21,
        "URL": 28,
        "domain": 21,
        "hostname": 20
      },
      "indicator_count": 160,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386778,
      "modified_text": "216 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6867a14ec736faf23ba172a2",
      "name": "macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware",
      "description": "DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs unusual techniques for macOS, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism leveraging signal handlers and deploys AppleScripts as beacons and backdoors. The attack chain begins with social engineering via Telegram, leading to the execution of malicious scripts and binaries. The malware exfiltrates browser data, Keychain credentials, and Telegram user information. The use of Nim introduces new levels of complexity for analysts, blending complex behavior into binaries with less obvious control flow.",
      "modified": "2025-07-04T09:51:27.428000",
      "created": "2025-07-04T09:39:26.774000",
      "tags": [
        "process injection",
        "macos",
        "nimdoor",
        "websocket",
        "applescript",
        "web3",
        "cryptocurrency"
      ],
      "references": [
        "https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware"
      ],
      "public": 1,
      "adversary": "DPRK",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "NimDoor",
          "display_name": "NimDoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1555.001",
          "name": "Keychain",
          "display_name": "T1555.001 - Keychain"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059.002",
          "name": "AppleScript",
          "display_name": "T1059.002 - AppleScript"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1027.001",
          "name": "Binary Padding",
          "display_name": "T1027.001 - Binary Padding"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1543.001",
          "name": "Launch Agent",
          "display_name": "T1543.001 - Launch Agent"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        }
      ],
      "industries": [
        "Technology",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 54,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 22,
        "FileHash-SHA256": 1,
        "domain": 4,
        "hostname": 4
      },
      "indicator_count": 32,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386775,
      "modified_text": "332 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691473b72eee91d1a6b22b4f",
      "name": "BlueNoroff Group cryptoaffair: \"ghost\" investments and bogus job offers",
      "description": "The BlueNoroff Group, known by various aliases including APT38 and TA444, has been actively targeting blockchain developers and Web3 executives through its operational campaigns, notably SnatchCrypto. A significant part of this operation involves the GhostCall and GhostHire campaigns, which exploit social engineering tactics. The GhostCall campaign, operational since mid-2023, employs deceptive video conferencing to recruit victims. Attackers masquerade as venture capitalists via platforms like Telegram, using compromised accounts of legitimate entrepreneurs. They initiate contact with potential targets and arrange meetings through spoofed Zoom links or direct messages, utilizing disguised phishing URLs. The attackers leverage multi-stage execution chains; the infection typically begins with the DownTroy malware, which downloads various self-contained executables, including keyloggers and data stealers like CosmicDoor and RooTroy.",
      "modified": "2025-12-12T11:04:05.038000",
      "created": "2025-11-12T11:47:02.981000",
      "tags": [
        "apple macos",
        "apt",
        "bluenoroff",
        "chatgpt",
        "github",
        "linux",
        "microsoft windows",
        "telegram",
        "windows",
        "applescript",
        "zoom",
        "cosmicdoor",
        "downtroy",
        "rootroy",
        "gillyinjector",
        "base64",
        "macos",
        "rust",
        "python",
        "swift",
        "powershell",
        "path",
        "macho",
        "sapphire",
        "downexec",
        "exodus",
        "target",
        "agent",
        "installer",
        "ditto",
        "effect",
        "install",
        "premium",
        "zero",
        "konni",
        "themida",
        "lsass",
        "exodus web3",
        "lazarus",
        "huntress",
        "nim",
        "c https",
        "googie llc",
        "teamsclutch",
        "microsoft teams",
        "downtroy v1",
        "safariupdate"
      ],
      "references": [
        "https://securelist.ru/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/113883/"
      ],
      "public": 1,
      "adversary": "BlueNoroff",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 28,
        "FileHash-MD5": 57,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 33,
        "domain": 22,
        "hostname": 23
      },
      "indicator_count": 188,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 543,
      "modified_text": "171 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69032eeb91df61e525fe5741",
      "name": "EbeeOct2025 Pt4",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2025-11-29T09:05:33.273000",
      "created": "2025-10-30T09:24:59.370000",
      "tags": [],
      "references": [
        "OCT.pdf"
      ],
      "public": 1,
      "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 98,
        "FileHash-MD5": 166,
        "FileHash-SHA1": 122,
        "FileHash-SHA256": 190,
        "CVE": 9,
        "domain": 118,
        "email": 3,
        "hostname": 73
      },
      "indicator_count": 779,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "184 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69099ae3319099e17ce0969f",
      "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs",
      "description": "",
      "modified": "2025-11-04T06:19:15.728000",
      "created": "2025-11-04T06:19:15.728000",
      "tags": [
        "googie llc",
        "cosmicdoor",
        "rust",
        "applescript",
        "teamsclutch",
        "microsoft teams",
        "downtroy v1",
        "safariupdate",
        "python",
        "rootroy chain"
      ],
      "references": [
        "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6901bda4549c558a81dc00a5",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 56,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 25,
        "URL": 25,
        "domain": 21,
        "hostname": 18
      },
      "indicator_count": 170,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "209 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6902e567c252949d8c75e8c1",
      "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs",
      "description": "",
      "modified": "2025-10-30T04:11:19.757000",
      "created": "2025-10-30T04:11:19.757000",
      "tags": [
        "zoomclutch",
        "rootroy",
        "sysphon",
        "silentsiphon",
        "sneakmain",
        "cosmicdoor",
        "cryptocurrency"
      ],
      "references": [
        "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842"
      ],
      "public": 1,
      "adversary": "BlueNoroff",
      "targeted_countries": [
        "Australia",
        "British Indian Ocean Territory",
        "France",
        "Hong Kong",
        "India",
        "Italy",
        "Japan",
        "Singapore",
        "Spain",
        "Sweden"
      ],
      "malware_families": [
        {
          "id": "ZoomClutch",
          "display_name": "ZoomClutch",
          "target": null
        },
        {
          "id": "TeamsClutch",
          "display_name": "TeamsClutch",
          "target": null
        },
        {
          "id": "DownTroy",
          "display_name": "DownTroy",
          "target": null
        },
        {
          "id": "CosmicDoor",
          "display_name": "CosmicDoor",
          "target": null
        },
        {
          "id": "RooTroy",
          "display_name": "RooTroy",
          "target": null
        },
        {
          "id": "RealTimeTroy",
          "display_name": "RealTimeTroy",
          "target": null
        },
        {
          "id": "SneakMain",
          "display_name": "SneakMain",
          "target": null
        },
        {
          "id": "SysPhon",
          "display_name": "SysPhon",
          "target": null
        },
        {
          "id": "SilentSiphon",
          "display_name": "SilentSiphon",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1218.011",
          "name": "Rundll32",
          "display_name": "T1218.011 - Rundll32"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1074.001",
          "name": "Local Data Staging",
          "display_name": "T1074.001 - Local Data Staging"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1559.001",
          "name": "Component Object Model",
          "display_name": "T1559.001 - Component Object Model"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Technology",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": "69003b85c217870cc5794cc6",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 57,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 21,
        "URL": 28,
        "domain": 21,
        "hostname": 20
      },
      "indicator_count": 160,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "214 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6901bda4549c558a81dc00a5",
      "name": "IOC - Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs",
      "description": "Primarily focused on financial gain since its appearance, BlueNoroff (aka. Sapphire Sleet, APT38, Alluring Pisces, Stardust Chollima, and TA444) has adopted new infiltration strategies and malware sets over time, but it still targets blockchain developers, C-level executives, and managers within the Web3/blockchain industry as part of its SnatchCrypto operation. Earlier this year, we conducted research into two malicious campaigns by BlueNoroff under the SnatchCrypto operation, which we dubbed GhostCall and GhostHire.",
      "modified": "2025-10-29T07:09:24.634000",
      "created": "2025-10-29T07:09:24.634000",
      "tags": [
        "googie llc",
        "cosmicdoor",
        "rust",
        "applescript",
        "teamsclutch",
        "microsoft teams",
        "downtroy v1",
        "safariupdate",
        "python",
        "rootroy chain"
      ],
      "references": [
        "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 56,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 25,
        "URL": 25,
        "domain": 21,
        "hostname": 18
      },
      "indicator_count": 170,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "215 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69010d8cbf528688e76b28a6",
      "name": "BlueNoroff Targets High Value Victims with New infiltration Methods",
      "description": "IOCs for BlueNoroff's update-themed infiltration lures (MSTeamsUpdate.sh, a fake Safari update and similar), associated with the TeamsClutch, DownTroy v1, CosmicDoor and RooTroy chains named in the tags. The original description text was unrelated auto-generated filler and has been replaced; the sibling pulses on this indicator cite the Securelist GhostCall/GhostHire report for the full analysis.",
      "modified": "2025-10-28T18:39:19.476000",
      "created": "2025-10-28T18:38:04.399000",
      "tags": [
        "googie llc",
        "cosmicdoor",
        "rust",
        "applescript",
        "teamsclutch",
        "microsoft teams",
        "downtroy v1",
        "safariupdate",
        "python",
        "rootroy chain"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 56,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 25,
        "URL": 25,
        "domain": 21,
        "hostname": 18
      },
      "indicator_count": 170,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "216 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "688990fa0d8382bd5f02d806",
      "name": "EbeeJuly2025 Pt1",
      "description": "IOCs of multiple threats observed and collected in July 2025",
      "modified": "2025-08-29T03:04:16.203000",
      "created": "2025-07-30T03:26:50.115000",
      "tags": [],
      "references": [
        "Julypt1.pdf"
      ],
      "public": 1,
      "adversary": "Multiple",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 39,
        "FileHash-MD5": 131,
        "FileHash-SHA1": 144,
        "FileHash-SHA256": 232,
        "CIDR": 1,
        "CVE": 3,
        "domain": 150,
        "email": 9,
        "hostname": 37
      },
      "indicator_count": 746,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "276 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6891b35f032f4967edf62598",
      "name": "macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware",
      "description": "North Korean hackers are targeting Web3 and cryptocurrency businesses with new macOS malware written in the Nim programming language. The malware, tracked as NimDoor, employs advanced evasion techniques, including process injection and encrypted WebSocket (wss) communications\u2014an uncommon approach for macOS threats.",
      "modified": "2025-08-05T07:31:41.811000",
      "created": "2025-08-05T07:31:41.811000",
      "tags": [
        "applescript",
        "launchagent",
        "googie llc",
        "x8664",
        "corekitagent",
        "april",
        "huntress",
        "json structure",
        "case",
        "sigint",
        "telegram",
        "macho",
        "terminal",
        "crypto",
        "rust",
        "crystal"
      ],
      "references": [
        "https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 14,
        "FileHash-SHA1": 22,
        "FileHash-SHA256": 14,
        "domain": 4,
        "hostname": 1
      },
      "indicator_count": 55,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "300 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly. No VirusTotal verdict is available in this cached result, so the absence of a VT detection must not be read as a clean verdict; the pulse associations above remain the primary signal for this indicator.",
    "indicator": "writeup.live",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "writeup.live",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780360447.8747296
}