{
  "type": "Domain",
  "indicator": "xtibh.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/xtibh.com",
    "alexa": "http://www.alexa.com/siteinfo/xtibh.com",
    "indicator": "xtibh.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4075578113,
      "indicator": "xtibh.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "69a9e3f038f67d31461ec191",
          "name": "South American telecommunication providers targeted with three new malware implants",
          "description": "UAT-9244, a China-nexus advanced persistent threat actor, has been targeting critical telecommunications infrastructure in South America since 2024. The group employs three new malware implants: TernDoor, a Windows-based backdoor variant of CrowDoor; PeerTime, an ELF-based backdoor using BitTorrent protocol; and BruteEntry, a brute force scanner for SSH, Postgres, and Tomcat servers. UAT-9244 uses dynamic-link library side-loading, scheduled tasks, and registry modifications for persistence. The group is closely associated with FamousSparrow and Tropic Trooper, sharing similar tooling and tactics. Their infrastructure includes multiple command and control servers and operational relay boxes for scanning and brute-forcing activities.",
          "modified": "2026-04-04T20:21:48.976000",
          "created": "2026-03-05T20:13:36.305000",
          "tags": [
            "crowdoor",
            "telecommunications",
            "apt",
            "bittorrent",
            "china-nexus",
            "terndoor",
            "south america",
            "peertime",
            "bruteentry"
          ],
          "references": [
            "https://blog.talosintelligence.com/uat-9244/"
          ],
          "public": 1,
          "adversary": "UAT-9244",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TernDoor",
              "display_name": "TernDoor",
              "target": null
            },
            {
              "id": "PeerTime",
              "display_name": "PeerTime",
              "target": null
            },
            {
              "id": "BruteEntry",
              "display_name": "BruteEntry",
              "target": null
            },
            {
              "id": "CrowDoor",
              "display_name": "CrowDoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1021.004",
              "name": "SSH",
              "display_name": "T1021.004 - SSH"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573.002",
              "name": "Asymmetric Cryptography",
              "display_name": "T1573.002 - Asymmetric Cryptography"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            }
          ],
          "industries": [
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 12,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 44,
            "domain": 3
          },
          "indicator_count": 72,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386597,
          "modified_text": "57 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69aed6464de7a8689b02a06a",
          "name": "UAT-9244: Chinese APT Targeting South American Telecoms with TernDoor, PeerTime, BruteEntry",
          "description": "China-nexus threat actor UAT-9244 targeting South American telecommunications providers with three custom malware families. TernDoor (Windows backdoor via DLL side-loading), PeerTime/angrypeer (Linux P2P backdoor using BitTorrent C2), and BruteEntry (Golang brute-force scanner for ORB proxying). Overlaps with FamousSparrow and possibly Salt Typhoon. Active since at least November 2024. Source: Cisco Talos, March 2026.",
          "modified": "2026-04-08T14:08:10.067000",
          "created": "2026-03-09T14:16:38.709000",
          "tags": [
            "UAT-9244",
            "TernDoor",
            "PeerTime",
            "BruteEntry",
            "China",
            "APT",
            "telecom",
            "FamousSparrow",
            "Salt Typhoon",
            "DLL side-loading",
            "supply chain"
          ],
          "references": [
            "https://blog.talosintelligence.com/uat-9244/",
            "https://thehackernews.com/2026/03/china-linked-hackers-use-terndoor.html"
          ],
          "public": 1,
          "adversary": "UAT-9244",
          "targeted_countries": [
            "Brazil",
            "Argentina",
            "Chile",
            "Colombia",
            "Peru"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            }
          ],
          "industries": [
            "Telecommunications"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 3,
            "FileHash-SHA256": 42
          },
          "indicator_count": 45,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 197,
          "modified_text": "53 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ac69331b0d758dcad5860b",
          "name": "China-Nexus Hackers attack Telecommunication Providers with New Malware",
          "description": "A China-linked threat actor tracked as UAT-9244 has been actively targeting telecommunication providers, including Windows- and Linux-based endpoints and edge devices. Three new malware implants, named TernDoor, PeerTime and BruteEntry, were identified in this campaign.",
          "modified": "2026-04-06T18:11:12.907000",
          "created": "2026-03-07T18:06:43.210000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 35,
            "FileHash-SHA1": 35,
            "FileHash-SHA256": 43,
            "URL": 3,
            "domain": 3
          },
          "indicator_count": 119,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "55 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69acdc756cedee9863cd7615",
          "name": "South American telecommunication providers targeted with three new malware implants",
          "description": "",
          "modified": "2026-04-04T20:21:48.976000",
          "created": "2026-03-08T02:18:29.813000",
          "tags": [
            "crowdoor",
            "telecommunications",
            "apt",
            "bittorrent",
            "china-nexus",
            "terndoor",
            "south america",
            "peertime",
            "bruteentry"
          ],
          "references": [
            "https://blog.talosintelligence.com/uat-9244/"
          ],
          "public": 1,
          "adversary": "UAT-9244",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TernDoor",
              "display_name": "TernDoor",
              "target": null
            },
            {
              "id": "PeerTime",
              "display_name": "PeerTime",
              "target": null
            },
            {
              "id": "BruteEntry",
              "display_name": "BruteEntry",
              "target": null
            },
            {
              "id": "CrowDoor",
              "display_name": "CrowDoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1021.004",
              "name": "SSH",
              "display_name": "T1021.004 - SSH"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573.002",
              "name": "Asymmetric Cryptography",
              "display_name": "T1573.002 - Asymmetric Cryptography"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            }
          ],
          "industries": [
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "69a9e3f038f67d31461ec191",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 12,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 44,
            "domain": 3
          },
          "indicator_count": 72,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "57 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684a1371679552059c6f93a2",
          "name": "URLHaus data - 11-06-2025",
          "description": "",
          "modified": "2025-07-11T23:01:11.967000",
          "created": "2025-06-11T23:38:25.042000",
          "tags": [
            "botnetdomain",
            "censys",
            "elf",
            "mirai",
            "ua-wget",
            "sh",
            "gafgyt",
            "RemcosRAT",
            "AveMariaRAT",
            "xworm",
            "c2-monitor-auto",
            "dropped-by-amadey",
            "rev-base64-loader",
            "VIPKeylogger",
            "exe",
            "ftp",
            "geofenced",
            "GorillaBotnet",
            "GorillaStress",
            ".exe",
            "AsyncRAT",
            "connectwise",
            "rustystealer",
            "banker",
            "latam",
            "trojan",
            "bash",
            "wget",
            "ps1",
            "hta",
            "CobaltStrike",
            "lnk",
            "xml-opendir",
            "backdoor",
            "sshdkit",
            "hajime",
            "miner",
            "gz",
            "ua-curl",
            "macho",
            "CoinMiner",
            "SMB",
            "chmod",
            "Metasploit",
            "vbscript",
            "python",
            "yaml",
            "Smoke Loader",
            "Formbook",
            "DarkTortilla",
            "a310Logger",
            "Mozi"
          ],
          "references": [
            "https://urlhaus.abuse.ch/browse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 68,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 730,
            "hostname": 41,
            "domain": 11
          },
          "indicator_count": 782,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "324 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://blog.talosintelligence.com/uat-9244/",
        "https://thehackernews.com/2026/03/china-linked-hackers-use-terndoor.html",
        "https://urlhaus.abuse.ch/browse/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "UAT-9244"
          ],
          "malware_families": [
            "Bruteentry",
            "Peertime",
            "Crowdoor",
            "Terndoor"
          ],
          "industries": [
            "Telecommunications"
          ]
        },
        "other": {
          "adversary": [
            "UAT-9244"
          ],
          "malware_families": [
            "Bruteentry",
            "Peertime",
            "Crowdoor",
            "Terndoor"
          ],
          "industries": [
            "Telecommunications"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "69a9e3f038f67d31461ec191",
      "name": "South American telecommunication providers targeted with three new malware implants",
      "description": "UAT-9244, a China-nexus advanced persistent threat actor, has been targeting critical telecommunications infrastructure in South America since 2024. The group employs three new malware implants: TernDoor, a Windows-based backdoor variant of CrowDoor; PeerTime, an ELF-based backdoor using BitTorrent protocol; and BruteEntry, a brute force scanner for SSH, Postgres, and Tomcat servers. UAT-9244 uses dynamic-link library side-loading, scheduled tasks, and registry modifications for persistence. The group is closely associated with FamousSparrow and Tropic Trooper, sharing similar tooling and tactics. Their infrastructure includes multiple command and control servers and operational relay boxes for scanning and brute-forcing activities.",
      "modified": "2026-04-04T20:21:48.976000",
      "created": "2026-03-05T20:13:36.305000",
      "tags": [
        "crowdoor",
        "telecommunications",
        "apt",
        "bittorrent",
        "china-nexus",
        "terndoor",
        "south america",
        "peertime",
        "bruteentry"
      ],
      "references": [
        "https://blog.talosintelligence.com/uat-9244/"
      ],
      "public": 1,
      "adversary": "UAT-9244",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TernDoor",
          "display_name": "TernDoor",
          "target": null
        },
        {
          "id": "PeerTime",
          "display_name": "PeerTime",
          "target": null
        },
        {
          "id": "BruteEntry",
          "display_name": "BruteEntry",
          "target": null
        },
        {
          "id": "CrowDoor",
          "display_name": "CrowDoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1021.004",
          "name": "SSH",
          "display_name": "T1021.004 - SSH"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573.002",
          "name": "Asymmetric Cryptography",
          "display_name": "T1573.002 - Asymmetric Cryptography"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        }
      ],
      "industries": [
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 12,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 44,
        "domain": 3
      },
      "indicator_count": 72,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386597,
      "modified_text": "57 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69aed6464de7a8689b02a06a",
      "name": "UAT-9244: Chinese APT Targeting South American Telecoms with TernDoor, PeerTime, BruteEntry",
      "description": "China-nexus threat actor UAT-9244 targeting South American telecommunications providers with three custom malware families. TernDoor (Windows backdoor via DLL side-loading), PeerTime/angrypeer (Linux P2P backdoor using BitTorrent C2), and BruteEntry (Golang brute-force scanner for ORB proxying). Overlaps with FamousSparrow and possibly Salt Typhoon. Active since at least November 2024. Source: Cisco Talos, March 2026.",
      "modified": "2026-04-08T14:08:10.067000",
      "created": "2026-03-09T14:16:38.709000",
      "tags": [
        "UAT-9244",
        "TernDoor",
        "PeerTime",
        "BruteEntry",
        "China",
        "APT",
        "telecom",
        "FamousSparrow",
        "Salt Typhoon",
        "DLL side-loading",
        "supply chain"
      ],
      "references": [
        "https://blog.talosintelligence.com/uat-9244/",
        "https://thehackernews.com/2026/03/china-linked-hackers-use-terndoor.html"
      ],
      "public": 1,
      "adversary": "UAT-9244",
      "targeted_countries": [
        "Brazil",
        "Argentina",
        "Chile",
        "Colombia",
        "Peru"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        }
      ],
      "industries": [
        "Telecommunications"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "pduggusa",
        "id": "371400",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 3,
        "FileHash-SHA256": 42
      },
      "indicator_count": 45,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 197,
      "modified_text": "53 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ac69331b0d758dcad5860b",
      "name": "China-Nexus Hackers attack Telecommunication Providers with New Malware",
      "description": "A China-linked threat actor tracked as UAT-9244 has been actively targeting telecommunication providers, including Windows- and Linux-based endpoints and edge devices. Three new malware implants, named TernDoor, PeerTime and BruteEntry, were identified in this campaign.",
      "modified": "2026-04-06T18:11:12.907000",
      "created": "2026-03-07T18:06:43.210000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 35,
        "FileHash-SHA1": 35,
        "FileHash-SHA256": 43,
        "URL": 3,
        "domain": 3
      },
      "indicator_count": 119,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "55 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69acdc756cedee9863cd7615",
      "name": "South American telecommunication providers targeted with three new malware implants",
      "description": "",
      "modified": "2026-04-04T20:21:48.976000",
      "created": "2026-03-08T02:18:29.813000",
      "tags": [
        "crowdoor",
        "telecommunications",
        "apt",
        "bittorrent",
        "china-nexus",
        "terndoor",
        "south america",
        "peertime",
        "bruteentry"
      ],
      "references": [
        "https://blog.talosintelligence.com/uat-9244/"
      ],
      "public": 1,
      "adversary": "UAT-9244",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TernDoor",
          "display_name": "TernDoor",
          "target": null
        },
        {
          "id": "PeerTime",
          "display_name": "PeerTime",
          "target": null
        },
        {
          "id": "BruteEntry",
          "display_name": "BruteEntry",
          "target": null
        },
        {
          "id": "CrowDoor",
          "display_name": "CrowDoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1021.004",
          "name": "SSH",
          "display_name": "T1021.004 - SSH"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573.002",
          "name": "Asymmetric Cryptography",
          "display_name": "T1573.002 - Asymmetric Cryptography"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        }
      ],
      "industries": [
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "69a9e3f038f67d31461ec191",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 12,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 44,
        "domain": 3
      },
      "indicator_count": 72,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "57 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "684a1371679552059c6f93a2",
      "name": "URLHaus data - 11-06-2025",
      "description": "",
      "modified": "2025-07-11T23:01:11.967000",
      "created": "2025-06-11T23:38:25.042000",
      "tags": [
        "botnetdomain",
        "censys",
        "elf",
        "mirai",
        "ua-wget",
        "sh",
        "gafgyt",
        "RemcosRAT",
        "AveMariaRAT",
        "xworm",
        "c2-monitor-auto",
        "dropped-by-amadey",
        "rev-base64-loader",
        "VIPKeylogger",
        "exe",
        "ftp",
        "geofenced",
        "GorillaBotnet",
        "GorillaStress",
        ".exe",
        "AsyncRAT",
        "connectwise",
        "rustystealer",
        "banker",
        "latam",
        "trojan",
        "bash",
        "wget",
        "ps1",
        "hta",
        "CobaltStrike",
        "lnk",
        "xml-opendir",
        "backdoor",
        "sshdkit",
        "hajime",
        "miner",
        "gz",
        "ua-curl",
        "macho",
        "CoinMiner",
        "SMB",
        "chmod",
        "Metasploit",
        "vbscript",
        "python",
        "yaml",
        "Smoke Loader",
        "Formbook",
        "DarkTortilla",
        "a310Logger",
        "Mozi"
      ],
      "references": [
        "https://urlhaus.abuse.ch/browse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 68,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 730,
        "hostname": 41,
        "domain": 11
      },
      "indicator_count": 782,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "324 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "xtibh.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "xtibh.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 8,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "http://xtibh.com/2/amd64_1",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-06-11",
        "tags": [
          "bash",
          "elf",
          "mirai",
          "sh",
          "ua-wget"
        ]
      },
      {
        "url": "http://xtibh.com/2/ppc64le_1",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-06-11",
        "tags": [
          "bash",
          "elf",
          "mirai",
          "sh",
          "ua-wget"
        ]
      },
      {
        "url": "http://xtibh.com/2/ppc64_1",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-06-11",
        "tags": [
          "bash",
          "elf",
          "mirai",
          "sh",
          "ua-wget"
        ]
      },
      {
        "url": "http://xtibh.com/2/i686_1",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-06-11",
        "tags": [
          "bash",
          "elf",
          "mirai",
          "sh",
          "ua-wget"
        ]
      },
      {
        "url": "http://xtibh.com/2/mipsel_1",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-06-11",
        "tags": [
          "bash",
          "elf",
          "mirai",
          "sh",
          "ua-wget"
        ]
      },
      {
        "url": "http://xtibh.com/2/arm926t_1",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-06-11",
        "tags": [
          "bash",
          "elf",
          "mirai",
          "sh",
          "ua-wget"
        ]
      },
      {
        "url": "http://xtibh.com/2/mips_1",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-06-11",
        "tags": [
          "bash",
          "elf",
          "mirai",
          "sh",
          "ua-wget"
        ]
      },
      {
        "url": "http://xtibh.com/2/aarch64_1",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-06-11",
        "tags": [
          "bash",
          "elf",
          "mirai",
          "sh",
          "ua-wget"
        ]
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780278057.0452173
}