{ "type": "Domain", "indicator": "yourboxspring.nl", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/yourboxspring.nl", "alexa": "http://www.alexa.com/siteinfo/yourboxspring.nl", "indicator": "yourboxspring.nl", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4146268303, "indicator": "yourboxspring.nl", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "690cadc6a4a3c3370cc2e697", "name": "Gootloader Returns: What Goodies Did They Bring?", "description": "Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Used by threat actor Storm-0494, it grants access to Vanilla Tempest, which delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses custom WOFF2 fonts with glyph substitution to obfuscate filenames and exploits WordPress comment endpoints for payload delivery. It has shifted to Startup folder persistence and employs extensive obfuscation techniques. Reconnaissance begins quickly after infection, followed by predictable attack patterns including AD enumeration, lateral movement, and potential ransomware preparation. The loader's delivery method and obfuscation techniques have evolved, making it more challenging to detect and analyze.", "modified": "2025-12-06T14:01:00.062000", "created": "2025-11-06T14:16:38.980000", "tags": [ "vanilla tempest", "lateral movement", "noberus", "ransomware", "obfuscation", "gootloader", "quantum locker", "seo poisoning", "rhysida", "wordpress exploitation", "zeppelin", "javascript", "blackcat", "alphv", "supper socks5 backdoor" ], "references": [ "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation" ], "public": 1, "adversary": "Storm-0494", "targeted_countries": [], "malware_families": [ { "id": "Gootloader - S1138", "display_name": "Gootloader - S1138", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "BlackCat - S1068", "display_name": "BlackCat - S1068", "target": null }, { "id": "ALPHV", "display_name": "ALPHV", "target": null }, { "id": "Noberus", "display_name": "Noberus", "target": null }, { "id": "Zeppelin", "display_name": "Zeppelin", "target": null }, { "id": "Quantum Locker", "display_name": "Quantum Locker", "target": null }, { "id": "Supper SOCKS5 Backdoor", "display_name": "Supper SOCKS5 Backdoor", "target": null } ], "attack_ids": [ { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 66, "FileHash-SHA256": 9, "domain": 41, "hostname": 13 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 386947, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69660e4e2abebabebf02224c", "name": "ThreatFix_URL", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-02-25T10:01:35.579000", "created": "2026-01-13T09:20:12.942000", "tags": [ "feed", "window", "rah623925" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2280, "FileHash-MD5": 22, "domain": 618, "hostname": 520 }, "indicator_count": 3440, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690f3c5dc4e3987d08cb8055", "name": "GootLoader New Evasion Methods Target Search Driven Workflows", "description": "GootLoader, operated by the threat group UNC2565 (also known as Storm-0494), has resurfaced with advanced techniques to exploit search-driven workflows. This malware loader is central to a sophisticated Access-as-a-Service platform that facilitates initial access for ransomware affiliates, including Vanilla Tempest, and leverages SEO poisoning to attract users searching for business document templates. A notable attack technique involves the use of a dual-personality ZIP archive. This archive is engineered to deceive security sandboxes by appearing harmless while extracting a malicious .js file for human users. Upon execution, usually triggered by the user double-clicking the JScript file, the payload launches through Windows Script Host, specifically WScript.exe or CScript.exe, which in turn invokes PowerShell to retrieve subsequent malicious payloads.", "modified": "2025-12-08T12:03:02.393000", "created": "2025-11-08T12:49:33.537000", "tags": [ "phishing", "malware", "zip", "initial access loader", "gootloader", "ip archive evasion", "powershell", "unc2565", "wordpress", "windows script", "gootbot", "cobalt strike", "startup", "storm0494", "gootkit", "loader", "rhysida", "blackcat", "zeppelin", "score", "python", "global", "execution", "evolution", "gootloader jscript", "hostnames", "ipv4", "hashes", "sha256" ], "references": [ "https://cybersecsentinel.com/gootloader-new-evasion-methods-target-search-driven-workflows/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader JScript", "display_name": "GootLoader JScript", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Legal", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 68, "FileHash-SHA256": 10, "domain": 55, "hostname": 13 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690d5f22270c494c68bcf199", "name": "IOC - Gootloader Returns: What Goodies Did They Bring?", "description": "", "modified": "2025-12-06T14:01:00.062000", "created": "2025-11-07T02:53:22.181000", "tags": [ "vanilla tempest", "lateral movement", "noberus", "ransomware", "obfuscation", "gootloader", "quantum locker", "seo poisoning", "rhysida", "wordpress exploitation", "zeppelin", "javascript", "blackcat", "alphv", "supper socks5 backdoor" ], "references": [ "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation" ], "public": 1, "adversary": "Storm-0494", "targeted_countries": [], "malware_families": [ { "id": "Gootloader - S1138", "display_name": "Gootloader - S1138", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "BlackCat - S1068", "display_name": "BlackCat - S1068", "target": null }, { "id": "ALPHV", "display_name": "ALPHV", "target": null }, { "id": "Noberus", "display_name": "Noberus", "target": null }, { "id": "Zeppelin", "display_name": "Zeppelin", "target": null }, { "id": "Quantum Locker", "display_name": "Quantum Locker", "target": null }, { "id": "Supper SOCKS5 Backdoor", "display_name": "Supper SOCKS5 Backdoor", "target": null } ], "attack_ids": [ { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": "690cadc6a4a3c3370cc2e697", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 66, "FileHash-SHA256": 9, "domain": 41, "hostname": 13 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690d7cf30b032ca8557dfec0", "name": "Gootloader Returns: What Goodies Did They Bring?", "description": "", "modified": "2025-12-06T14:01:00.062000", "created": "2025-11-07T05:00:35.456000", "tags": [ "vanilla tempest", "lateral movement", "noberus", "ransomware", "obfuscation", "gootloader", "quantum locker", "seo poisoning", "rhysida", "wordpress exploitation", "zeppelin", "javascript", "blackcat", "alphv", "supper socks5 backdoor" ], "references": [ "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation" ], "public": 1, "adversary": "Storm-0494", "targeted_countries": [], "malware_families": [ { "id": "Gootloader - S1138", "display_name": "Gootloader - S1138", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "BlackCat - S1068", "display_name": "BlackCat - S1068", "target": null }, { "id": "ALPHV", "display_name": "ALPHV", "target": null }, { "id": "Noberus", "display_name": "Noberus", "target": null }, { "id": "Zeppelin", "display_name": "Zeppelin", "target": null }, { "id": "Quantum Locker", "display_name": "Quantum Locker", "target": null }, { "id": "Supper SOCKS5 Backdoor", "display_name": "Supper SOCKS5 Backdoor", "target": null } ], "attack_ids": [ { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": "690cadc6a4a3c3370cc2e697", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 66, "FileHash-SHA256": 9, "domain": 41, "hostname": 13 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690ca8f2a871ffdf54c2795f", "name": "Gootloader Returns: What Goodies Did They Bring?", "description": "Gootloader, a JavaScript-based malware loader, has resurfaced with renewed activity after a brief hiatus. This malware is primarily used by the threat actor known as Storm-0494 to gain initial access, often leveraging SEO poisoning to attract users to compromised sites. Gootloader employs heavily obfuscated JavaScript to deliver additional payloads and is known for facilitating infections that lead to the deployment of various ransomware families, such as Rhysida, BlackCat, Zeppelin, and Quantum Locker through another actor, Vanilla Tempest.\n\nOne of the novel techniques used in recent Gootloader operations includes the incorporation of custom WOFF2 fonts, which employ glyph substitution to obscure filenames. The loader exploits WordPress comment submission endpoints to deliver XOR-encrypted ZIP files containing payloads, with a unique decryption key hardcoded in the site\u2019s source code.", "modified": "2025-12-06T13:02:41.371000", "created": "2025-11-06T13:56:02.390000", "tags": [ "gootloader", "javascript file", "supper backdoor", "c2 server", "vanilla tempest", "powershell", "case", "sha256", "javascript", "windows", "path", "blackcat", "zeppelin", "download", "back", "supper socks5", "oysterloader", "section).the", "supper", "huntress" ], "references": [ "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Gootloader", "display_name": "Gootloader", "target": null }, { "id": "OysterLoader", "display_name": "OysterLoader", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 68, "FileHash-SHA256": 10, "domain": 55, "hostname": 13 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation", "https://cybersecsentinel.com/gootloader-new-evasion-methods-target-search-driven-workflows/" ], "related": { "alienvault": { "adversary": [ "Storm-0494" ], "malware_families": [ "Alphv", "Zeppelin", "Rhysida", "Quantum locker", "Supper socks5 backdoor", "Blackcat - s1068", "Gootloader - s1138", "Noberus" ], "industries": [] }, "other": { "adversary": [ "Storm-0494" ], "malware_families": [ "Alphv", "Gootloader jscript", "Cobalt strike", "Zeppelin", "Oysterloader", "Rhysida", "Gootloader", "Quantum locker", "Supper socks5 backdoor", "Blackcat - s1068", "Gootloader - s1138", "Noberus" ], "industries": [ "Financial", "Legal" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "690cadc6a4a3c3370cc2e697", "name": "Gootloader Returns: What Goodies Did They Bring?", "description": "Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Used by threat actor Storm-0494, it grants access to Vanilla Tempest, which delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses custom WOFF2 fonts with glyph substitution to obfuscate filenames and exploits WordPress comment endpoints for payload delivery. It has shifted to Startup folder persistence and employs extensive obfuscation techniques. Reconnaissance begins quickly after infection, followed by predictable attack patterns including AD enumeration, lateral movement, and potential ransomware preparation. The loader's delivery method and obfuscation techniques have evolved, making it more challenging to detect and analyze.", "modified": "2025-12-06T14:01:00.062000", "created": "2025-11-06T14:16:38.980000", "tags": [ "vanilla tempest", "lateral movement", "noberus", "ransomware", "obfuscation", "gootloader", "quantum locker", "seo poisoning", "rhysida", "wordpress exploitation", "zeppelin", "javascript", "blackcat", "alphv", "supper socks5 backdoor" ], "references": [ "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation" ], "public": 1, "adversary": "Storm-0494", "targeted_countries": [], "malware_families": [ { "id": "Gootloader - S1138", "display_name": "Gootloader - S1138", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "BlackCat - S1068", "display_name": "BlackCat - S1068", "target": null }, { "id": "ALPHV", "display_name": "ALPHV", "target": null }, { "id": "Noberus", "display_name": "Noberus", "target": null }, { "id": "Zeppelin", "display_name": "Zeppelin", "target": null }, { "id": "Quantum Locker", "display_name": "Quantum Locker", "target": null }, { "id": "Supper SOCKS5 Backdoor", "display_name": "Supper SOCKS5 Backdoor", "target": null } ], "attack_ids": [ { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 66, "FileHash-SHA256": 9, "domain": 41, "hostname": 13 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 386947, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69660e4e2abebabebf02224c", "name": "ThreatFix_URL", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-02-25T10:01:35.579000", "created": "2026-01-13T09:20:12.942000", "tags": [ "feed", "window", "rah623925" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2280, "FileHash-MD5": 22, "domain": 618, "hostname": 520 }, "indicator_count": 3440, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690f3c5dc4e3987d08cb8055", "name": "GootLoader New Evasion Methods Target Search Driven Workflows", "description": "GootLoader, operated by the threat group UNC2565 (also known as Storm-0494), has resurfaced with advanced techniques to exploit search-driven workflows. This malware loader is central to a sophisticated Access-as-a-Service platform that facilitates initial access for ransomware affiliates, including Vanilla Tempest, and leverages SEO poisoning to attract users searching for business document templates. A notable attack technique involves the use of a dual-personality ZIP archive. This archive is engineered to deceive security sandboxes by appearing harmless while extracting a malicious .js file for human users. Upon execution, usually triggered by the user double-clicking the JScript file, the payload launches through Windows Script Host, specifically WScript.exe or CScript.exe, which in turn invokes PowerShell to retrieve subsequent malicious payloads.", "modified": "2025-12-08T12:03:02.393000", "created": "2025-11-08T12:49:33.537000", "tags": [ "phishing", "malware", "zip", "initial access loader", "gootloader", "ip archive evasion", "powershell", "unc2565", "wordpress", "windows script", "gootbot", "cobalt strike", "startup", "storm0494", "gootkit", "loader", "rhysida", "blackcat", "zeppelin", "score", "python", "global", "execution", "evolution", "gootloader jscript", "hostnames", "ipv4", "hashes", "sha256" ], "references": [ "https://cybersecsentinel.com/gootloader-new-evasion-methods-target-search-driven-workflows/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader JScript", "display_name": "GootLoader JScript", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Legal", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 68, "FileHash-SHA256": 10, "domain": 55, "hostname": 13 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690d5f22270c494c68bcf199", "name": "IOC - Gootloader Returns: What Goodies Did They Bring?", "description": "", "modified": "2025-12-06T14:01:00.062000", "created": "2025-11-07T02:53:22.181000", "tags": [ "vanilla tempest", "lateral movement", "noberus", "ransomware", "obfuscation", "gootloader", "quantum locker", "seo poisoning", "rhysida", "wordpress exploitation", "zeppelin", "javascript", "blackcat", "alphv", "supper socks5 backdoor" ], "references": [ "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation" ], "public": 1, "adversary": "Storm-0494", "targeted_countries": [], "malware_families": [ { "id": "Gootloader - S1138", "display_name": "Gootloader - S1138", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "BlackCat - S1068", "display_name": "BlackCat - S1068", "target": null }, { "id": "ALPHV", "display_name": "ALPHV", "target": null }, { "id": "Noberus", "display_name": "Noberus", "target": null }, { "id": "Zeppelin", "display_name": "Zeppelin", "target": null }, { "id": "Quantum Locker", "display_name": "Quantum Locker", "target": null }, { "id": "Supper SOCKS5 Backdoor", "display_name": "Supper SOCKS5 Backdoor", "target": null } ], "attack_ids": [ { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": "690cadc6a4a3c3370cc2e697", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 66, "FileHash-SHA256": 9, "domain": 41, "hostname": 13 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690d7cf30b032ca8557dfec0", "name": "Gootloader Returns: What Goodies Did They Bring?", "description": "", "modified": "2025-12-06T14:01:00.062000", "created": "2025-11-07T05:00:35.456000", "tags": [ "vanilla tempest", "lateral movement", "noberus", "ransomware", "obfuscation", "gootloader", "quantum locker", "seo poisoning", "rhysida", "wordpress exploitation", "zeppelin", "javascript", "blackcat", "alphv", "supper socks5 backdoor" ], "references": [ "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation" ], "public": 1, "adversary": "Storm-0494", "targeted_countries": [], "malware_families": [ { "id": "Gootloader - S1138", "display_name": "Gootloader - S1138", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "BlackCat - S1068", "display_name": "BlackCat - S1068", "target": null }, { "id": "ALPHV", "display_name": "ALPHV", "target": null }, { "id": "Noberus", "display_name": "Noberus", "target": null }, { "id": "Zeppelin", "display_name": "Zeppelin", "target": null }, { "id": "Quantum Locker", "display_name": "Quantum Locker", "target": null }, { "id": "Supper SOCKS5 Backdoor", "display_name": "Supper SOCKS5 Backdoor", "target": null } ], "attack_ids": [ { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": "690cadc6a4a3c3370cc2e697", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 66, "FileHash-SHA256": 9, "domain": 41, "hostname": 13 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690ca8f2a871ffdf54c2795f", "name": "Gootloader Returns: What Goodies Did They Bring?", "description": "Gootloader, a JavaScript-based malware loader, has resurfaced with renewed activity after a brief hiatus. This malware is primarily used by the threat actor known as Storm-0494 to gain initial access, often leveraging SEO poisoning to attract users to compromised sites. Gootloader employs heavily obfuscated JavaScript to deliver additional payloads and is known for facilitating infections that lead to the deployment of various ransomware families, such as Rhysida, BlackCat, Zeppelin, and Quantum Locker through another actor, Vanilla Tempest.\n\nOne of the novel techniques used in recent Gootloader operations includes the incorporation of custom WOFF2 fonts, which employ glyph substitution to obscure filenames. The loader exploits WordPress comment submission endpoints to deliver XOR-encrypted ZIP files containing payloads, with a unique decryption key hardcoded in the site\u2019s source code.", "modified": "2025-12-06T13:02:41.371000", "created": "2025-11-06T13:56:02.390000", "tags": [ "gootloader", "javascript file", "supper backdoor", "c2 server", "vanilla tempest", "powershell", "case", "sha256", "javascript", "windows", "path", "blackcat", "zeppelin", "download", "back", "supper socks5", "oysterloader", "section).the", "supper", "huntress" ], "references": [ "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Gootloader", "display_name": "Gootloader", "target": null }, { "id": "OysterLoader", "display_name": "OysterLoader", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 68, "FileHash-SHA256": 10, "domain": 55, "hostname": 13 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "yourboxspring.nl", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "yourboxspring.nl", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780424517.3679173 }