{ "type": "Domain", "indicator": "zerophone.cc", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/zerophone.cc", "alexa": "http://www.alexa.com/siteinfo/zerophone.cc", "indicator": "zerophone.cc", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2617385508, "indicator": "zerophone.cc", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69d12848319a0b693dfbd1cd", "name": "AVrecon Malware-Infected Routers Exploited as Residential Proxies by SocksEscort", "description": "AVrecon malware has been identified as a significant threat targeting routers and Internet of Things (IoT) devices worldwide, with operations affecting approximately 163 countries, including the United States. This malware allows threat actors, particularly associated with the SocksEscort service, to compromise routers, install AVrecon, and subsequently sell access to these devices as residential proxies. The service is reported to have compromised around 369,000 devices since its inception in 2020. The FBI, in collaboration with various global law enforcement agencies, has recently initiated actions against SocksEscort, leading to its takedown.", "modified": "2026-05-04T15:01:49.491000", "created": "2026-04-04T15:03:36.128000", "tags": [ "avrecon malware", "md5 hash", "c2 domains", "c2 uri" ], "references": [ "https://fbi.gov/file-repository/cyber-alerts/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AVrecon", "display_name": "AVrecon", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1601.001", "name": "Patch System Image", "display_name": "T1601.001 - Patch System Image" } ], "industries": [ "Finance", "E-commerce", "IoT" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "domain": 23 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bb3bb2bc2687dfec2ea41c", "name": "AVrecon Malware-Infected Routers Exploited as Residential Proxies by SocksEscort", "description": "AVrecon Malware MD5 Hashes are described as \"probable\" and \"unreal\" by some of the people involved in developing the software for the use of malware.", "modified": "2026-04-17T23:31:23.722000", "created": "2026-03-18T23:56:28.895000", "tags": [ "md5 hash", "avrecon loader", "avrecon malware", "additional md5", "hashes", "c2 ips", "c2 domains" ], "references": [ "avrecon_iocs.txt" ], "public": 1, "adversary": "SocksEscort", "targeted_countries": [], "malware_families": [ { "id": "AVrecon", "display_name": "AVrecon", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" } ], "industries": [ "Telecommunications", "iot devices", "small office", "home office", "Enterprises indirectly abused through proxy-enabled fraud" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Rokalien77", "id": "207164", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "domain": 23 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676aa8ad19cff1466219a8d4", "name": "EraNet", "description": "", "modified": "2024-12-24T12:27:25.946000", "created": "2024-12-24T12:27:25.946000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 995, "email": 1 }, "indicator_count": 996, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "522 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64d424aab2f3c46cbc8d2722", "name": "URLHaus data - 09-08-2023", "description": "", "modified": "2023-09-08T23:01:45.752000", "created": "2023-08-09T23:43:38.173000", "tags": [ "hajime", "elf", "Mozi", "AVrecon", "botnet", "c2", "mirai", "32-bit", "mips", "arm", "zip", "exe", "njRAT", "remcos", "32", "sparc", "AgentTesla", "opendir", "ascii", "vbs", "rat", "RemcosRAT", "Encoded", "aggah", "hagga", "js", "Loki", "Formbook", "NetSupport", "url", "hta", "lnk", "Cobalt strike", "dll", "Stealc", "SocGholish", "dcrat", "x86-32", "Parallax", "ParallaxRAT", "gregbad.duckdns.org", "GuLoader", "discord", "grabushka", "infostealer", "Tsunami", "encrypted", "Amadey", "Ousaban", "spy", "gafgyt", "Arechclient2", "dropped-by-amadey", "SystemBC", "RTF", "CobaltStrike", "pwd:maritasbeta", "pwd:tatsugame", "dropped-by-PrivateLoader", "RedLine", "CoinMiner", "dropped-by-SmokeLoader", "LummaStealer", "shellscript", "64", "bashlite", "intel" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 422, "domain": 23, "hostname": 10 }, "indicator_count": 455, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "995 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c31ab64d256fe247b37b5a", "name": "Malware Proxy Service \u201cSocksEscort\u2019\u2019", "description": "", "modified": "2023-08-27T01:00:47.759000", "created": "2023-07-28T01:32:38.187000", "tags": [ "macho", "firefox", "launcher", "pearland", "chainbreaker", "evolion", "brawl", "dawn", "land launcher", "pearl land" ], "references": [ "July 28th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #2911 - Malware Proxy Service \u201cSocksEscort\u2019\u2019.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 39, "domain": 3 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64b1dc79f932d559cad14798", "name": "URLHaus data - 14-07-2023", "description": "", "modified": "2023-08-13T23:04:07.863000", "created": "2023-07-14T23:38:33.371000", "tags": [ "32-bit", "elf", "mips", "Mozi", "arm", "mirai", "32", "sparc", "hajime", "1234", "Password-protected", "zip", "6792", "rar", "dropped-by-PrivateLoader", "encrypted", "RedLine", "RedLineStealer", "soft2023", "ascii", "powershell", "PowerShellMeterpreterReverseTCPx64", "exe", "dropped-by-SmokeLoader", "Amadey", "ps", "xworm", "PrivateLoader", "Lumma", "cnc", "Loki", "IcedID", "dll", "Stealc", "Phobos", "AgentTesla", "doc", "geofenced", "ITA", "AsyncRAT", "GuLoader", "Smoke Loader", "opendir", "Formbook", "hta", "SystemBC", "RecordBreaker", "2023", "5917", "discord", "infostealer", "shellscript", "dropped-by-amadey", "VenomLMK", "VenomLNK", "AveMariaRAT" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 633, "domain": 29, "hostname": 6 }, "indicator_count": 668, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1021 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://urlhaus.abuse.ch/browse/", "avrecon_iocs.txt", "https://fbi.gov/file-repository/cyber-alerts/", "July 28th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #2911 - Malware Proxy Service \u201cSocksEscort\u2019\u2019.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "SocksEscort" ], "malware_families": [ "Avrecon" ], "industries": [ "Enterprises indirectly abused through proxy-enabled fraud", "Iot", "Telecommunications", "Iot devices", "Finance", "Home office", "Small office", "E-commerce" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69d12848319a0b693dfbd1cd", "name": "AVrecon Malware-Infected Routers Exploited as Residential Proxies by SocksEscort", "description": "AVrecon malware has been identified as a significant threat targeting routers and Internet of Things (IoT) devices worldwide, with operations affecting approximately 163 countries, including the United States. This malware allows threat actors, particularly associated with the SocksEscort service, to compromise routers, install AVrecon, and subsequently sell access to these devices as residential proxies. The service is reported to have compromised around 369,000 devices since its inception in 2020. The FBI, in collaboration with various global law enforcement agencies, has recently initiated actions against SocksEscort, leading to its takedown.", "modified": "2026-05-04T15:01:49.491000", "created": "2026-04-04T15:03:36.128000", "tags": [ "avrecon malware", "md5 hash", "c2 domains", "c2 uri" ], "references": [ "https://fbi.gov/file-repository/cyber-alerts/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AVrecon", "display_name": "AVrecon", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1601.001", "name": "Patch System Image", "display_name": "T1601.001 - Patch System Image" } ], "industries": [ "Finance", "E-commerce", "IoT" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "domain": 23 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bb3bb2bc2687dfec2ea41c", "name": "AVrecon Malware-Infected Routers Exploited as Residential Proxies by SocksEscort", "description": "AVrecon Malware MD5 Hashes are described as \"probable\" and \"unreal\" by some of the people involved in developing the software for the use of malware.", "modified": "2026-04-17T23:31:23.722000", "created": "2026-03-18T23:56:28.895000", "tags": [ "md5 hash", "avrecon loader", "avrecon malware", "additional md5", "hashes", "c2 ips", "c2 domains" ], "references": [ "avrecon_iocs.txt" ], "public": 1, "adversary": "SocksEscort", "targeted_countries": [], "malware_families": [ { "id": "AVrecon", "display_name": "AVrecon", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" } ], "industries": [ "Telecommunications", "iot devices", "small office", "home office", "Enterprises indirectly abused through proxy-enabled fraud" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Rokalien77", "id": "207164", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "domain": 23 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676aa8ad19cff1466219a8d4", "name": "EraNet", "description": "", "modified": "2024-12-24T12:27:25.946000", "created": "2024-12-24T12:27:25.946000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 995, "email": 1 }, "indicator_count": 996, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "522 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64d424aab2f3c46cbc8d2722", "name": "URLHaus data - 09-08-2023", "description": "", "modified": "2023-09-08T23:01:45.752000", "created": "2023-08-09T23:43:38.173000", "tags": [ "hajime", "elf", "Mozi", "AVrecon", "botnet", "c2", "mirai", "32-bit", "mips", "arm", "zip", "exe", "njRAT", "remcos", "32", "sparc", "AgentTesla", "opendir", "ascii", "vbs", "rat", "RemcosRAT", "Encoded", "aggah", "hagga", "js", "Loki", "Formbook", "NetSupport", "url", "hta", "lnk", "Cobalt strike", "dll", "Stealc", "SocGholish", "dcrat", "x86-32", "Parallax", "ParallaxRAT", "gregbad.duckdns.org", "GuLoader", "discord", "grabushka", "infostealer", "Tsunami", "encrypted", "Amadey", "Ousaban", "spy", "gafgyt", "Arechclient2", "dropped-by-amadey", "SystemBC", "RTF", "CobaltStrike", "pwd:maritasbeta", "pwd:tatsugame", "dropped-by-PrivateLoader", "RedLine", "CoinMiner", "dropped-by-SmokeLoader", "LummaStealer", "shellscript", "64", "bashlite", "intel" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 422, "domain": 23, "hostname": 10 }, "indicator_count": 455, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "995 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c31ab64d256fe247b37b5a", "name": "Malware Proxy Service \u201cSocksEscort\u2019\u2019", "description": "", "modified": "2023-08-27T01:00:47.759000", "created": "2023-07-28T01:32:38.187000", "tags": [ "macho", "firefox", "launcher", "pearland", "chainbreaker", "evolion", "brawl", "dawn", "land launcher", "pearl land" ], "references": [ "July 28th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #2911 - Malware Proxy Service \u201cSocksEscort\u2019\u2019.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 39, "domain": 3 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64b1dc79f932d559cad14798", "name": "URLHaus data - 14-07-2023", "description": "", "modified": "2023-08-13T23:04:07.863000", "created": "2023-07-14T23:38:33.371000", "tags": [ "32-bit", "elf", "mips", "Mozi", "arm", "mirai", "32", "sparc", "hajime", "1234", "Password-protected", "zip", "6792", "rar", "dropped-by-PrivateLoader", "encrypted", "RedLine", "RedLineStealer", "soft2023", "ascii", "powershell", "PowerShellMeterpreterReverseTCPx64", "exe", "dropped-by-SmokeLoader", "Amadey", "ps", "xworm", "PrivateLoader", "Lumma", "cnc", "Loki", "IcedID", "dll", "Stealc", "Phobos", "AgentTesla", "doc", "geofenced", "ITA", "AsyncRAT", "GuLoader", "Smoke Loader", "opendir", "Formbook", "hta", "SystemBC", "RecordBreaker", "2023", "5917", "discord", "infostealer", "shellscript", "dropped-by-amadey", "VenomLMK", "VenomLNK", "AveMariaRAT" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 633, "domain": 29, "hostname": 6 }, "indicator_count": 668, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1021 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "zerophone.cc", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "zerophone.cc", "found": true, "verdict": "malicious", "url_count": 3, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "http://zerophone.cc/lumi/fmw.php", "status": "offline", "threat": "malware_download", "date_added": "2023-08-09", "tags": [ "AVrecon", "botnet", "c2" ] }, { "url": "http://zerophone.cc/", "status": "offline", "threat": "malware_download", "date_added": "2023-07-14", "tags": [ "cnc" ] }, { "url": "http://zerophone.cc/1", "status": "offline", "threat": "malware_download", "date_added": "2020-08-15", "tags": [ "ddos", "elf", "mirai" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780211771.5969093 }