{ "type": "Domain", "indicator": "zhgift.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/zhgift.com", "alexa": "http://www.alexa.com/siteinfo/zhgift.com", "indicator": "zhgift.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4025183362, "indicator": "zhgift.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6780a344bb58bb0f16d99226", "name": "Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure", "description": "A phishing attack targeting a Cyberhaven employee led to the compromise of their Google Chrome extension. The attacker published a malicious version on the Chrome Web Store, active for 24 hours, capable of exfiltrating cookies and session data. Analysis of IP addresses and domains revealed connections to a broader campaign targeting Facebook advertising accounts. A TLS certificate linked previously reported infrastructure to additional connections, suggesting a long-running operation. The infrastructure, primarily hosted on The Constant Company network, showed consistent domain patterns mimicking known organizations and extensions dating back to early 2024. While similarities exist with groups like Savvy Seahorse, further analysis is needed to establish definitive links.", "modified": "2025-01-10T08:35:58.191000", "created": "2025-01-10T04:34:12.807000", "tags": [ "chrome extension", "phishing", "certificate rotation", "domain spoofing" ], "references": [ "https://hunt.io/blog/cyberhaven-extension-compromise-tls-certificate-links-infrastructure" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "France", "Germany", "Singapore" ], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 44, "hostname": 21 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 386501, "modified_text": "505 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68720cfb1b4cf43a6804f055", "name": "Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited in the Wild.", "description": "CVE-2025-47812 is a critical vulnerability identified in the Wing FTP Server prior to version 7.4.4, affecting multiple platforms, including Windows, Linux, and macOS. The vulnerability arises from improper handling of null bytes in the username input during the authentication process, specifically through the loginok.html endpoint. By exploiting this flaw, attackers can perform Lua code injection, which may lead to remote code execution with root or SYSTEM-level privileges. The attack vector begins when an adversary crafts a username input that includes a null byte (%00), allowing them to disrupt the expected string processing of the username. Following the null byte, they append characters that are interpreted as Lua code, which manipulates the session object files that typically store user information like the current directory and IP address. This payload ends with a comment to preserve the syntax, effectively enabling the injection of malicious Lua commands.", "modified": "2025-08-11T07:03:36.795000", "created": "2025-07-12T07:21:31.172000", "tags": [ "wing ftp", "currentpath", "powershell", "june", "python", "password", "sha256", "bumbling", "webhook site", "beacon trojan" ], "references": [ "https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 26, "URL": 103, "hostname": 33, "domain": 40 }, "indicator_count": 204, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "293 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://hunt.io/blog/cyberhaven-extension-compromise-tls-certificate-links-infrastructure", "https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6780a344bb58bb0f16d99226", "name": "Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure", "description": "A phishing attack targeting a Cyberhaven employee led to the compromise of their Google Chrome extension. The attacker published a malicious version on the Chrome Web Store, active for 24 hours, capable of exfiltrating cookies and session data. Analysis of IP addresses and domains revealed connections to a broader campaign targeting Facebook advertising accounts. A TLS certificate linked previously reported infrastructure to additional connections, suggesting a long-running operation. The infrastructure, primarily hosted on The Constant Company network, showed consistent domain patterns mimicking known organizations and extensions dating back to early 2024. While similarities exist with groups like Savvy Seahorse, further analysis is needed to establish definitive links.", "modified": "2025-01-10T08:35:58.191000", "created": "2025-01-10T04:34:12.807000", "tags": [ "chrome extension", "phishing", "certificate rotation", "domain spoofing" ], "references": [ "https://hunt.io/blog/cyberhaven-extension-compromise-tls-certificate-links-infrastructure" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "France", "Germany", "Singapore" ], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 44, "hostname": 21 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 386501, "modified_text": "505 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68720cfb1b4cf43a6804f055", "name": "Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited in the Wild.", "description": "CVE-2025-47812 is a critical vulnerability identified in the Wing FTP Server prior to version 7.4.4, affecting multiple platforms, including Windows, Linux, and macOS. The vulnerability arises from improper handling of null bytes in the username input during the authentication process, specifically through the loginok.html endpoint. By exploiting this flaw, attackers can perform Lua code injection, which may lead to remote code execution with root or SYSTEM-level privileges. The attack vector begins when an adversary crafts a username input that includes a null byte (%00), allowing them to disrupt the expected string processing of the username. Following the null byte, they append characters that are interpreted as Lua code, which manipulates the session object files that typically store user information like the current directory and IP address. This payload ends with a comment to preserve the syntax, effectively enabling the injection of malicious Lua commands.", "modified": "2025-08-11T07:03:36.795000", "created": "2025-07-12T07:21:31.172000", "tags": [ "wing ftp", "currentpath", "powershell", "june", "python", "password", "sha256", "bumbling", "webhook site", "beacon trojan" ], "references": [ "https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 26, "URL": 103, "hostname": 33, "domain": 40 }, "indicator_count": 204, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "293 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "zhgift.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "zhgift.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780215845.2265165 }