{ "type": "Domain", "indicator": "ziuspsuan.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ziuspsuan.com", "alexa": "http://www.alexa.com/siteinfo/ziuspsuan.com", "indicator": "ziuspsuan.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3997528641, "indicator": "ziuspsuan.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6797e7cf00d753298a379df8", "name": "Hidden in Plain Sight: PDF Mishing Attack", "description": "A sophisticated phishing campaign targeting mobile devices has been discovered, impersonating the United States Postal Service (USPS). The campaign uses a novel obfuscation technique in PDF files to hide malicious links, making detection difficult for many security solutions. The attack exploits users' trust in PDF documents and leverages advanced social engineering tactics. The malicious PDFs contain hidden, clickable elements that redirect users to phishing pages designed to steal personal and financial information. The campaign's infrastructure includes over 20 malicious PDF files, 630 phishing pages, and potential impact across 50+ countries. The attackers use multilingual support and encryption techniques to expand their reach and protect their operations.", "modified": "2025-01-27T20:24:07.069000", "created": "2025-01-27T20:08:47.924000", "tags": [ "phishing", "pdf", "credential theft" ], "references": [ "https://www.zimperium.com/blog/hidden-in-plain-sight-pdf-mishing-attack/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 25, "domain": 129, "hostname": 500 }, "indicator_count": 656, "is_author": false, "is_subscribing": null, "subscriber_count": 387104, "modified_text": "491 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a1f349e067e7a2853518fe", "name": "Hidden in Plain Sight: PDF Mishing Attack", "description": "As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team has been actively tracking a phishing campaign impersonating the United States Postal Service (USPS) which is exclusively targeting mobile devices. This campaign employs sophisticated social engineering tactics and a never-before-seen means of obfuscation to deliver malicious PDF files designed to steal credentials and compromise sensitive data.", "modified": "2025-02-04T11:00:25.224000", "created": "2025-02-04T11:00:25.224000", "tags": [], "references": [ "https://www.zimperium.com/blog/hidden-in-plain-sight-pdf-mishing-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 24, "FileHash-SHA256": 25, "URL": 24, "domain": 130, "hostname": 500 }, "indicator_count": 727, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "484 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.zimperium.com/blog/hidden-in-plain-sight-pdf-mishing-attack/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6797e7cf00d753298a379df8", "name": "Hidden in Plain Sight: PDF Mishing Attack", "description": "A sophisticated phishing campaign targeting mobile devices has been discovered, impersonating the United States Postal Service (USPS). The campaign uses a novel obfuscation technique in PDF files to hide malicious links, making detection difficult for many security solutions. The attack exploits users' trust in PDF documents and leverages advanced social engineering tactics. The malicious PDFs contain hidden, clickable elements that redirect users to phishing pages designed to steal personal and financial information. The campaign's infrastructure includes over 20 malicious PDF files, 630 phishing pages, and potential impact across 50+ countries. The attackers use multilingual support and encryption techniques to expand their reach and protect their operations.", "modified": "2025-01-27T20:24:07.069000", "created": "2025-01-27T20:08:47.924000", "tags": [ "phishing", "pdf", "credential theft" ], "references": [ "https://www.zimperium.com/blog/hidden-in-plain-sight-pdf-mishing-attack/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 25, "domain": 129, "hostname": 500 }, "indicator_count": 656, "is_author": false, "is_subscribing": null, "subscriber_count": 387104, "modified_text": "491 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a1f349e067e7a2853518fe", "name": "Hidden in Plain Sight: PDF Mishing Attack", "description": "As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team has been actively tracking a phishing campaign impersonating the United States Postal Service (USPS) which is exclusively targeting mobile devices. This campaign employs sophisticated social engineering tactics and a never-before-seen means of obfuscation to deliver malicious PDF files designed to steal credentials and compromise sensitive data.", "modified": "2025-02-04T11:00:25.224000", "created": "2025-02-04T11:00:25.224000", "tags": [], "references": [ "https://www.zimperium.com/blog/hidden-in-plain-sight-pdf-mishing-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 24, "FileHash-SHA256": 25, "URL": 24, "domain": 130, "hostname": 500 }, "indicator_count": 727, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "484 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ziuspsuan.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ziuspsuan.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780494794.4549904 }