{ "type": "Domain", "indicator": "zohomail.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/zohomail.com", "alexa": "http://www.alexa.com/siteinfo/zohomail.com", "indicator": "zohomail.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2733891785, "indicator": "zohomail.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "69f9c539da459757922d22d8", "name": "A rigged game: compromises gaming platform in a supply-chain attack", "description": "North Korea-aligned APT group ScarCruft executed a multiplatform supply-chain attack targeting ethnic Koreans in China's Yanbian region, an area significant for North Korean refugees and defectors. Since late 2024, the group compromised a video gaming platform dedicated to Yanbian-themed games, trojanizing both Windows and Android components with the BirdCall backdoor. The Windows client received malicious updates leading to RokRAT and subsequently BirdCall deployment, while Android games were directly trojanized. This marks the first discovery of Android BirdCall, capable of comprehensive surveillance including data collection, screenshots, and voice recording. The campaign focuses on espionage against individuals of interest to the North Korean regime, particularly refugees and defectors.", "modified": "2026-05-05T10:31:36.265000", "created": "2026-05-05T10:23:53.483000", "tags": [ "supply-chain attack", "birdcall", "android trojan", "yanbian targeting", "gaming platform compromise" ], "references": [ "https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [ { "id": "BirdCall", "display_name": "BirdCall", "target": null }, { "id": "ROKRAT - S0240", "display_name": "ROKRAT - S0240", "target": null } ], "attack_ids": [ { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1480.001", "name": "Environmental Keying", "display_name": "T1480.001 - Environmental Keying" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 14, "FileHash-SHA256": 6, "domain": 8, "hostname": 4 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 386536, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552856, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fa4cc388e82992fbdf9413", "name": "Iocs & anti forgery cert", "description": "Leaving this one brief for now. I will note the antigorgery very exp is dangerous and rec exp it from any domain.", "modified": "2026-05-06T08:26:49.994000", "created": "2026-05-05T20:02:11.801000", "tags": [ "kisa", "creation date", "servers", "date", "name servers", "songpagu", "seoul", "security agency", "found date", "gmt server", "url analysis", "title", "cname", "ttl value", "aaaa", "key identifier", "x509v3 subject", "v3 serial", "number", "cus odigicert", "cnthawte tls", "rsa ca", "g1 validity", "lnajusi okorea", "internet", "info", "ip address", "registrant zip", "code", "algorithm", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "server", "registrar abuse", "domain status", "registrar", "dnssec", "domain name", "status", "in registrant", "email", "contact", "key algorithm", "x509v3 key", "registrant", "ac email", "host name", "read", "new york", "korea", "korea internet", "allen street", "kisa sikdang", "korea stop", "mosaic venues", "turkish", "asylum", "service", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "okorea internet", "iana id", "contact email", "contact phone", "registrar url", "registrar whois", "expiration date", "zoho cares", "tr li", "google", "reply", "overview", "chia s", "onpremise", "language test", "file format", "tom jack", "private limited", "stateprovince", "organization", "registrar iana", "tech country", "krnic person", "kr phone", "ip manager", "database", "bundanggu", "kt head", "office country", "whois", "samsungsds", "refer", "team", "telecom", "hack", "online", "south korea", "survey", "internet usage", "behav" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 9, "URL": 388, "domain": 205, "email": 8, "hostname": 688, "IPv4": 28, "FileHash-SHA256": 466, "IPv6": 1, "FileHash-MD5": 7, "CIDR": 1 }, "indicator_count": 1801, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fabb482f5e3f2b49567bbc", "name": "A rigged game: compromises gaming platform in a supply-chain attack", "description": "", "modified": "2026-05-06T03:53:44.836000", "created": "2026-05-06T03:53:44.836000", "tags": [ "supply-chain attack", "birdcall", "android trojan", "yanbian targeting", "gaming platform compromise" ], "references": [ "https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [ { "id": "BirdCall", "display_name": "BirdCall", "target": null }, { "id": "ROKRAT - S0240", "display_name": "ROKRAT - S0240", "target": null } ], "attack_ids": [ { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1480.001", "name": "Environmental Keying", "display_name": "T1480.001 - Environmental Keying" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": "69f9c539da459757922d22d8", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 14, "FileHash-SHA256": 6, "domain": 8, "hostname": 4 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fa4cc3743bae4c3ab037b9", "name": "Iocs & anti forgery cert", "description": "Leaving this one brief for now. I will note the antigorgery very exp is dangerous and rec exp it from any domain.", "modified": "2026-05-05T20:02:11.255000", "created": "2026-05-05T20:02:11.255000", "tags": [ "kisa", "creation date", "servers", "date", "name servers", "songpagu", "seoul", "security agency", "found date", "gmt server", "url analysis", "title", "cname", "ttl value", "aaaa", "key identifier", "x509v3 subject", "v3 serial", "number", "cus odigicert", "cnthawte tls", "rsa ca", "g1 validity", "lnajusi okorea", "internet", "info", "ip address", "registrant zip", "code", "algorithm", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "server", "registrar abuse", "domain status", "registrar", "dnssec", "domain name", "status", "in registrant", "email", "contact", "key algorithm", "x509v3 key", "registrant", "ac email", "host name", "read", "new york", "korea", "korea internet", "allen street", "kisa sikdang", "korea stop", "mosaic venues", "turkish", "asylum", "service", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "okorea internet", "iana id", "contact email", "contact phone", "registrar url", "registrar whois", "expiration date", "zoho cares", "tr li", "google", "reply", "overview", "chia s", "onpremise", "language test", "file format", "tom jack", "private limited", "stateprovince", "organization", "registrar iana", "tech country", "krnic person", "kr phone", "ip manager", "database", "bundanggu", "kt head", "office country", "whois", "samsungsds", "refer", "team", "telecom", "hack", "online", "south korea", "survey", "internet usage", "behav" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 9, "URL": 387, "domain": 205, "email": 8, "hostname": 688, "IPv4": 28, "FileHash-SHA256": 466, "IPv6": 1, "FileHash-MD5": 7, "CIDR": 1 }, "indicator_count": 1800, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fa4cc26ebab11465ff8916", "name": "Iocs & anti forgery cert", "description": "Leaving this one brief for now. I will note the antigorgery very exp is dangerous and rec exp it from any domain.", "modified": "2026-05-05T20:02:10.709000", "created": "2026-05-05T20:02:10.709000", "tags": [ "kisa", "creation date", "servers", "date", "name servers", "songpagu", "seoul", "security agency", "found date", "gmt server", "url analysis", "title", "cname", "ttl value", "aaaa", "key identifier", "x509v3 subject", "v3 serial", "number", "cus odigicert", "cnthawte tls", "rsa ca", "g1 validity", "lnajusi okorea", "internet", "info", "ip address", "registrant zip", "code", "algorithm", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "server", "registrar abuse", "domain status", "registrar", "dnssec", "domain name", "status", "in registrant", "email", "contact", "key algorithm", "x509v3 key", "registrant", "ac email", "host name", "read", "new york", "korea", "korea internet", "allen street", "kisa sikdang", "korea stop", "mosaic venues", "turkish", "asylum", "service", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "okorea internet", "iana id", "contact email", "contact phone", "registrar url", "registrar whois", "expiration date", "zoho cares", "tr li", "google", "reply", "overview", "chia s", "onpremise", "language test", "file format", "tom jack", "private limited", "stateprovince", "organization", "registrar iana", "tech country", "krnic person", "kr phone", "ip manager", "database", "bundanggu", "kt head", "office country", "whois", "samsungsds", "refer", "team", "telecom", "hack", "online", "south korea", "survey", "internet usage", "behav" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 9, "URL": 387, "domain": 205, "email": 8, "hostname": 688, "IPv4": 28, "FileHash-SHA256": 466, "IPv6": 1, "FileHash-MD5": 7, "CIDR": 1 }, "indicator_count": 1800, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f9d89cc0e56ee59717f2a6", "name": "[A rigged game: compromises..] Credit: AlienVault Clone. ", "description": "", "modified": "2026-05-05T12:51:37.917000", "created": "2026-05-05T11:46:36.989000", "tags": [ "supply-chain attack", "birdcall", "android trojan", "yanbian targeting", "gaming platform compromise" ], "references": [ "https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [ { "id": "BirdCall", "display_name": "BirdCall", "target": null }, { "id": "ROKRAT - S0240", "display_name": "ROKRAT - S0240", "target": null } ], "attack_ids": [ { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1480.001", "name": "Environmental Keying", "display_name": "T1480.001 - Environmental Keying" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": "69f9c539da459757922d22d8", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 14, "FileHash-SHA256": 6, "domain": 8, "hostname": 5, "CIDR": 1, "URL": 5, "email": 6 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655b186b3d62757abfd34221", "name": "Understanding the Phobos affiliate structure and activity", "description": "The most prolific variants of the Phobos ransomware family have been identified by Cisco Talos Intelligence and are commonly seen as being run by a dispersed group of cybercriminal groups, which target high-value servers.", "modified": "2023-11-20T08:27:23.030000", "created": "2023-11-20T08:27:23.030000", "tags": [ "ransomware", "threat spotlight", "phobos", "virustotal", "elbie", "raas", "talos", "appliance", "phobos variant", "ttps", "devos", "phobos sample", "lazagne", "mimikatz", "desktop", "stub", "crysis", "8base", "clop" ], "references": [ "https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Crysis", "display_name": "Crysis", "target": null }, { "id": "8Base", "display_name": "8Base", "target": null }, { "id": "Clop", "display_name": "Clop", "target": null }, { "id": "Phobos", "display_name": "Phobos", "target": null } ], "attack_ids": [ { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1531", "name": "Account Access Removal", "display_name": "T1531 - Account Access Removal" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 23, "email": 2 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "923 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6267f955185bad11df5a914f", "name": "Cyber crime", "description": "Create envirment for protect cyber attacks", "modified": "2022-05-28T12:02:44.627000", "created": "2022-04-26T13:53:25.175000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Iran, Islamic Republic of", "Turkey", "Russian Federation", "Cuba", "United Kingdom of Great Britain and Northern Ireland", "United Arab Emirates", "Ukraine" ], "malware_families": [ { "id": "ALF:JASYP:DDoS:Win32/Nitol", "display_name": "ALF:JASYP:DDoS:Win32/Nitol", "target": null }, { "id": "#DDoS:Linux/Liquad", "display_name": "#DDoS:Linux/Liquad", "target": "/malware/#DDoS:Linux/Liquad" }, { "id": "#LowFi:Adware:Win32/Addendum", "display_name": "#LowFi:Adware:Win32/Addendum", "target": null }, { "id": "#LowFi:Adware:Win32/Addendum", "display_name": "#LowFi:Adware:Win32/Addendum", "target": null }, { "id": "#LowFi:Adware:Win32/Kraddare", "display_name": "#LowFi:Adware:Win32/Kraddare", "target": null }, { "id": "ALF:Exploit:O97M/DDEDownloader", "display_name": "ALF:Exploit:O97M/DDEDownloader", "target": null }, { "id": "ALF:HeraklezEval:DDoS:Linux/Kaiten", "display_name": "ALF:HeraklezEval:DDoS:Linux/Kaiten", "target": null }, { "id": "AESDDoS", "display_name": "AESDDoS", "target": null }, { "id": "#LowFi:Adware:Win32/Addendum", "display_name": "#LowFi:Adware:Win32/Addendum", "target": null }, { "id": "#PDB:Adware:Win64/AddLyrics", "display_name": "#PDB:Adware:Win64/AddLyrics", "target": null }, { "id": "ALF:Exploit:O97M/DDEDownloader", "display_name": "ALF:Exploit:O97M/DDEDownloader", "target": null }, { "id": "#Lowfi:SIGATTR:AddMSRunKey", "display_name": "#Lowfi:SIGATTR:AddMSRunKey", "target": null }, { "id": "#PDB:Adware:Win64/AddLyrics", "display_name": "#PDB:Adware:Win64/AddLyrics", "target": null }, { "id": "ALF:AGGR:Java/AdwindOddClassName", "display_name": "ALF:AGGR:Java/AdwindOddClassName", "target": null }, { "id": "ALF:Adware:Win32/Kraddare", "display_name": "ALF:Adware:Win32/Kraddare", "target": null } ], "attack_ids": [ { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1009", "name": "Binary Padding", "display_name": "T1009 - Binary Padding" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" }, { "id": "T1098.001", "name": "Additional Cloud Credentials", "display_name": "T1098.001 - Additional Cloud Credentials" }, { "id": "T1137.006", "name": "Add-ins", "display_name": "T1137.006 - Add-ins" }, { "id": "T1098.003", "name": "Add Office 365 Global Administrator Role", "display_name": "T1098.003 - Add Office 365 Global Administrator Role" }, { "id": "T1098.001", "name": "Additional Cloud Credentials", "display_name": "T1098.001 - Additional Cloud Credentials" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Brjb2020", "id": "176196", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 79, "domain": 70, "FileHash-SHA256": 3 }, "indicator_count": 152, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "1464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/", "https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/" ], "related": { "alienvault": { "adversary": [ "APT37" ], "malware_families": [ "Rokrat - s0240", "Birdcall" ], "industries": [] }, "other": { "adversary": [ "APT37" ], "malware_families": [ "#ddos:linux/liquad", "Alf:aggr:java/adwindoddclassname", "Birdcall", "Alf:adware:win32/kraddare", "8base", "Rokrat - s0240", "Phobos", "#lowfi:sigattr:addmsrunkey", "Alf:exploit:o97m/ddedownloader", "Aesddos", "Alf:jasyp:ddos:win32/nitol", "Clop", "#lowfi:adware:win32/addendum", "#pdb:adware:win64/addlyrics", "Alf:heraklezeval:ddos:linux/kaiten", "Crysis", "#lowfi:adware:win32/kraddare" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "69f9c539da459757922d22d8", "name": "A rigged game: compromises gaming platform in a supply-chain attack", "description": "North Korea-aligned APT group ScarCruft executed a multiplatform supply-chain attack targeting ethnic Koreans in China's Yanbian region, an area significant for North Korean refugees and defectors. Since late 2024, the group compromised a video gaming platform dedicated to Yanbian-themed games, trojanizing both Windows and Android components with the BirdCall backdoor. The Windows client received malicious updates leading to RokRAT and subsequently BirdCall deployment, while Android games were directly trojanized. This marks the first discovery of Android BirdCall, capable of comprehensive surveillance including data collection, screenshots, and voice recording. The campaign focuses on espionage against individuals of interest to the North Korean regime, particularly refugees and defectors.", "modified": "2026-05-05T10:31:36.265000", "created": "2026-05-05T10:23:53.483000", "tags": [ "supply-chain attack", "birdcall", "android trojan", "yanbian targeting", "gaming platform compromise" ], "references": [ "https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [ { "id": "BirdCall", "display_name": "BirdCall", "target": null }, { "id": "ROKRAT - S0240", "display_name": "ROKRAT - S0240", "target": null } ], "attack_ids": [ { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1480.001", "name": "Environmental Keying", "display_name": "T1480.001 - Environmental Keying" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 14, "FileHash-SHA256": 6, "domain": 8, "hostname": 4 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 386536, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552856, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fa4cc388e82992fbdf9413", "name": "Iocs & anti forgery cert", "description": "Leaving this one brief for now. I will note the antigorgery very exp is dangerous and rec exp it from any domain.", "modified": "2026-05-06T08:26:49.994000", "created": "2026-05-05T20:02:11.801000", "tags": [ "kisa", "creation date", "servers", "date", "name servers", "songpagu", "seoul", "security agency", "found date", "gmt server", "url analysis", "title", "cname", "ttl value", "aaaa", "key identifier", "x509v3 subject", "v3 serial", "number", "cus odigicert", "cnthawte tls", "rsa ca", "g1 validity", "lnajusi okorea", "internet", "info", "ip address", "registrant zip", "code", "algorithm", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "server", "registrar abuse", "domain status", "registrar", "dnssec", "domain name", "status", "in registrant", "email", "contact", "key algorithm", "x509v3 key", "registrant", "ac email", "host name", "read", "new york", "korea", "korea internet", "allen street", "kisa sikdang", "korea stop", "mosaic venues", "turkish", "asylum", "service", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "okorea internet", "iana id", "contact email", "contact phone", "registrar url", "registrar whois", "expiration date", "zoho cares", "tr li", "google", "reply", "overview", "chia s", "onpremise", "language test", "file format", "tom jack", "private limited", "stateprovince", "organization", "registrar iana", "tech country", "krnic person", "kr phone", "ip manager", "database", "bundanggu", "kt head", "office country", "whois", "samsungsds", "refer", "team", "telecom", "hack", "online", "south korea", "survey", "internet usage", "behav" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 9, "URL": 388, "domain": 205, "email": 8, "hostname": 688, "IPv4": 28, "FileHash-SHA256": 466, "IPv6": 1, "FileHash-MD5": 7, "CIDR": 1 }, "indicator_count": 1801, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fabb482f5e3f2b49567bbc", "name": "A rigged game: compromises gaming platform in a supply-chain attack", "description": "", "modified": "2026-05-06T03:53:44.836000", "created": "2026-05-06T03:53:44.836000", "tags": [ "supply-chain attack", "birdcall", "android trojan", "yanbian targeting", "gaming platform compromise" ], "references": [ "https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [ { "id": "BirdCall", "display_name": "BirdCall", "target": null }, { "id": "ROKRAT - S0240", "display_name": "ROKRAT - S0240", "target": null } ], "attack_ids": [ { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1480.001", "name": "Environmental Keying", "display_name": "T1480.001 - Environmental Keying" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": "69f9c539da459757922d22d8", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 14, "FileHash-SHA256": 6, "domain": 8, "hostname": 4 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fa4cc3743bae4c3ab037b9", "name": "Iocs & anti forgery cert", "description": "Leaving this one brief for now. I will note the antigorgery very exp is dangerous and rec exp it from any domain.", "modified": "2026-05-05T20:02:11.255000", "created": "2026-05-05T20:02:11.255000", "tags": [ "kisa", "creation date", "servers", "date", "name servers", "songpagu", "seoul", "security agency", "found date", "gmt server", "url analysis", "title", "cname", "ttl value", "aaaa", "key identifier", "x509v3 subject", "v3 serial", "number", "cus odigicert", "cnthawte tls", "rsa ca", "g1 validity", "lnajusi okorea", "internet", "info", "ip address", "registrant zip", "code", "algorithm", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "server", "registrar abuse", "domain status", "registrar", "dnssec", "domain name", "status", "in registrant", "email", "contact", "key algorithm", "x509v3 key", "registrant", "ac email", "host name", "read", "new york", "korea", "korea internet", "allen street", "kisa sikdang", "korea stop", "mosaic venues", "turkish", "asylum", "service", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "okorea internet", "iana id", "contact email", "contact phone", "registrar url", "registrar whois", "expiration date", "zoho cares", "tr li", "google", "reply", "overview", "chia s", "onpremise", "language test", "file format", "tom jack", "private limited", "stateprovince", "organization", "registrar iana", "tech country", "krnic person", "kr phone", "ip manager", "database", "bundanggu", "kt head", "office country", "whois", "samsungsds", "refer", "team", "telecom", "hack", "online", "south korea", "survey", "internet usage", "behav" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 9, "URL": 387, "domain": 205, "email": 8, "hostname": 688, "IPv4": 28, "FileHash-SHA256": 466, "IPv6": 1, "FileHash-MD5": 7, "CIDR": 1 }, "indicator_count": 1800, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fa4cc26ebab11465ff8916", "name": "Iocs & anti forgery cert", "description": "Leaving this one brief for now. I will note the antigorgery very exp is dangerous and rec exp it from any domain.", "modified": "2026-05-05T20:02:10.709000", "created": "2026-05-05T20:02:10.709000", "tags": [ "kisa", "creation date", "servers", "date", "name servers", "songpagu", "seoul", "security agency", "found date", "gmt server", "url analysis", "title", "cname", "ttl value", "aaaa", "key identifier", "x509v3 subject", "v3 serial", "number", "cus odigicert", "cnthawte tls", "rsa ca", "g1 validity", "lnajusi okorea", "internet", "info", "ip address", "registrant zip", "code", "algorithm", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "server", "registrar abuse", "domain status", "registrar", "dnssec", "domain name", "status", "in registrant", "email", "contact", "key algorithm", "x509v3 key", "registrant", "ac email", "host name", "read", "new york", "korea", "korea internet", "allen street", "kisa sikdang", "korea stop", "mosaic venues", "turkish", "asylum", "service", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "okorea internet", "iana id", "contact email", "contact phone", "registrar url", "registrar whois", "expiration date", "zoho cares", "tr li", "google", "reply", "overview", "chia s", "onpremise", "language test", "file format", "tom jack", "private limited", "stateprovince", "organization", "registrar iana", "tech country", "krnic person", "kr phone", "ip manager", "database", "bundanggu", "kt head", "office country", "whois", "samsungsds", "refer", "team", "telecom", "hack", "online", "south korea", "survey", "internet usage", "behav" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 9, "URL": 387, "domain": 205, "email": 8, "hostname": 688, "IPv4": 28, "FileHash-SHA256": 466, "IPv6": 1, "FileHash-MD5": 7, "CIDR": 1 }, "indicator_count": 1800, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f9d89cc0e56ee59717f2a6", "name": "[A rigged game: compromises..] Credit: AlienVault Clone. ", "description": "", "modified": "2026-05-05T12:51:37.917000", "created": "2026-05-05T11:46:36.989000", "tags": [ "supply-chain attack", "birdcall", "android trojan", "yanbian targeting", "gaming platform compromise" ], "references": [ "https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [ { "id": "BirdCall", "display_name": "BirdCall", "target": null }, { "id": "ROKRAT - S0240", "display_name": "ROKRAT - S0240", "target": null } ], "attack_ids": [ { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1480.001", "name": "Environmental Keying", "display_name": "T1480.001 - Environmental Keying" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": "69f9c539da459757922d22d8", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 14, "FileHash-SHA256": 6, "domain": 8, "hostname": 5, "CIDR": 1, "URL": 5, "email": 6 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655b186b3d62757abfd34221", "name": "Understanding the Phobos affiliate structure and activity", "description": "The most prolific variants of the Phobos ransomware family have been identified by Cisco Talos Intelligence and are commonly seen as being run by a dispersed group of cybercriminal groups, which target high-value servers.", "modified": "2023-11-20T08:27:23.030000", "created": "2023-11-20T08:27:23.030000", "tags": [ "ransomware", "threat spotlight", "phobos", "virustotal", "elbie", "raas", "talos", "appliance", "phobos variant", "ttps", "devos", "phobos sample", "lazagne", "mimikatz", "desktop", "stub", "crysis", "8base", "clop" ], "references": [ "https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Crysis", "display_name": "Crysis", "target": null }, { "id": "8Base", "display_name": "8Base", "target": null }, { "id": "Clop", "display_name": "Clop", "target": null }, { "id": "Phobos", "display_name": "Phobos", "target": null } ], "attack_ids": [ { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1531", "name": "Account Access Removal", "display_name": "T1531 - Account Access Removal" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 23, "email": 2 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "923 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6267f955185bad11df5a914f", "name": "Cyber crime", "description": "Create envirment for protect cyber attacks", "modified": "2022-05-28T12:02:44.627000", "created": "2022-04-26T13:53:25.175000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Iran, Islamic Republic of", "Turkey", "Russian Federation", "Cuba", "United Kingdom of Great Britain and Northern Ireland", "United Arab Emirates", "Ukraine" ], "malware_families": [ { "id": "ALF:JASYP:DDoS:Win32/Nitol", "display_name": "ALF:JASYP:DDoS:Win32/Nitol", "target": null }, { "id": "#DDoS:Linux/Liquad", "display_name": "#DDoS:Linux/Liquad", "target": "/malware/#DDoS:Linux/Liquad" }, { "id": "#LowFi:Adware:Win32/Addendum", "display_name": "#LowFi:Adware:Win32/Addendum", "target": null }, { "id": "#LowFi:Adware:Win32/Addendum", "display_name": "#LowFi:Adware:Win32/Addendum", "target": null }, { "id": "#LowFi:Adware:Win32/Kraddare", "display_name": "#LowFi:Adware:Win32/Kraddare", "target": null }, { "id": "ALF:Exploit:O97M/DDEDownloader", "display_name": "ALF:Exploit:O97M/DDEDownloader", "target": null }, { "id": "ALF:HeraklezEval:DDoS:Linux/Kaiten", "display_name": "ALF:HeraklezEval:DDoS:Linux/Kaiten", "target": null }, { "id": "AESDDoS", "display_name": "AESDDoS", "target": null }, { "id": "#LowFi:Adware:Win32/Addendum", "display_name": "#LowFi:Adware:Win32/Addendum", "target": null }, { "id": "#PDB:Adware:Win64/AddLyrics", "display_name": "#PDB:Adware:Win64/AddLyrics", "target": null }, { "id": "ALF:Exploit:O97M/DDEDownloader", "display_name": "ALF:Exploit:O97M/DDEDownloader", "target": null }, { "id": "#Lowfi:SIGATTR:AddMSRunKey", "display_name": "#Lowfi:SIGATTR:AddMSRunKey", "target": null }, { "id": "#PDB:Adware:Win64/AddLyrics", "display_name": "#PDB:Adware:Win64/AddLyrics", "target": null }, { "id": "ALF:AGGR:Java/AdwindOddClassName", "display_name": "ALF:AGGR:Java/AdwindOddClassName", "target": null }, { "id": "ALF:Adware:Win32/Kraddare", "display_name": "ALF:Adware:Win32/Kraddare", "target": null } ], "attack_ids": [ { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1009", "name": "Binary Padding", "display_name": "T1009 - Binary Padding" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" }, { "id": "T1098.001", "name": "Additional Cloud Credentials", "display_name": "T1098.001 - Additional Cloud Credentials" }, { "id": "T1137.006", "name": "Add-ins", "display_name": "T1137.006 - Add-ins" }, { "id": "T1098.003", "name": "Add Office 365 Global Administrator Role", "display_name": "T1098.003 - Add Office 365 Global Administrator Role" }, { "id": "T1098.001", "name": "Additional Cloud Credentials", "display_name": "T1098.001 - Additional Cloud Credentials" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Brjb2020", "id": "176196", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 79, "domain": 70, "FileHash-SHA256": 3 }, "indicator_count": 152, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "1464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "zohomail.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "zohomail.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780235642.9994693 }