{ "type": "Domain", "indicator": "zoommanager.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/zoommanager.com", "alexa": "http://www.alexa.com/siteinfo/zoommanager.com", "indicator": "zoommanager.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2233116603, "indicator": "zoommanager.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "67efa39a268c4f13cd51f0d5", "name": "Fake Zoom Installer Delivers BlackSuit Ransomware via RDP Exploitation and Multi-Stage Payloads", "description": "This campaign primarily targets users who download and install a trojanized Zoom installer from a malicious website impersonating the legitimate Zoom download page. The attack exploits user trust in the Zoom application to deliver malware, enabling threat actors to gain unauthorized remote access and deploy ransomware.", "modified": "2025-05-04T09:00:06.184000", "created": "2025-04-04T09:17:14.923000", "tags": [ "cobalt strike", "qdoor", "winrar", "sectoprat", "brute ratel", "wmic", "badger", "rar archive", "psexec", "zoom", "download", "steam", "hijackloader", "unknown", "cobalt", "win64", "impact", "april", "metasploit", "sliver", "ransomware", "explorer", "powershell", "rest", "malicious", "ratel", "write", "execution", "shell", "nids", "blacksuit" ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SectopRAT", "display_name": "SectopRAT", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "BlackSuit", "display_name": "BlackSuit", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "URL": 9, "domain": 3, "hostname": 3 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ebd3178ffaad1ed213c2e3", "name": "Fake Zoom Ends in BlackSuit Ransomware – The DFIR Report", "description": "A look back at some of the key moments in a cyber-attack that took place in May 2024 and led to BlackSuit ransomware being successfully executed across all Windows systems, including the entire Windows operating system.", "modified": "2025-05-01T11:03:54.851000", "created": "2025-04-01T11:50:47.731000", "tags": [ "cobalt strike", "qdoor", "winrar", "sectoprat", "brute ratel", "wmic", "badger", "rar archive", "psexec", "zoom", "download", "steam", "hijackloader", "unknown", "cobalt", "win64", "impact", "april", "metasploit", "sliver", "ransomware", "explorer", "powershell", "rest", "malicious", "ratel", "write", "execution", "shell", "nids", "blacksuit" ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SectopRAT", "display_name": "SectopRAT", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "BlackSuit", "display_name": "BlackSuit", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "URL": 9, "domain": 3, "hostname": 3 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67eb262df81eb135a2d0d383", "name": "Fake Zoom Installer to Gain RDP Access & Deploy Malware", "description": "", "modified": "2025-04-30T23:03:40.572000", "created": "2025-03-31T23:33:01.197000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f4036d091adaa2882cae21", "name": "Fake Zoom Download Sites Spreading BlackSuit Ransomware, Experts Warn - CySecurity News - Latest Information Security and Hacking Incidents", "description": "", "modified": "2025-04-07T16:55:09.098000", "created": "2025-04-07T16:55:09.098000", "tags": [ "fake zoom download sites spreading blacksuit ransomware", "experts warn", "cysecurity news - latest information security and hacking incide", "cysecurity news - latest information security and hacking incide", "cyber security", "security", "cyber", "april", "march", "november", "october", "september", "august", "july", "february", "june", "malware", "ransomware", "android", "police", "attack", "dark", "bypass", "sensitive", "bank", "cloud", "cobalt strike", "service", "lockbit", "bitcoin", "coronavirus", "crypto", "exploit", "facebook", "play", "hacked", "malicious", "phishing", "ragnar locker", "voice", "spear", "tech", "twitter", "bind", "friday", "agent smith", "agent tesla", "anon", "astro locker", "black", "black suit", "blackcat", "crisis", "code", "cult", "cyclops blink", "monitoring", "darkgate", "karakurt", "el dorado", "revolution", "enterprise", "factory", "furball", "future", "lurk", "hellcat", "hackteam", "indonesia", "jack", "korean", "model", "lazarus", "loans", "python", "mamba", "media", "meta", "monero miner", "mafia", "nuclear", "ontario", "zero", "crime", "panda stealer", "test", "play ransomware", "loader", "pronsis loader", "prynt stealer", "qakbot", "raspberry robin", "trojan", "execution", "ryuk ransomware", "school", "ukraine", "sparrowdoor", "survey", "fraud", "telegram", "guardian", "mask", "shadow", "shark", "thundercrypt", "trickbot", "window", "woody rat", "footer" ], "references": [ "https://www.cysecurity.news/2025/04/fake-zoom-download-sites-spreading.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 22, "domain": 1 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "418 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb2c82f6d5abd9d68f1e47", "name": "Blacksuite Ransomware", "description": "Blacksuite Ransomware; last update : 27/08/2024", "modified": "2024-09-26T10:02:17.150000", "created": "2024-08-13T09:50:58.558000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IndoOpenThreatXchange", "id": "286483", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 65, "FileHash-SHA256": 32, "URL": 11, "domain": 22, "hostname": 5, "FileHash-MD5": 5, "FileHash-SHA1": 5 }, "indicator_count": 145, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6654198962e43dc463f692c2", "name": "DOH IP & URL IOC", "description": "The following is the full text of the report on the findings of this year's World Cup in Brazil, which was held at the same time as the 2016 Olympics in Rio de Janeiro, Brazil.", "modified": "2024-09-25T04:01:33.267000", "created": "2024-05-27T05:26:33.698000", "tags": [ "iocs https" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fueledbycoffeeDXB", "id": "272228", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 270, "CIDR": 1, "domain": 116, "hostname": 33, "FileHash-MD5": 1 }, "indicator_count": 421, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6654138435c5832ca2c4028f", "name": "DOH Domains IOCs", "description": "The following is a full list of items that you might not have known existed::..com, or, if you were interested in them, are the most likely ones to come up with", "modified": "2024-08-26T04:12:43.497000", "created": "2024-05-27T05:00:52.918000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fueledbycoffeeDXB", "id": "272228", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "domain": 1335, "hostname": 667 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "643 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666ca83668b304ff8068b15c", "name": "IB-24-10067 New BlackSuit Ransomware Indicators of Compromise Observed in Information Technology Sector", "description": "", "modified": "2024-07-14T20:02:05.927000", "created": "2024-06-14T20:29:42.761000", "tags": [ "ck technnique", "behavior", "green", "discovery", "impact", "ipv4addr", "ip watchlist", "access token", "manipulation", "t1134", "comment", "execution" ], "references": [ "IB-24-10067.stix.xml", "IB-24-10067.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cct_octi", "id": "283983", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2, "hostname": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "685 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/", "IB-24-10067.stix.xml", "IB-24-10067.csv", "https://www.cysecurity.news/2025/04/fake-zoom-download-sites-spreading.html", "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/#indicators" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Nids", "Cobalt strike", "Blacksuit", "Sectoprat" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "67efa39a268c4f13cd51f0d5", "name": "Fake Zoom Installer Delivers BlackSuit Ransomware via RDP Exploitation and Multi-Stage Payloads", "description": "This campaign primarily targets users who download and install a trojanized Zoom installer from a malicious website impersonating the legitimate Zoom download page. The attack exploits user trust in the Zoom application to deliver malware, enabling threat actors to gain unauthorized remote access and deploy ransomware.", "modified": "2025-05-04T09:00:06.184000", "created": "2025-04-04T09:17:14.923000", "tags": [ "cobalt strike", "qdoor", "winrar", "sectoprat", "brute ratel", "wmic", "badger", "rar archive", "psexec", "zoom", "download", "steam", "hijackloader", "unknown", "cobalt", "win64", "impact", "april", "metasploit", "sliver", "ransomware", "explorer", "powershell", "rest", "malicious", "ratel", "write", "execution", "shell", "nids", "blacksuit" ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SectopRAT", "display_name": "SectopRAT", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "BlackSuit", "display_name": "BlackSuit", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "URL": 9, "domain": 3, "hostname": 3 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ebd3178ffaad1ed213c2e3", "name": "Fake Zoom Ends in BlackSuit Ransomware – The DFIR Report", "description": "A look back at some of the key moments in a cyber-attack that took place in May 2024 and led to BlackSuit ransomware being successfully executed across all Windows systems, including the entire Windows operating system.", "modified": "2025-05-01T11:03:54.851000", "created": "2025-04-01T11:50:47.731000", "tags": [ "cobalt strike", "qdoor", "winrar", "sectoprat", "brute ratel", "wmic", "badger", "rar archive", "psexec", "zoom", "download", "steam", "hijackloader", "unknown", "cobalt", "win64", "impact", "april", "metasploit", "sliver", "ransomware", "explorer", "powershell", "rest", "malicious", "ratel", "write", "execution", "shell", "nids", "blacksuit" ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SectopRAT", "display_name": "SectopRAT", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "BlackSuit", "display_name": "BlackSuit", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "URL": 9, "domain": 3, "hostname": 3 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67eb262df81eb135a2d0d383", "name": "Fake Zoom Installer to Gain RDP Access & Deploy Malware", "description": "", "modified": "2025-04-30T23:03:40.572000", "created": "2025-03-31T23:33:01.197000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f4036d091adaa2882cae21", "name": "Fake Zoom Download Sites Spreading BlackSuit Ransomware, Experts Warn - CySecurity News - Latest Information Security and Hacking Incidents", "description": "", "modified": "2025-04-07T16:55:09.098000", "created": "2025-04-07T16:55:09.098000", "tags": [ "fake zoom download sites spreading blacksuit ransomware", "experts warn", "cysecurity news - latest information security and hacking incide", "cysecurity news - latest information security and hacking incide", "cyber security", "security", "cyber", "april", "march", "november", "october", "september", "august", "july", "february", "june", "malware", "ransomware", "android", "police", "attack", "dark", "bypass", "sensitive", "bank", "cloud", "cobalt strike", "service", "lockbit", "bitcoin", "coronavirus", "crypto", "exploit", "facebook", "play", "hacked", "malicious", "phishing", "ragnar locker", "voice", "spear", "tech", "twitter", "bind", "friday", "agent smith", "agent tesla", "anon", "astro locker", "black", "black suit", "blackcat", "crisis", "code", "cult", "cyclops blink", "monitoring", "darkgate", "karakurt", "el dorado", "revolution", "enterprise", "factory", "furball", "future", "lurk", "hellcat", "hackteam", "indonesia", "jack", "korean", "model", "lazarus", "loans", "python", "mamba", "media", "meta", "monero miner", "mafia", "nuclear", "ontario", "zero", "crime", "panda stealer", "test", "play ransomware", "loader", "pronsis loader", "prynt stealer", "qakbot", "raspberry robin", "trojan", "execution", "ryuk ransomware", "school", "ukraine", "sparrowdoor", "survey", "fraud", "telegram", "guardian", "mask", "shadow", "shark", "thundercrypt", "trickbot", "window", "woody rat", "footer" ], "references": [ "https://www.cysecurity.news/2025/04/fake-zoom-download-sites-spreading.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 22, "domain": 1 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "418 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb2c82f6d5abd9d68f1e47", "name": "Blacksuite Ransomware", "description": "Blacksuite Ransomware; last update : 27/08/2024", "modified": "2024-09-26T10:02:17.150000", "created": "2024-08-13T09:50:58.558000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IndoOpenThreatXchange", "id": "286483", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 65, "FileHash-SHA256": 32, "URL": 11, "domain": 22, "hostname": 5, "FileHash-MD5": 5, "FileHash-SHA1": 5 }, "indicator_count": 145, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6654198962e43dc463f692c2", "name": "DOH IP & URL IOC", "description": "The following is the full text of the report on the findings of this year's World Cup in Brazil, which was held at the same time as the 2016 Olympics in Rio de Janeiro, Brazil.", "modified": "2024-09-25T04:01:33.267000", "created": "2024-05-27T05:26:33.698000", "tags": [ "iocs https" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fueledbycoffeeDXB", "id": "272228", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 270, "CIDR": 1, "domain": 116, "hostname": 33, "FileHash-MD5": 1 }, "indicator_count": 421, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6654138435c5832ca2c4028f", "name": "DOH Domains IOCs", "description": "The following is a full list of items that you might not have known existed::..com, or, if you were interested in them, are the most likely ones to come up with", "modified": "2024-08-26T04:12:43.497000", "created": "2024-05-27T05:00:52.918000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fueledbycoffeeDXB", "id": "272228", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "domain": 1335, "hostname": 667 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "643 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666ca83668b304ff8068b15c", "name": "IB-24-10067 New BlackSuit Ransomware Indicators of Compromise Observed in Information Technology Sector", "description": "", "modified": "2024-07-14T20:02:05.927000", "created": "2024-06-14T20:29:42.761000", "tags": [ "ck technnique", "behavior", "green", "discovery", "impact", "ipv4addr", "ip watchlist", "access token", "manipulation", "t1134", "comment", "execution" ], "references": [ "IB-24-10067.stix.xml", "IB-24-10067.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cct_octi", "id": "283983", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2, "hostname": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "685 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "zoommanager.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "zoommanager.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780225547.0742104 }