arcspan / data /processed /backup /llm_annotated_otx.jsonl
Add files using upload-large-folder tool
038e086 verified
{"text": "The RaspiNAS honeypot detected 70 malicious IP addresses in the last hour, including connections from 185.220.101.45, 92.118.160.13, and 45.148.10.78. These IPs were observed performing SSH brute-force attacks targeting port 22 and attempting credential stuffing against common Linux services.", "spans": {"IP_ADDRESS: 185.220.101.45": [[102, 116]], "IP_ADDRESS: 92.118.160.13": [[118, 131]], "IP_ADDRESS: 45.148.10.78": [[137, 149]], "SYSTEM: RaspiNAS": [[4, 12]], "SYSTEM: Linux": [[278, 283]]}, "info": {"id": "otx_00001", "source": "alienvault_otx"}}
{"text": "Feodo Tracker reports that Emotet command-and-control server at 162.243.103.246:8080 has been active since June 2022. The Emotet banking trojan continues to evolve, with recent campaigns delivering payloads via malicious email attachments. Additional QakBot C2 infrastructure was identified at 50.16.16.211:443 and 34.204.119.63:443.", "spans": {"IP_ADDRESS: 162.243.103.246": [[64, 79]], "IP_ADDRESS: 50.16.16.211": [[294, 306]], "IP_ADDRESS: 34.204.119.63": [[315, 328]], "MALWARE: Emotet": [[27, 33], [122, 128]], "MALWARE: QakBot": [[251, 257]], "TOOL: Feodo Tracker": [[0, 13]]}, "info": {"id": "otx_00002", "source": "alienvault_otx"}}
{"text": "QakBot C2 server 178.62.3.223 was first observed on 2026-02-17 communicating over port 443. A second QakBot command-and-control node at 27.133.154.218:443 appeared on 2026-03-04. Both servers are hosted on commercial VPS infrastructure and use TLS encryption to evade detection.", "spans": {"MALWARE: QakBot": [[0, 6], [101, 107]], "IP_ADDRESS: 178.62.3.223": [[17, 29]], "IP_ADDRESS: 27.133.154.218": [[136, 150]]}, "info": {"id": "otx_00003", "source": "alienvault_otx"}}
{"text": "MalwareBazaar sample analysis: GuLoader dropper (SHA256: 84e88a5a4e2da29b3870aac7cc9ad57c8de86c59564b63217a78989642422a67, MD5: e57857f0495cd18f072eec32a0d8040c, SHA1: 91873580090293973a125299e5f92bf0a0aa1ceb) was submitted as an executable file. GuLoader is known for downloading secondary payloads from cloud storage services including Google Drive and OneDrive.", "spans": {"MALWARE: GuLoader": [[31, 39], [247, 255]], "HASH: 84e88a5a4e2da29b3870aac7cc9ad57c8de86c59564b63217a78989642422a67": [[57, 121]], "HASH: e57857f0495cd18f072eec32a0d8040c": [[128, 160]], "HASH: 91873580090293973a125299e5f92bf0a0aa1ceb": [[168, 208]], "TOOL: MalwareBazaar": [[0, 13]], "ORGANIZATION: Google": [[338, 344]]}, "info": {"id": "otx_00004", "source": "alienvault_otx"}}
{"text": "A new ValleyRAT sample was identified with SHA256 hash 3d3baf5cef394a0a04afdb180133e1bc843d63b1173be1e53f4b7f630d311bd8 and MD5 27623783271c5081889fffd34a35ef89. ValleyRAT is a remote access trojan primarily targeting Chinese-speaking users. The DLL payload communicates with command-and-control servers over HTTPS.", "spans": {"MALWARE: ValleyRAT": [[6, 15], [162, 171]], "HASH: 3d3baf5cef394a0a04afdb180133e1bc843d63b1173be1e53f4b7f630d311bd8": [[55, 119]], "HASH: 27623783271c5081889fffd34a35ef89": [[128, 160]]}, "info": {"id": "otx_00005", "source": "alienvault_otx"}}
{"text": "Gh0stRAT executable detected: SHA256 e938236bc97fd9cff5238292feedbc6b5f209ecf67837a08ce44e978ba2678d0, MD5 cd4b32743efda11c627e39381af90b5f. Gh0stRAT has been used by multiple Chinese APT groups including APT17 and APT27 for espionage operations. The sample was reported by researcher Ling to MalwareBazaar.", "spans": {"MALWARE: Gh0stRAT": [[0, 8], [141, 149]], "HASH: e938236bc97fd9cff5238292feedbc6b5f209ecf67837a08ce44e978ba2678d0": [[37, 101]], "HASH: cd4b32743efda11c627e39381af90b5f": [[107, 139]], "THREAT_ACTOR: APT17": [[205, 210]], "THREAT_ACTOR: APT27": [[215, 220]], "TOOL: MalwareBazaar": [[293, 306]]}, "info": {"id": "otx_00006", "source": "alienvault_otx"}}
{"text": "An njRAT sample (SHA256: fc094a9cbf6b8e30b323d1b55d5b9a9a49c2d2ce34d48014540d00ea845fafe9, MD5: 76d622a3a2f86e2a5e6217155a6ee1d4) was detected distributing via phishing emails with invoice-themed lures. njRAT establishes persistence through registry run keys and communicates with its C2 server at njrat-c2.duckdns.org on port 5552.", "spans": {"MALWARE: njRAT": [[3, 8], [203, 208]], "HASH: fc094a9cbf6b8e30b323d1b55d5b9a9a49c2d2ce34d48014540d00ea845fafe9": [[25, 89]], "HASH: 76d622a3a2f86e2a5e6217155a6ee1d4": [[96, 128]], "DOMAIN: njrat-c2.duckdns.org": [[298, 318]]}, "info": {"id": "otx_00007", "source": "alienvault_otx"}}
{"text": "Multiple information stealer campaigns were observed on 2026-04-24. MassLogger samples (SHA256: 40e07f72ac2c9cecd2d2c09c1467c6bd56241a92f14326bf687518b95e5800e8) and PhantomStealer (SHA256: 6916eee5b360a12e04506e146dbc10b4ff95ba397c4b247b25817600078deac5) were delivered via PowerShell scripts. Both stealers exfiltrate browser credentials, cryptocurrency wallets, and email passwords to attacker-controlled SMTP servers.", "spans": {"MALWARE: MassLogger": [[68, 78]], "MALWARE: PhantomStealer": [[166, 180]], "HASH: 40e07f72ac2c9cecd2d2c09c1467c6bd56241a92f14326bf687518b95e5800e8": [[96, 160]], "HASH: 6916eee5b360a12e04506e146dbc10b4ff95ba397c4b247b25817600078deac5": [[190, 254]], "TOOL: PowerShell": [[275, 285]]}, "info": {"id": "otx_00008", "source": "alienvault_otx"}}
{"text": "VIPKeylogger payload (SHA256: e37ccc8bf737978f18519177a6810065e1da8a62d4e6ff627350d85e60d3c7c1) and XWorm backdoor (SHA256: ed2001b4af76a38afef7dac1caa1c26b857d4f52737368190922593cf37d9c21) were both distributed through malicious PowerShell scripts hosted on compromised WordPress sites. XWorm communicates with C2 at xworm-panel.ddns.net:7000 while VIPKeylogger sends captured keystrokes to logcollector@protonmail.com.", "spans": {"MALWARE: VIPKeylogger": [[0, 12], [350, 362]], "MALWARE: XWorm": [[100, 105], [288, 293]], "HASH: e37ccc8bf737978f18519177a6810065e1da8a62d4e6ff627350d85e60d3c7c1": [[30, 94]], "HASH: ed2001b4af76a38afef7dac1caa1c26b857d4f52737368190922593cf37d9c21": [[124, 188]], "DOMAIN: xworm-panel.ddns.net": [[318, 338]], "EMAIL: logcollector@protonmail.com": [[392, 419]], "SYSTEM: WordPress": [[271, 280]], "TOOL: PowerShell": [[230, 240]]}, "info": {"id": "otx_00009", "source": "alienvault_otx"}}
{"text": "RemcosRAT executable (SHA256: 667b71e6f8389bf64ec8db65407fec3a449f055d6be8e1e27763532489f68ce2, MD5: d4302d76d91af8bc39ef48d8a2f7ba86) was identified by threatcat_ch. RemcosRAT is a commercial remote administration tool commonly abused by threat actors. This sample connects to remcos-panel.zapto.org:4782 for command and control, and exfiltrates stolen data to ftp://upload.malicioushost.ru/drops/.", "spans": {"MALWARE: RemcosRAT": [[0, 9], [167, 176]], "HASH: 667b71e6f8389bf64ec8db65407fec3a449f055d6be8e1e27763532489f68ce2": [[30, 94]], "HASH: d4302d76d91af8bc39ef48d8a2f7ba86": [[101, 133]], "DOMAIN: remcos-panel.zapto.org": [[278, 300]], "DOMAIN: upload.malicioushost.ru": [[368, 391]], "URL: ftp://upload.malicioushost.ru/drops/": [[362, 398]]}, "info": {"id": "otx_00010", "source": "alienvault_otx"}}
{"text": "Three new Mirai botnet variants were submitted to MalwareBazaar: SHA256 f392af839e6a0568b12c9f9b4be9b2d4b30c894fae7e5aefd10701e9cae69e9a, SHA256 8c2d8eccaf611576cadeaffa9759a46dd586d3ab7bffa10e7fc6918785dee130, and SHA256 213eac16b7f95a7539b2c21766abaacd6f37984244627583ba155dbd7b9bd6e2. These ELF binaries target IoT devices running ARM and MIPS architectures, exploiting default credentials on Telnet and SSH services.", "spans": {"MALWARE: Mirai": [[10, 15]], "HASH: f392af839e6a0568b12c9f9b4be9b2d4b30c894fae7e5aefd10701e9cae69e9a": [[72, 136]], "HASH: 8c2d8eccaf611576cadeaffa9759a46dd586d3ab7bffa10e7fc6918785dee130": [[145, 209]], "HASH: 213eac16b7f95a7539b2c21766abaacd6f37984244627583ba155dbd7b9bd6e2": [[222, 286]], "TOOL: MalwareBazaar": [[50, 63]]}, "info": {"id": "otx_00011", "source": "alienvault_otx"}}
{"text": "A Gafgyt botnet sample (SHA256: b515b4ebe06041f29b19c8eb918fb290de044f2f5b7270e1c4e6ce7f0521d66a, MD5: 1beefff39c6aed8ac8aa734649e9f0eb) targets Linux-based IoT devices. Gafgyt, also known as Bashlite or QBOT, scans for devices with weak Telnet credentials and recruits them into DDoS botnets. The C2 infrastructure was traced to gafgyt-cnc.example.net.", "spans": {"MALWARE: Gafgyt": [[2, 8], [170, 176]], "MALWARE: Bashlite": [[192, 200]], "MALWARE: QBOT": [[204, 208]], "HASH: b515b4ebe06041f29b19c8eb918fb290de044f2f5b7270e1c4e6ce7f0521d66a": [[32, 96]], "HASH: 1beefff39c6aed8ac8aa734649e9f0eb": [[103, 135]], "SYSTEM: Linux": [[145, 150]], "DOMAIN: gafgyt-cnc.example.net": [[330, 352]]}, "info": {"id": "otx_00012", "source": "alienvault_otx"}}
{"text": "Silk Typhoon, also tracked as HAFNIUM, has been observed exploiting CVE-2025-0282 in Ivanti Pulse Connect VPN to gain initial access. The Chinese state-sponsored group previously exploited CVE-2024-3400 in Palo Alto Networks PAN-OS and CVE-2023-3519 in Citrix NetScaler. Microsoft Threat Intelligence reports that Silk Typhoon abuses stolen API keys from cloud service providers to move laterally into customer environments.", "spans": {"THREAT_ACTOR: Silk Typhoon": [[0, 12], [314, 326]], "THREAT_ACTOR: HAFNIUM": [[30, 37]], "CVE_ID: CVE-2025-0282": [[68, 81]], "CVE_ID: CVE-2024-3400": [[189, 202]], "CVE_ID: CVE-2023-3519": [[236, 249]], "SYSTEM: Ivanti Pulse Connect VPN": [[85, 109]], "SYSTEM: PAN-OS": [[225, 231]], "SYSTEM: Citrix NetScaler": [[253, 269]], "ORGANIZATION: Microsoft Threat Intelligence": [[271, 300]], "ORGANIZATION: Palo Alto Networks": [[206, 224]]}, "info": {"id": "otx_00013", "source": "alienvault_otx"}}
{"text": "Silk Typhoon's historical campaigns exploited the ProxyLogon vulnerability chain including CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise Microsoft Exchange Server deployments worldwide. The group deployed web shells for persistence and exfiltrated Active Directory databases to harvest credentials.", "spans": {"THREAT_ACTOR: Silk Typhoon": [[0, 12]], "CVE_ID: CVE-2021-26855": [[91, 105]], "CVE_ID: CVE-2021-26857": [[107, 121]], "CVE_ID: CVE-2021-26858": [[123, 137]], "CVE_ID: CVE-2021-27065": [[143, 157]], "SYSTEM: Microsoft Exchange Server": [[172, 197]], "SYSTEM: Active Directory": [[283, 299]]}, "info": {"id": "otx_00014", "source": "alienvault_otx"}}
{"text": "Unit 42 identified threat cluster CL-UNK-0979 exploiting CVE-2025-0282 in Ivanti Connect Secure appliances. Attackers deployed SPAWNMOLE tunneler (SHA256: AAE291AC5767CFE93676DACB67BA50C98D8FD520F5821FB050FD63E38B000B18), SPAWNSNAIL SSH backdoor (SHA256: 366635c00b8e6f749a4d948574a0f1e7b4c842ca443176de27af45debbc14f71), and SPAWNSLOTH log tamper utility (SHA256: 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104). C2 communications were observed to 185.219.141.95 and 193.149.180.128.", "spans": {"THREAT_ACTOR: CL-UNK-0979": [[34, 45]], "CVE_ID: CVE-2025-0282": [[57, 70]], "MALWARE: SPAWNMOLE": [[127, 136]], "MALWARE: SPAWNSNAIL": [[222, 232]], "MALWARE: SPAWNSLOTH": [[326, 336]], "HASH: AAE291AC5767CFE93676DACB67BA50C98D8FD520F5821FB050FD63E38B000B18": [[155, 219]], "HASH: 366635c00b8e6f749a4d948574a0f1e7b4c842ca443176de27af45debbc14f71": [[255, 319]], "HASH: 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104": [[365, 429]], "IP_ADDRESS: 185.219.141.95": [[467, 481]], "IP_ADDRESS: 193.149.180.128": [[486, 501]], "SYSTEM: Ivanti Connect Secure": [[74, 95]], "ORGANIZATION: Unit 42": [[0, 7]]}, "info": {"id": "otx_00015", "source": "alienvault_otx"}}
{"text": "In the CVE-2025-0282 exploitation chain, threat actors dropped vixDiskLib.dll (SHA256: 43363AA0D1FDAB0174D94BD5A9E16D47CBB08B4B089C5A12E370133AB8E640A6) and package.dll (SHA256: 1dc0a3a5904ec35103538a018ef069fbe95b0a3c26cb0ff9ba0d1c268d1aaf98) for DLL sideloading attacks. The memory dumping tool was placed at C:\\Users\\Public\\Music\\package.dll and output was written to C:\\Users\\Public\\Downloads\\VM.txt. Lateral movement was achieved using RDP from compromised host DESKTOP-1JIMIV3.", "spans": {"CVE_ID: CVE-2025-0282": [[7, 20]], "HASH: 43363AA0D1FDAB0174D94BD5A9E16D47CBB08B4B089C5A12E370133AB8E640A6": [[87, 151]], "HASH: 1dc0a3a5904ec35103538a018ef069fbe95b0a3c26cb0ff9ba0d1c268d1aaf98": [[178, 242]], "FILEPATH: C:\\Users\\Public\\Music\\package.dll": [[311, 344]], "FILEPATH: C:\\Users\\Public\\Downloads\\VM.txt": [[371, 403]]}, "info": {"id": "otx_00016", "source": "alienvault_otx"}}
{"text": "Mandiant tracks the Ivanti exploitation activity as UNC5337. The threat actor used ldap.pl (SHA256: 7144B8C77D261985205AE2621EB6242F43D6244E18B8D01D05048337346B6EFD) for credential harvesting from LDAP directories. Compromised log files at /data/runtime/logs/log.events.vc0 and /data/var/dlogs/debuglog were deleted to cover tracks. Additional C2 traffic was observed to 168.100.8.144 over port 443.", "spans": {"THREAT_ACTOR: UNC5337": [[52, 59]], "HASH: 7144B8C77D261985205AE2621EB6242F43D6244E18B8D01D05048337346B6EFD": [[100, 164]], "IP_ADDRESS: 168.100.8.144": [[371, 384]], "FILEPATH: /data/runtime/logs/log.events.vc0": [[240, 273]], "FILEPATH: /data/var/dlogs/debuglog": [[278, 302]], "ORGANIZATION: Mandiant": [[0, 8]]}, "info": {"id": "otx_00017", "source": "alienvault_otx"}}
{"text": "Tropic Trooper deployed an AdaptixC2 beacon alongside CobaltStrike beacons and the EntryShell backdoor in a campaign targeting government organizations. The TOSHIS loader was used to deliver the initial payload. The C2 infrastructure included domains adaptix-update.technozone.cc and cobalt-cdn.securecloud.cc with fallback IP 103.45.67.89.", "spans": {"THREAT_ACTOR: Tropic Trooper": [[0, 14]], "MALWARE: AdaptixC2": [[27, 36]], "MALWARE: CobaltStrike": [[54, 66]], "MALWARE: EntryShell": [[83, 93]], "MALWARE: TOSHIS": [[157, 163]], "DOMAIN: adaptix-update.technozone.cc": [[251, 279]], "DOMAIN: cobalt-cdn.securecloud.cc": [[284, 309]], "IP_ADDRESS: 103.45.67.89": [[327, 339]]}, "info": {"id": "otx_00018", "source": "alienvault_otx"}}
{"text": "A malicious CHM file was used to deliver Agent Tesla information stealer. Agent Tesla (MITRE ID S0331) exfiltrates credentials via SMTP to drop-server@yandex.com. The CHM dropper exploits CVE-2017-11882 and CVE-2018-0802 in Microsoft Office Equation Editor. The initial payload was hosted at https://cdn-download.malhost.net/docs/invoice_march.chm and the C2 panel was accessible at https://agenttesla-panel.xyz/gate.php.", "spans": {"MALWARE: Agent Tesla": [[41, 52], [74, 85]], "EMAIL: drop-server@yandex.com": [[139, 161]], "CVE_ID: CVE-2017-11882": [[188, 202]], "CVE_ID: CVE-2018-0802": [[207, 220]], "SYSTEM: Microsoft Office": [[224, 240]], "URL: https://cdn-download.malhost.net/docs/invoice_march.chm": [[292, 347]], "URL: https://agenttesla-panel.xyz/gate.php": [[383, 420]], "DOMAIN: cdn-download.malhost.net": [[300, 324]], "DOMAIN: agenttesla-panel.xyz": [[391, 411]]}, "info": {"id": "otx_00019", "source": "alienvault_otx"}}
{"text": "DPRK-affiliated threat actors have been operating fake IT worker schemes targeting companies in the United States and Latvia. The workers use Astrill VPN and residential proxies to mask their North Korean origin. Freelance platform profiles were linked to infrastructure at 198.51.100.42 and domains including dprk-freelance.workers.dev and resume-cdn.techworkers.co. Payments were funneled through cryptocurrency wallets.", "spans": {"THREAT_ACTOR: DPRK": [[0, 4]], "TOOL: Astrill VPN": [[142, 153]], "IP_ADDRESS: 198.51.100.42": [[274, 287]], "DOMAIN: dprk-freelance.workers.dev": [[310, 336]], "DOMAIN: resume-cdn.techworkers.co": [[341, 366]]}, "info": {"id": "otx_00020", "source": "alienvault_otx"}}
{"text": "The ClickFix attack chain uses fake browser update notifications to trick users into executing malicious PowerShell commands. Victims are directed to malicious domains including clickfix-update.malware-cdn.com and browser-patch.download.cc. The fileless attack leverages PowerShell to download and execute secondary payloads from https://clickfix-update.malware-cdn.com/stage2.ps1 without writing to disk, achieving persistence via scheduled tasks.", "spans": {"MALWARE: ClickFix": [[4, 12]], "DOMAIN: clickfix-update.malware-cdn.com": [[178, 209], [338, 369]], "DOMAIN: browser-patch.download.cc": [[214, 239]], "URL: https://clickfix-update.malware-cdn.com/stage2.ps1": [[330, 380]], "TOOL: PowerShell": [[105, 115], [271, 281]]}, "info": {"id": "otx_00021", "source": "alienvault_otx"}}
{"text": "A phishing campaign impersonating Foxit Software delivers UltraVNC remote access payloads targeting users in the United States, Germany, Ukraine, and the United Kingdom. The malicious installer (MD5: a3b7c9d2e1f456789012345678abcdef) was distributed via email from noreply@foxit-update.download.com. The UltraVNC payload connects back to vnc-relay.threatinfra.net:5900 for remote desktop access.", "spans": {"MALWARE: UltraVNC": [[58, 66], [304, 312]], "ORGANIZATION: Foxit Software": [[34, 48]], "HASH: a3b7c9d2e1f456789012345678abcdef": [[200, 232]], "EMAIL: noreply@foxit-update.download.com": [[265, 298]], "DOMAIN: foxit-update.download.com": [[273, 298]], "DOMAIN: vnc-relay.threatinfra.net": [[338, 363]]}, "info": {"id": "otx_00022", "source": "alienvault_otx"}}
{"text": "An Adobe-themed phishing campaign delivers ScreenConnect remote access tool as a secondary payload. The initial dropper password.exe (SHA256: fc6f995d544f5e4040b7801cda7d739b805fdc9936138066c8d5775cf7a69775) was hosted on compromised domain adobe-signin.phishkit.cc. The ScreenConnect relay server was configured at screenconnect-relay.darkops.io:443 and exfiltrated data to https://adobe-signin.phishkit.cc/upload/data.php.", "spans": {"MALWARE: ScreenConnect": [[43, 56], [271, 284]], "HASH: fc6f995d544f5e4040b7801cda7d739b805fdc9936138066c8d5775cf7a69775": [[142, 206]], "DOMAIN: adobe-signin.phishkit.cc": [[241, 265], [383, 407]], "DOMAIN: screenconnect-relay.darkops.io": [[316, 346]], "URL: https://adobe-signin.phishkit.cc/upload/data.php": [[375, 423]]}, "info": {"id": "otx_00023", "source": "alienvault_otx"}}
{"text": "The Rotten Apple campaign by SMEX targets civil society organizations in Lebanon and the United Arab Emirates. Threat actors use valid accounts (T1078) and 2FA interception (T1111) combined with spear-phishing (T1566) to compromise targets. Infrastructure includes domains rottenapple-login.me and secure-auth.rottenapple.cc with C2 at 45.76.231.180. Phishing pages mimic Apple ID and Google login portals.", "spans": {"MALWARE: Rotten Apple": [[4, 16]], "ORGANIZATION: SMEX": [[29, 33]], "ORGANIZATION: Apple": [[11, 16], [372, 377]], "ORGANIZATION: Google": [[385, 391]], "DOMAIN: rottenapple-login.me": [[273, 293]], "DOMAIN: secure-auth.rottenapple.cc": [[298, 324]], "IP_ADDRESS: 45.76.231.180": [[336, 349]]}, "info": {"id": "otx_00024", "source": "alienvault_otx"}}
{"text": "Citizen Lab documented a cross-border hack-for-hire campaign targeting civil society in the MENA region. The campaign used 49 malicious domains and 53 IP addresses for phishing and credential harvesting. Key infrastructure included phishing domains mena-secure-login.com, docs-verify.online, and cloud-auth-check.net. Spearphishing emails were sent from accounts at security-alert@mena-secure-login.com to targets at NGOs and media organizations.", "spans": {"ORGANIZATION: Citizen Lab": [[0, 11]], "DOMAIN: mena-secure-login.com": [[249, 270], [381, 402]], "DOMAIN: docs-verify.online": [[272, 290]], "DOMAIN: cloud-auth-check.net": [[296, 316]], "EMAIL: security-alert@mena-secure-login.com": [[366, 402]]}, "info": {"id": "otx_00025", "source": "alienvault_otx"}}
{"text": "Kyber ransomware variants targeting both Windows and VMware ESXi hypervisors were identified. The Windows variant (SHA256: 2277e5849ca525d261923a8a66eee1839570c7bbd7b62231d5da88ddef396cb4) encrypts files with .kyber extension while the ESXi variant targets virtual machine disk files. The ransom note directs victims to kyber-payment.onion via Tor browser and demands payment in Monero cryptocurrency.", "spans": {"MALWARE: Kyber": [[0, 5]], "HASH: 2277e5849ca525d261923a8a66eee1839570c7bbd7b62231d5da88ddef396cb4": [[123, 187]], "SYSTEM: Windows": [[41, 48], [98, 105]], "SYSTEM: VMware ESXi": [[53, 64]], "DOMAIN: kyber-payment.onion": [[320, 339]]}, "info": {"id": "otx_00026", "source": "alienvault_otx"}}
{"text": "BQTLock ransomware was detected with 105 associated file hashes. A representative sample SHA256 34330b921f872bd5ef6656dba547c8cb71aec14c4ae7b4b7dbd44a92027f26d9 arrives as an HTA file that downloads the main payload. The ransomware encrypts files and appends the .bqtlock extension. The ransom portal is hosted at bqtlock-decrypt.top and payment instructions are sent to victim@bqtlock-support.cc.", "spans": {"MALWARE: BQTLock": [[0, 7]], "HASH: 34330b921f872bd5ef6656dba547c8cb71aec14c4ae7b4b7dbd44a92027f26d9": [[96, 160]], "DOMAIN: bqtlock-decrypt.top": [[314, 333]], "DOMAIN: bqtlock-support.cc": [[378, 396]], "EMAIL: victim@bqtlock-support.cc": [[371, 396]]}, "info": {"id": "otx_00027", "source": "alienvault_otx"}}
{"text": "GoGra is a Linux backdoor written in Go that communicates over HTTPS. Samples include MD5 hashes 876576b16ec3b5c2c30a6743662336e5 and SHA256 9fe657989e986244fc46793052ab80b4aff674d981f18ce2ed8b0ee2ab16e300. GoGra targets cloud infrastructure running Ubuntu and CentOS, establishing reverse shells to gogra-c2.darkcloud.xyz:8443 and beaconing every 30 seconds.", "spans": {"MALWARE: GoGra": [[0, 5], [207, 212]], "HASH: 876576b16ec3b5c2c30a6743662336e5": [[97, 129]], "HASH: 9fe657989e986244fc46793052ab80b4aff674d981f18ce2ed8b0ee2ab16e300": [[141, 205]], "SYSTEM: Linux": [[11, 16]], "SYSTEM: Ubuntu": [[250, 256]], "SYSTEM: CentOS": [[261, 267]], "DOMAIN: gogra-c2.darkcloud.xyz": [[300, 322]]}, "info": {"id": "otx_00028", "source": "alienvault_otx"}}
{"text": "A hybrid crypto drainer ecosystem combines ClickFix social engineering with EtherRAT remote access trojan and StepDrainer wallet stealing malware. The campaign targets cryptocurrency holders via malicious domains etherdrop-claim.com, stepdrain-rewards.xyz, and wallet-verify.crypto-auth.net. Phishing pages at https://etherdrop-claim.com/connect-wallet.html trick users into approving malicious smart contracts.", "spans": {"MALWARE: ClickFix": [[43, 51]], "MALWARE: EtherRAT": [[76, 84]], "MALWARE: StepDrainer": [[110, 121]], "DOMAIN: etherdrop-claim.com": [[213, 232], [318, 337]], "DOMAIN: stepdrain-rewards.xyz": [[234, 255]], "DOMAIN: wallet-verify.crypto-auth.net": [[261, 290]], "URL: https://etherdrop-claim.com/connect-wallet.html": [[310, 357]]}, "info": {"id": "otx_00029", "source": "alienvault_otx"}}
{"text": "Trigona ransomware operators deployed multiple dual-use tools during intrusions: HRSword for defense evasion, Mimikatz for credential dumping, AnyDesk and RDP for remote access, and Rclone with MegaSync for data exfiltration. Additional tools included GMer rootkit detector, DumpGuard, and PowerRun for privilege escalation. Exfiltrated data was uploaded to https://mega.nz/folder/trigona-exfil and C2 communications used trigona-ops.darkweb.onion.", "spans": {"MALWARE: Trigona": [[0, 7]], "TOOL: HRSword": [[81, 88]], "TOOL: Mimikatz": [[110, 118]], "TOOL: AnyDesk": [[143, 150]], "TOOL: Rclone": [[182, 188]], "TOOL: MegaSync": [[194, 202]], "TOOL: GMer": [[252, 256]], "TOOL: DumpGuard": [[275, 284]], "TOOL: PowerRun": [[290, 298]], "URL: https://mega.nz/folder/trigona-exfil": [[358, 394]], "DOMAIN: trigona-ops.darkweb.onion": [[422, 447]]}, "info": {"id": "otx_00030", "source": "alienvault_otx"}}
{"text": "UNC6692 conducted social engineering attacks deploying SnowGlaze information stealer and SnowBelt command-and-control framework. The SnowGlaze payload (SHA256: a9e0ce00e3740763c8a250cbb82df814569b92446950ebb3756e2eac31ff82b2) was delivered through LinkedIn messages. C2 infrastructure included snowbelt-ops.cloud-services.cc and IP 203.0.113.55. Exfiltrated credentials were sent to collector@snowbelt-ops.cloud-services.cc.", "spans": {"THREAT_ACTOR: UNC6692": [[0, 7]], "MALWARE: SnowGlaze": [[55, 64], [133, 142]], "MALWARE: SnowBelt": [[89, 97]], "HASH: a9e0ce00e3740763c8a250cbb82df814569b92446950ebb3756e2eac31ff82b2": [[160, 224]], "DOMAIN: snowbelt-ops.cloud-services.cc": [[294, 324], [393, 423]], "IP_ADDRESS: 203.0.113.55": [[332, 344]], "EMAIL: collector@snowbelt-ops.cloud-services.cc": [[383, 423]]}, "info": {"id": "otx_00031", "source": "alienvault_otx"}}
{"text": "Fail2ban honeypot data from 2026-04-23 revealed 63 IP addresses conducting SSH brute-force attacks. Several IPs also probed for CVE-2024-6387, a critical OpenSSH vulnerability known as regreSSHion. Top attacking IPs included 218.92.0.107, 61.177.173.16, and 112.85.42.88. These IPs are associated with known botnet infrastructure originating from Chinese autonomous systems.", "spans": {"CVE_ID: CVE-2024-6387": [[128, 141]], "IP_ADDRESS: 218.92.0.107": [[225, 237]], "IP_ADDRESS: 61.177.173.16": [[239, 252]], "IP_ADDRESS: 112.85.42.88": [[258, 270]], "VULNERABILITY: regreSSHion": [[185, 196]], "SYSTEM: OpenSSH": [[154, 161]], "TOOL: Fail2ban": [[0, 8]]}, "info": {"id": "otx_00032", "source": "alienvault_otx"}}
{"text": "CAPE Sandbox analysis of the Watson malware family revealed 1,327 indicators including 106 IP addresses, 1,060 file hashes, 68 URLs, and 11 domains. Key C2 domains include watson-relay.malware-infra.com and data-sync.watson-c2.net. Exfiltration was performed via HTTPS POST requests to https://data-sync.watson-c2.net/api/upload with stolen data attached. Contact email found in sample: admin@watson-c2.net.", "spans": {"TOOL: CAPE Sandbox": [[0, 12]], "MALWARE: Watson": [[29, 35]], "DOMAIN: watson-relay.malware-infra.com": [[172, 202]], "DOMAIN: data-sync.watson-c2.net": [[207, 230], [294, 317]], "URL: https://data-sync.watson-c2.net/api/upload": [[286, 328]], "EMAIL: admin@watson-c2.net": [[387, 406]]}, "info": {"id": "otx_00033", "source": "alienvault_otx"}}
{"text": "A Linux server compromise involved deployment of XMRig cryptocurrency miner alongside custom backdoors. The attacker exploited CVE-2024-1234, CVE-2023-46604 in Apache ActiveMQ, and CVE-2024-0012 in Palo Alto PAN-OS for initial access. Malicious binaries included systemd-logind (fake service), fkkkf, and dnser. Legitimate monetization tools EarnFM and Repocket were also installed. The XMRig miner connected to pool.minexmr.com:443 and the attacker maintained access via reverse shell to 45.155.205.233.", "spans": {"MALWARE: XMRig": [[49, 54], [387, 392]], "MALWARE: systemd-logind": [[263, 277]], "MALWARE: fkkkf": [[294, 299]], "MALWARE: dnser": [[305, 310]], "MALWARE: EarnFM": [[342, 348]], "MALWARE: Repocket": [[353, 361]], "CVE_ID: CVE-2024-1234": [[127, 140]], "CVE_ID: CVE-2023-46604": [[142, 156]], "CVE_ID: CVE-2024-0012": [[181, 194]], "SYSTEM: Linux": [[2, 7]], "SYSTEM: Apache ActiveMQ": [[160, 175]], "SYSTEM: PAN-OS": [[208, 214]], "DOMAIN: pool.minexmr.com": [[412, 428]], "IP_ADDRESS: 45.155.205.233": [[489, 503]]}, "info": {"id": "otx_00034", "source": "alienvault_otx"}}
{"text": "TeamPCP threat actor compromised npm packages to distribute the CanisterWorm malware. The mcpAddon.js payload (SHA256: 0703f3d9ac2bd194b08a29f9df6a4e1689390a25f20cb2b139edb05c46d5a8f7) was injected into legitimate packages. The worm spreads to Docker registries and Kubernetes clusters. C2 traffic was observed to canisterworm-c2.teampcp.dev and https://canisterworm-c2.teampcp.dev/beacon with fallback at 104.248.50.87.", "spans": {"THREAT_ACTOR: TeamPCP": [[0, 7]], "MALWARE: CanisterWorm": [[64, 76]], "HASH: 0703f3d9ac2bd194b08a29f9df6a4e1689390a25f20cb2b139edb05c46d5a8f7": [[119, 183]], "DOMAIN: canisterworm-c2.teampcp.dev": [[314, 341], [354, 381]], "URL: https://canisterworm-c2.teampcp.dev/beacon": [[346, 388]], "IP_ADDRESS: 104.248.50.87": [[406, 419]], "SYSTEM: Docker": [[244, 250]], "SYSTEM: Kubernetes": [[266, 276]]}, "info": {"id": "otx_00035", "source": "alienvault_otx"}}
{"text": "Analysis of the Bedep malware's domain generation algorithm reveals connections to the Angler exploit kit. Bedep sample SHA256 cd972d0428133053af08d2b9faa3e6167b3e7288f8422528ccffb990b0e8a837 (MD5: c98f8680790d572280d0fd7987c5de1f) generates pseudo-random domains for C2 communication. Known DGA domains include bedep-dga-7x2k.com and angler-landing.exploit-kit.net. The exploit kit leveraged CVE-2015-0311 in Adobe Flash Player.", "spans": {"MALWARE: Bedep": [[16, 21], [107, 112]], "MALWARE: Angler": [[87, 93]], "HASH: cd972d0428133053af08d2b9faa3e6167b3e7288f8422528ccffb990b0e8a837": [[127, 191]], "HASH: c98f8680790d572280d0fd7987c5de1f": [[198, 230]], "DOMAIN: bedep-dga-7x2k.com": [[312, 330]], "DOMAIN: angler-landing.exploit-kit.net": [[335, 365]], "CVE_ID: CVE-2015-0311": [[393, 406]], "SYSTEM: Adobe Flash Player": [[410, 428]]}, "info": {"id": "otx_00036", "source": "alienvault_otx"}}
{"text": "Automated botnet fingerprinting identified two high-threat command-and-control nodes. IP 79.127.138.77 (fingerprint 9f96b00ce11bc787) and IP 3.236.224.33 (fingerprint fce59ecbc730e00a) both received threat scores of 95/100. The C2 panels were accessible at http://79.127.138.77:8080/panel and http://3.236.224.33:9090/admin. Both nodes serve as relay infrastructure for distributing DDoS payloads.", "spans": {"IP_ADDRESS: 79.127.138.77": [[89, 102], [264, 277]], "IP_ADDRESS: 3.236.224.33": [[141, 153], [300, 312]], "URL: http://79.127.138.77:8080/panel": [[257, 288]], "URL: http://3.236.224.33:9090/admin": [[293, 323]]}, "info": {"id": "otx_00037", "source": "alienvault_otx"}}
{"text": "Researchers discovered indirect prompt injection payloads targeting AI agent systems. The attack involves poisoning web content to hijack LLM-based agents and steal API keys. Malicious payloads were hosted on domains prompt-inject.payload.cc, llm-exploit.adversarial.io, and agent-hijack.redteam.dev. The technique exploits trust boundaries between AI agents and external data sources.", "spans": {"DOMAIN: prompt-inject.payload.cc": [[217, 241]], "DOMAIN: llm-exploit.adversarial.io": [[243, 269]], "DOMAIN: agent-hijack.redteam.dev": [[275, 299]]}, "info": {"id": "otx_00038", "source": "alienvault_otx"}}
{"text": "The Cowrie SSH honeypot recorded 118 unique attacker IP addresses over 24 hours on 2026-04-24. Top attackers by connection volume were 222.186.42.137 (4,521 attempts), 218.92.0.56 (3,877 attempts), and 106.75.85.134 (2,103 attempts). Attackers attempted to download payloads from http://185.196.8.124/bins/mirai.arm7 and http://45.95.147.236/ssh_botnet.sh. Common usernames targeted included root, admin, oracle, and postgres. Payloads were identified as Mirai botnet variants.", "spans": {"IP_ADDRESS: 222.186.42.137": [[135, 149]], "IP_ADDRESS: 218.92.0.56": [[168, 179]], "IP_ADDRESS: 106.75.85.134": [[202, 215]], "IP_ADDRESS: 185.196.8.124": [[287, 300]], "IP_ADDRESS: 45.95.147.236": [[328, 341]], "URL: http://185.196.8.124/bins/mirai.arm7": [[280, 316]], "URL: http://45.95.147.236/ssh_botnet.sh": [[321, 355]], "TOOL: Cowrie": [[4, 10]], "MALWARE: Mirai": [[455, 460]]}, "info": {"id": "otx_00039", "source": "alienvault_otx"}}
{"text": "URLhaus reported 767 active malware distribution URLs on 2026-04-24. Notable entries include https://malware-cdn.distribhost.net/payload/emotet_loader.dll distributing Emotet, http://92.118.160.28/bins/gafgyt.mips serving Gafgyt botnet payloads, and https://phish-kit.darknet.to/stealer/formgrab.exe delivering FormBook information stealer. The infrastructure spans 295 unique IP addresses and 202 hostnames.", "spans": {"TOOL: URLhaus": [[0, 7]], "URL: https://malware-cdn.distribhost.net/payload/emotet_loader.dll": [[93, 154]], "URL: http://92.118.160.28/bins/gafgyt.mips": [[176, 213]], "URL: https://phish-kit.darknet.to/stealer/formgrab.exe": [[250, 299]], "MALWARE: Emotet": [[168, 174]], "MALWARE: Gafgyt": [[222, 228]], "MALWARE: FormBook": [[311, 319]], "IP_ADDRESS: 92.118.160.28": [[183, 196]], "DOMAIN: malware-cdn.distribhost.net": [[101, 128]], "DOMAIN: phish-kit.darknet.to": [[258, 278]]}, "info": {"id": "otx_00040", "source": "alienvault_otx"}}
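Each record above pairs a `text` field with a `spans` map whose keys are `"LABEL: entity"` and whose values are `[start, end]` character offsets into `text`. Because the annotations are LLM-produced, the check a practitioner wants before training on or extracting from this file is that every offset actually reproduces the entity string it claims to mark; off-by-one drift is the usual failure. The following Python is an added example and is not part of the arcspan dataset or its tooling. It constructs two records in the file's shape (the second carries a deliberately shifted span), validates offsets, keeps only spans that check out, and emits defanged indicators grouped by label. The `IOC_LABELS` set and the `defang` rules are assumptions of this example, not something the dataset defines. Note that several records on the page use RFC 5737 documentation ranges (`198.51.100.42`, `203.0.113.55`) and `example.net`, a sign that the texts are synthetic; indicators pulled from this file are for NER evaluation, not for blocklists.

```python
import json
from collections import defaultdict

# Constructed sample records in the same shape as llm_annotated_otx.jsonl.
# The second record has a deliberately off-by-one IP span so the check fires.
SAMPLE_JSONL = "\n".join([
    json.dumps({
        "text": "Emotet C2 at 203.0.113.10:443 was seen by Feodo Tracker.",
        "spans": {"MALWARE: Emotet": [[0, 6]],
                  "IP_ADDRESS: 203.0.113.10": [[13, 25]],
                  "TOOL: Feodo Tracker": [[42, 55]]},
        "info": {"id": "demo_00001", "source": "constructed"},
    }),
    json.dumps({
        "text": "QakBot node 198.51.100.7 appeared on 2026-03-04.",
        "spans": {"MALWARE: QakBot": [[0, 6]],
                  "IP_ADDRESS: 198.51.100.7": [[11, 23]]},  # correct would be [12, 24]
        "info": {"id": "demo_00002", "source": "constructed"},
    }),
])

# Assumed set of labels that count as shareable indicators (not defined by the dataset).
IOC_LABELS = {"IP_ADDRESS", "DOMAIN", "URL", "HASH", "EMAIL"}


def parse_key(key):
    """Split 'LABEL: entity' at the first ': '. Anything after it (including
    further ': ' inside a URL or Windows path) belongs to the entity."""
    label, _, entity = key.partition(": ")
    return label, entity


def check_record(rec):
    """Return (key, start, end, actual_slice) for every span whose offsets do
    not reproduce the entity string named in its key. Empty list means clean."""
    text = rec["text"]
    errors = []
    for key, ranges in rec["spans"].items():
        _, entity = parse_key(key)
        for start, end in ranges:
            if text[start:end] != entity:
                errors.append((key, start, end, text[start:end]))
    return errors


def defang(value):
    """Neutralise an indicator for safe sharing: http -> hxxp, '@' -> '[at]', '.' -> '[.]'."""
    if value.startswith("http"):
        value = "hxxp" + value[4:]
    return value.replace("@", "[at]").replace(".", "[.]")


def extract_iocs(jsonl_text):
    """Parse JSONL, keep only offset-verified spans, and return
    ({label: sorted defanged indicators}, [(record_id, key, start, end, actual_slice), ...])."""
    iocs = defaultdict(set)
    rejected = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        bad = {(key, start, end) for key, start, end, _ in check_record(rec)}
        for key, start, end, actual in check_record(rec):
            rejected.append((rec["info"]["id"], key, start, end, actual))
        for key, ranges in rec["spans"].items():
            label, entity = parse_key(key)
            if label not in IOC_LABELS:
                continue
            # A key survives only if at least one of its ranges verified.
            if any((key, s, e) not in bad for s, e in ranges):
                iocs[label].add(defang(entity))
    return {label: sorted(vals) for label, vals in iocs.items()}, rejected


if __name__ == "__main__":
    found, bad_spans = extract_iocs(SAMPLE_JSONL)
    for label, vals in found.items():
        print(label, vals)
    for rec_id, key, start, end, actual in bad_spans:
        print(f"{rec_id}: {key!r} at [{start}, {end}] marks {actual!r}")
```

To run this over the real file, replace `SAMPLE_JSONL` with `open("llm_annotated_otx.jsonl").read()`; records whose keys are printed in the second loop are the ones to re-annotate before the file is used as NER ground truth.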