{ "id": "e3a5d37e-c3f8-4778-a2cf-46b3f3853be6", "created_at": "2026-04-06T00:20:10.038349Z", "updated_at": "2026-04-10T13:12:53.448679Z", "deleted_at": null, "sha1_hash": "0124eaf767d4201fd5b7a205893296bcb1e95754", "title": "LevelBlue - Open Threat Exchange", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 381022, "plain_text": "LevelBlue - Open Threat Exchange\r\nBy Arek-BTC\r\nArchived: 2026-04-05 15:45:26 UTC\r\nsdfzsdf.ele fac1ec40eea5a4fc05f17e019328e287\r\nFileHash-MD5: 28 | FileHash-SHA1: 27 | FileHash-SHA256: 1077 | URL: 1092 | YARA: 535 | Domain: 282 |\r\nEmail: 4 | Hostname: 316\r\nSHA1- 33008f85428a83996083c3da92a8f00595071403 SHA256\r\ncdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf\r\nhttps://sandbox.ti.qianxin.com/sandbox/page/detail?type=file\u0026id=7b6726e20c513baebf7fd387a3dd1b7d67a4c7c4\r\nhttps://ti.qianxin.com/v2/search?type=file\u0026value=fac1ec40eea5a4fc05f17e019328e287\r\nhttps://www.virustotal.com/gui/file/cdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf/relations\r\n122 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 1 of 16\n\ndfirfanatic_IOC's\r\nCVE: 11 | FileHash-MD5: 3 | FileHash-SHA1: 3 | FileHash-SHA256: 6 | URL: 20 | Domain: 39 | Hostname: 12\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 2 of 16\n\n51.15.98.45 51.15.115.141 51.15.44.6 107.23.39.208 154.38.185.108 139.59.30.78 139.59.30.78 141.98.11.168\r\n195.164.49.68 152.39.227.27 212.56.53.90 159.65.231.167 195.154.208.101 195.154.208.99 163.172.77.100\r\n47.84.83.221 104.28.211.187 152.42.211.173 174.138.17.185 209.146.60.235 45.9.148.131 2a0e:fa00:0:25::1\r\n178.128.208.31 157.66.55.50 178.128.208.31 104.28.211.187 13.76.244.181 201.46.112.135 118.41.203.50\r\n51.75.126.7 188.166.163.12 195.242.212.198 93.123.109.246 152.32.129.236\r\n1 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 3 of 16\n\n161 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 4 of 16\n\nAPT36 - In the Wake of Pahalgam Attack \u0026 Operation Sindhoor\r\nCVE: 1 | FileHash-MD5: 31 | FileHash-SHA1: 29 | FileHash-SHA256: 31 | URL: 23 | Domain: 28 | Email: 1 |\r\nHostname: 25\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 5 of 16\n\nThis is a collection of IOCs, I was able to collect from various sources which are related to the recent India-Pakistan\r\nclashes and cyber operations taking place.\r\n50 Subscribers\r\nPolymodXT.exe\r\nFileHash-MD5: 414 | FileHash-SHA1: 410 | FileHash-SHA256: 1940 | URL: 171 | YARA: 759 | Domain: 134 |\r\nEmail: 4 | Hostname: 56\r\n122 Subscribers\r\nSvchost id: 16c37b52-b141-42a5-a3ea-bbe098444397\r\nFileHash-MD5: 39 | FileHash-SHA1: 28 | FileHash-SHA256: 1065 | URL: 984 | YARA: 535 | Domain: 262 |\r\nEmail: 4 | Hostname: 316\r\nThe following rules for the Windows.Trojan.Tofsee malware have been revealed by the BBC's Panorama programme\r\nand are subject to a review by BBC Newsnight and BBC Radio 5 live.\r\n122 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 6 of 16\n\nSnowblind: The Invisible Hand of Secret Blizzard\r\nA Russian-based threat actor, Secret Blizzard, has infiltrated 33 command-and-control nodes of a Pakistani-based\r\nactor, Storm-0156. Over two years, Secret Blizzard leveraged this access to deploy malware into Afghan government\r\nnetworks and potentially acquired data from Pakistani operators' workstations. They expanded their focus to include\r\ntwo other malware families, Waiscot and CrimsonRAT, used against Indian targets. The campaign demonstrates\r\nSecret Blizzard's meticulous approach to expanding operations in the Middle East, exploiting other actors'\r\ninfrastructure to avoid attribution and gain sensitive information. This strategy allows them to remotely acquire data\r\nwithout exposing their own tools, taking advantage of the foothold created by the original threat actor.\r\n373,939 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 7 of 16\n\n35 Subscribers\r\nAuthor Url\r\n841 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 8 of 16\n\n181 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 9 of 16\n\n258 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 10 of 16\n\nVajraSpy RAT IOCs - SEC-1275-1\r\nFileHash-MD5: 8 | FileHash-SHA1: 13 | FileHash-SHA256: 8\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 11 of 16\n\nSearch for the VajraSpy RAT IOCs, £1.2m, on Google's Android platform, and on the Google Play app, as well as\r\nfor ESET.\r\n34 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 12 of 16\n\n41 Subscribers\r\nAuthor Url\r\n841 Subscribers\r\nAuthor Url\r\n841 Subscribers\r\nCapraTube | Transparent Tribe’s CapraRAT Mimics YouTube to Hijack Android Phones\r\nFileHash-MD5: 2 | FileHash-SHA1: 3 | FileHash-SHA256: 2 | Domain: 3\r\nTransparent Tribe is a suspected Pakistani actor known for targeting military and diplomatic personnel in both India\r\nand Pakistan, with a more recent expansion to the Indian Education sector. Since 2018, reports have detailed the\r\ngroup’s use of what is now called CapraRAT, an Android framework that hides RAT features inside of another\r\napplication. The toolset has been used for surveillance against spear-phishing targets privy to affairs involving the\r\ndisputed region of Kashmir, as well as human rights activists working on matters related to Pakistan.\r\n373,939 Subscribers\r\nAuthor Url\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 13 of 16\n\n841 Subscribers\r\n258 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 14 of 16\n\n181 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 15 of 16\n\n181 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT\r\nPage 16 of 16\n\ndfirfanatic_IOC's https://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT \nCVE: 11 | FileHash-MD5: 3 | FileHash-SHA1: 3 | FileHash-SHA256: 6 | URL: 20 | Domain: 39 | Hostname: 12\n Page 2 of 16 \n\nVajraSpy RAT IOCs - SEC-1275-1 https://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT \nFileHash-MD5: 8 | FileHash-SHA1: 13 | FileHash-SHA256: 8\n Page 11 of 16", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://otx.alienvault.com/browse/pulses?q=tag:CrimsonRAT" ], "report_names": [ "pulses?q=tag:CrimsonRAT" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "414d7c65-5872-4e56-8a7d-49a2aeef1632", "created_at": "2025-08-07T02:03:24.7983Z", "updated_at": "2026-04-10T02:00:03.76109Z", "deleted_at": null, "main_name": "COPPER FIELDSTONE", "aliases": [ "APT36 ", "Earth Karkaddan ", "Gorgon Group ", "Green Havildar ", "Mythic Leopard ", "Operation C-Major ", "Operation Transparent Tribe ", "Pasty Draco ", "ProjectM ", "Storm-0156 " ], "source_name": "Secureworks:COPPER FIELDSTONE", "tools": [ "CapraRAT", "Crimson RAT", "DarkComet", "ElizaRAT", "LuminosityLink", "ObliqueRAT", "Peppy", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "fce5181c-7aab-400f-bd03-9db9e791da04", "created_at": "2022-10-25T15:50:23.759799Z", "updated_at": "2026-04-10T02:00:05.3002Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "Transparent Tribe", "COPPER FIELDSTONE", "APT36", "Mythic Leopard", "ProjectM" ], "source_name": "MITRE:Transparent Tribe", "tools": [ "DarkComet", "ObliqueRAT", "njRAT", "Peppy" ], "source_id": "MITRE", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "abb24b7b-6baa-4070-9a2b-aa59091097d1", "created_at": "2022-10-25T16:07:24.339942Z", "updated_at": "2026-04-10T02:00:04.944806Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "APT 36", "APT-C-56", "Copper Fieldstone", "Earth Karkaddan", "G0134", "Green Havildar", "Mythic Leopard", "Opaque Draco", "Operation C-Major", "Operation Honey Trap", "Operation Transparent Tribe", "ProjectM", "STEPPY-KAVACH", "Storm-0156", "TEMP.Lapis", "Transparent Tribe" ], "source_name": "ETDA:Transparent Tribe", "tools": [ "Amphibeon", "Android RAT", "Bezigate", "Bladabindi", "Bozok", "Bozok RAT", "BreachRAT", "Breut", "CapraRAT", "CinaRAT", "Crimson RAT", "DarkComet", "DarkKomet", "ElizaRAT", "FYNLOS", "Fynloski", "Jorik", "Krademok", "Limepad", "Luminosity RAT", "LuminosityLink", "MSIL", "MSIL/Crimson", "Mobzsar", "MumbaiDown", "Oblique RAT", "ObliqueRAT", "Peppy RAT", "Peppy Trojan", "Quasar RAT", "QuasarRAT", "SEEDOOR", "Scarimson", "SilentCMD", "Stealth Mango", "UPDATESEE", "USBWorm", "Waizsar RAT", "Yggdrasil", "beendoor", "klovbot", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "c68fa27f-e8d9-4932-856b-467ccfe39997", "created_at": "2023-01-06T13:46:38.450585Z", "updated_at": "2026-04-10T02:00:02.980334Z", "deleted_at": null, "main_name": "Operation C-Major", "aliases": [ "APT36", "APT 36", "TMP.Lapis", "COPPER FIELDSTONE", "Storm-0156", "Transparent Tribe", "ProjectM", "Green Havildar", "Earth Karkaddan", "C-Major", "Mythic Leopard" ], "source_name": "MISPGALAXY:Operation C-Major", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434810, "ts_updated_at": 1775826773, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0124eaf767d4201fd5b7a205893296bcb1e95754.pdf", "text": "https://archive.orkl.eu/0124eaf767d4201fd5b7a205893296bcb1e95754.txt", "img": "https://archive.orkl.eu/0124eaf767d4201fd5b7a205893296bcb1e95754.jpg" } }