{
	"id": "cb995614-d3a7-4fa1-a37c-0e3b5e1493a4",
	"created_at": "2026-04-06T00:08:00.287514Z",
	"updated_at": "2026-04-10T03:37:37.015107Z",
	"deleted_at": null,
	"sha1_hash": "235e18bb0a1205a28cc7be7b679f22667a1cbeb5",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 407835,
	"plain_text": "LevelBlue - Open Threat Exchange\nBy PetrP.73\nArchived: 2026-04-05 17:00:55 UTC\nhttps://otx.alienvault.com/browse/pulses?q=tag:DanaBot\n\nClickFix Resurgence in 2026: Matanbuchus 3.0 and AstarionRAT Drive Advanced Multi-Stage Intrusion Campaign\nFileHash-SHA256: 8 | URL: 2 | Domain: 4 | Hostname: 1\n\nIn February 2026, a targeted intrusion investigated by the Huntress Tactical Response team highlighted a resurgence of the ClickFix infection method, which uses social engineering to manipulate users into executing malicious commands themselves. This technique became a primary vector for initial access throughout 2025, favored by both cybercriminals and nation-state actors. ClickFix bypasses conventional security controls by turning users into unwitting executors of malware. A notable combination seen during the incident was ClickFix paired with Matanbuchus 3.0, which re-emerged after a brief pause in May 2025. Matanbuchus is introduced through ClickFix's prompts and uses silent MSI installations as part of its multi-stage execution chain.\n\nDanaBot\nFileHash-MD5: 27 | FileHash-SHA1: 27 | FileHash-SHA256: 95 | Domain: 50 | Hostname: 1\n\nInteresting | OTC AlienVault.com connection issues for me | alienvault.io =404 |\nFileHash-SHA256: 11 | Domain: 3 | Hostname: 1\n\nFound on a victim's devices. Targets abused in an unethical manner by adversarial entities. Waged against targets such as victims of crime, journalists, researchers, and students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used: Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns: While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.\n\nDanabot\nFileHash-MD5: 200 | FileHash-SHA1: 200 | FileHash-SHA256: 1000\n\nCross-Chain TxDataHiding Crypto Heist: A Very Chainful Process.\nFileHash-MD5: 3 | FileHash-SHA1: 2 | FileHash-SHA256: 20 | URL: 3 | Domain: 1 | Hostname: 1\n\nIn September 2025, an investigation by Ransom-ISAC into a sophisticated breach linked to North Korean threat actors uncovered a multi-layered attack targeting cryptocurrency and data theft through a weaponized GitHub repository. Initially identified as a phishing campaign, the operation used blockchain-based command-and-control (C2) infrastructure paired with cross-platform malware that affected development environments on a wide scale. The attack relied on two primary types of C2 channel: a Python dropper using an HTTP API over port 27017, and a Loader/RAT using both the HTTP API and Socket.IO channels over ports 27017 and 443. Each C2 channel exhibited distinctive characteristics, including specific HTTP header configurations tailored to maintain covert communication and server persistence. For instance, the Keep-Alive header was configured to ensure timely requests from victims, ultimately governing the communication interval with the C2 server.\n\nDanabot Malware Reemerges with Version 669 After Operation Endgame\nBitcoinAddress: 1 | URL: 1\n\nDanabot, a banking malware, has resurfaced with a new version, 669, following the disruption caused by Operation Endgame in May 2025. This marks a notable return for the malware, which had been relatively inactive for nearly six months. The renewed activity suggests that the threat actors behind Danabot have adapted and evolved their strategies and continue to pose significant risks to organizations. Recent observations by security researchers reveal the deployment of multiple new command-and-control (C2) servers. This diversification of infrastructure indicates a calculated effort by the threat actors to enhance their operational resilience and evade detection, strengthening their capability to orchestrate cyber attacks.\n\nRemote access, real cargo: cybercriminals targeting trucking and logistics\nFileHash-MD5: 1 | FileHash-SHA1: 1 | FileHash-SHA256: 6 | URL: 1 | Domain: 29 | Hostname: 2\n\nCybercriminals are targeting trucking and logistics companies to steal cargo freight through elaborate attack chains. They compromise companies and use that access to bid on cargo shipments, which they then steal and sell. The threat actors typically deliver remote monitoring and management (RMM) tools as a first-stage payload. This cyber-enabled theft is part of a multi-million-dollar criminal enterprise that has grown with the industry's digital transformation. The attackers use tactics such as compromising load boards, email thread hijacking, and direct targeting via email campaigns. They deliver RMM tools like ScreenConnect, SimpleHelp, and PDQ Connect, which grant full control of compromised machines. The activity has been observed since at least June 2025, with nearly two dozen campaigns in the last two months alone.\n\nDark Covenant 3.0: Controlled Impunity and Russia's Cybercriminals.\nURL: 1 | Domain: 3 | Email: 4\n\nThe Russian cybercrime landscape is undergoing significant change due to intensified international law enforcement operations, notably Operation Endgame, which commenced in May 2024. This initiative targets key elements of the ransomware ecosystem, including operators, money laundering services, and related infrastructure within Russia. Historically, Russia has maintained a non-interference stance on domestic cybercrime; however, recent enforcement actions signal a notable shift towards increased state management of cybercriminal activity.\n\nThreat Actor Profile: Interlock Ransomware.\nCVE: 2 | FileHash-MD5: 11 | FileHash-SHA1: 14 | FileHash-SHA256: 11 | URL: 1 | Domain: 2\n\nInterlock (aka Nefarious Mantis) is an opportunistic ransomware operator first observed in September 2024 and active across North America and Europe through 2025, targeting education, healthcare, technology, government, and other sectors. Law enforcement advisories (CISA/FBI) in mid-2025 noted upgrades to Interlock tooling, including encryptors for both Windows and Linux and the capability to encrypt virtual machines.\n\nSteam games abused to deliver malware once again.\nFileHash-MD5: 2 | FileHash-SHA1: 2 | FileHash-SHA256: 4 | URL: 20 | Domain: 2\n\nThe cybercriminal known as EncryptHub, also referred to as Larva-208, has exploited the online gaming platform Steam to distribute information-stealing malware. The method involved embedding malicious files within the game files of Chemia, an adventure survival game currently in early access on Steam. As of July 22, 2025, EncryptHub had introduced a Trojan downloader into Chemia, which runs alongside the legitimate game application. This downloader maintains persistence on infected systems and subsequently delivers several malware families, specifically Fickle Stealer, HijackLoader, and Vidar.\n\nBladedFeline: Unmasking the Iran-Aligned Cyberespionage Group\nFileHash-MD5: 2 | FileHash-SHA1: 2 | FileHash-SHA256: 2 | URL: 5 | Domain: 5 | Hostname: 5\n\nDive into ESET's comprehensive analysis of BladedFeline, an Iran-aligned APT group with likely ties to OilRig. This report uncovers the group's sophisticated cyberespionage operations targeting Kurdish and Iraqi government officials. Learn about their advanced tools, including the Whisper backdoor and PrimeCache IIS module, and their persistent efforts to maintain access to high-ranking officials.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:DanaBot"
	],
	"report_names": [
		"pulses?q=tag:DanaBot"
	],
	"threat_actors": [
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4ce3fc37-6e62-4642-8ad8-fa33fb389518",
			"created_at": "2026-02-07T02:00:03.658496Z",
			"updated_at": "2026-04-10T02:00:03.958135Z",
			"deleted_at": null,
			"main_name": "BladedFeline",
			"aliases": [],
			"source_name": "MISPGALAXY:BladedFeline",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af10aec6-36a8-4bdb-ba47-8f75b6a4aa4b",
			"created_at": "2025-03-07T02:00:03.797427Z",
			"updated_at": "2026-04-10T02:00:03.821929Z",
			"deleted_at": null,
			"main_name": "Larva-208",
			"aliases": [
				"EncryptHub"
			],
			"source_name": "MISPGALAXY:Larva-208",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34",
				"CHRYSENE",
				"Crambus",
				"EUROPIUM",
				"Hazel Sandstorm",
				"Helix Kitten",
				"ITG13",
				"OilRig",
				"Yellow Maero"
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434080,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/235e18bb0a1205a28cc7be7b679f22667a1cbeb5.pdf",
		"text": "https://archive.orkl.eu/235e18bb0a1205a28cc7be7b679f22667a1cbeb5.txt",
		"img": "https://archive.orkl.eu/235e18bb0a1205a28cc7be7b679f22667a1cbeb5.jpg"
	}
}