{
	"id": "1e709273-200c-4028-a4e4-a1ea79e1d392",
	"created_at": "2026-04-06T00:13:07.928148Z",
	"updated_at": "2026-04-10T13:12:51.858533Z",
	"deleted_at": null,
	"sha1_hash": "f5044d1be5c45df0562aa3fb142e96359098f558",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 425730,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy scoreblue\r\nArchived: 2026-04-02 10:48:55 UTC\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:Necurs\r\n\r\nPuffStealer\r\nCIDR: 2 | CVE: 26 | FileHash-MD5: 1184 | FileHash-SHA1: 949 | FileHash-SHA256: 3712 | URL: 2925 | Domain: 627 | Email: 8 | Hostname: 1319\r\n224 Subscribers\r\n\r\nRansom.Win64.PORNOASSET.SM1 | DeepScan:Generic.Ransom.GandCrab5\r\nCIDR: 2 | CVE: 26 | FileHash-MD5: 1184 | FileHash-SHA1: 949 | FileHash-SHA256: 3712 | URL: 2925 | Domain: 627 | Email: 8 | Hostname: 1319\r\nRansom.Win64.PORNOASSET.SM1 DeepScan:Generic.Ransom.GandCrab5 BlackNET RAT $WebWatson Auto-generated results from a variety of tools.\r\n218 Subscribers\r\n\r\nLucky Mouse APT27 | Feodo Tracker | Malicious Tor Server | Apple iOS\r\nCIDR: 2 | CVE: 26 | FileHash-MD5: 1184 | FileHash-SHA1: 949 | FileHash-SHA256: 3712 | URL: 2925 | Domain: 627 | Email: 8 | Hostname: 1319\r\nDarkside 2020 Ecosystem. Beware: Malicious Tor server. Link found in pulse created prior. Malvertising target: Tsara Brashears Revenge Porn. There may be others. Malicious Apple activities, locating, CVE exploits, unlocking, hijacker, service transfer, spyware, malicious full auth, tracking, endless. Seems to originate from a law firm that goes too far to defend clients and silence alleged victims. Some States allow the same privileges and tools as the federal government to insurance, workers' compensation, investigators and insurance company law firms for investigations. Fear tactics they seem willing to back up. I was approached and asked about my cyber knowledge by strangers. I am followed now for using a tool properly. ALL terms auto-populated from various tools used, including: State, Brian Sabey, cyber stalking. Perhaps he's made contact with target. Danger!\r\n218 Subscribers\r\n\r\nFeodo Tracker C\u0026C Server| BotNet\r\nFileHash-MD5: 6 | FileHash-SHA1: 6 | FileHash-SHA256: 6 | URL: 2\r\nCommand and Control Botnet Source: http://cloudbazaar.org/ researching DGA. DGA Domain: PublicDomainRegistry.com. Pattern Match: many of the vulnerabilities I've researched originate from Registrar. Not all, but enough to raise an eyebrow. Active: Feodo Tracker\r\n218 Subscribers\r\n\r\nThreat Actors Alter DGA Patterns to Improve C2 Communication\r\nCVE: 1 | FileHash-SHA256: 2 | URL: 2 | Domain: 5\r\nMalware is evolving to evade security measures and detection by changing the patterns of domain names used to communicate with C2 servers, according to security experts and a group of researchers in the UK.\r\n480 Subscribers\r\n\r\nElastic Security Labs discovers the LOBSHOT malware | Elastic\r\nFileHash-SHA256: 1 | IPv4: 1 | URL: 1\r\nElastic Security Labs is shedding light on an undiscovered hVNC malware that has been quietly collecting a large install base. This malware, called LOBSHOT, appears to be leveraged for financial purposes, employing banking trojan and info-stealing capabilities. Adversaries continue to abuse and increase reach through malvertising such as Google Ads by impersonating legitimate software.\r\n71 Subscribers\r\n\r\nThreat Research | FireEye Inc\r\nFind out more about FireEye.com, the world's leading cyber security company, which provides security services to more than 1.5 million customers across the globe, and offers a wide range of products and services.\r\n17 Subscribers\r\n\r\nEmail Malspam Campaign Infrastructure Analysis\r\nDomain: 672\r\n\"From March to December 2020, we tracked segments of a dynamically generated email infrastructure that attackers used to send more than a million emails per month, distributing at least seven distinct malware families in dozens of campaigns using a variety of phishing lures and tactics. These campaigns aimed to deploy malware on target networks across the world, with notable concentration in the United States, Australia, and the United Kingdom. Attackers targeted the wholesale distribution, financial services, and healthcare industries.\"\r\n373,184 Subscribers\r\n\r\nBackdoor.Necurs\r\nBackdoor.Necurs is a Trojan horse that opens a back door on the compromised computer. The Trojan may also disable antivirus products as well as download and install additional malware.\r\n127 Subscribers\r\n\r\nIndicators Search\r\nWe've found 535 indicators",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:Necurs"
	],
	"report_names": [
		"pulses?q=tag:Necurs"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5044d1be5c45df0562aa3fb142e96359098f558.pdf",
		"text": "https://archive.orkl.eu/f5044d1be5c45df0562aa3fb142e96359098f558.txt",
		"img": "https://archive.orkl.eu/f5044d1be5c45df0562aa3fb142e96359098f558.jpg"
	}
}
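The plain_text above is an OTX pulse search by tag (q=tag:Necurs): one card per pulse with per-type indicator counts (FileHash-SHA256, URL, Domain, ...) and a "Show expired indicators" toggle on the indicator view. The Python below is an added example, not code from LevelBlue, OTX or the pulse authors, of reproducing that view through the OTX DirectConnect API: it builds the request for the /api/v1/search/pulses endpoint with the X-OTX-API-KEY header (endpoint path, header name and response shape are assumptions about the public API; nothing is sent), then tallies indicators by type per pulse and de-duplicated across pulses, dropping indicators whose is_active flag is 0 unless told to keep them. The sample response is constructed for the example with documentation-range values, not real indicators.

```python
"""Tally an OTX pulse search by indicator type.

Added example; not code from LevelBlue/OTX. The endpoint path, header name and
response shape are assumptions about the OTX DirectConnect v1 API.
"""
from __future__ import annotations

from collections import Counter
from typing import Any
from urllib.parse import quote

OTX_API_BASE = "https://otx.alienvault.com/api/v1"  # assumed base URL


def build_pulse_search_request(tag: str, api_key: str, page: int = 1,
                               limit: int = 20) -> tuple[str, dict[str, str]]:
    """Return (url, headers) for a pulse search by tag; nothing is sent.

    Assumes GET /search/pulses?q=tag:<tag>&page=<n>&limit=<n> and the
    X-OTX-API-KEY header. Page through: the archived view ran to 11 pages.
    """
    query = quote(f"tag:{tag}", safe=":")
    url = f"{OTX_API_BASE}/search/pulses?q={query}&page={page}&limit={limit}"
    return url, {"X-OTX-API-KEY": api_key, "Accept": "application/json"}


def summarize_pulses(payload: dict[str, Any],
                     include_expired: bool = False) -> dict[str, Any]:
    """Count indicators per pulse and de-duplicated across the whole page.

    Expects {"results": [pulse, ...]} with each pulse carrying "name", "tags"
    and "indicators" ([{"indicator": str, "type": str, "is_active": 0|1}]);
    that shape is an assumption. Indicators with is_active == 0 are treated
    as expired and skipped unless include_expired is set (the UI toggle).
    Types are lower-cased so "Domain" and "domain" land in one bucket.
    """
    per_pulse: list[dict[str, Any]] = []
    unique: dict[tuple[str, str], str] = {}  # (type, value) -> first pulse seen in
    for pulse in payload.get("results", []):
        counts: Counter[str] = Counter()
        for ioc in pulse.get("indicators", []):
            if not include_expired and not ioc.get("is_active", 1):
                continue
            value = str(ioc.get("indicator", "")).strip()
            if not value:
                continue
            kind = str(ioc.get("type", "unknown")).lower()
            counts[kind] += 1
            unique.setdefault((kind, value), pulse.get("name", ""))
        per_pulse.append({"name": pulse.get("name", ""),
                          "tags": pulse.get("tags", []),
                          "counts": dict(counts)})
    return {
        "pulses": per_pulse,
        "unique_totals": dict(Counter(kind for kind, _ in unique)),
        "unique_indicators": sorted(unique),
    }


# Constructed sample in the assumed response shape; values are documentation
# ranges (203.0.113.0/24, example.net) and an all-zero hash, not real indicators.
SAMPLE_SEARCH_RESPONSE: dict[str, Any] = {
    "count": 2,
    "results": [
        {"name": "Pulse A (C2 tracker)", "tags": ["Necurs"],
         "indicators": [
             {"indicator": "203.0.113.10", "type": "IPv4", "is_active": 1},
             {"indicator": "c2.example.net", "type": "domain", "is_active": 1},
             {"indicator": "http://c2.example.net/gate.php", "type": "URL", "is_active": 0},
         ]},
        {"name": "Pulse B (stealer IOCs)", "tags": ["Necurs", "stealer"],
         "indicators": [
             {"indicator": "203.0.113.10", "type": "IPv4", "is_active": 1},  # shared with A
             {"indicator": "0" * 64, "type": "FileHash-SHA256", "is_active": 1},
         ]},
    ],
}

if __name__ == "__main__":
    url, headers = build_pulse_search_request("Necurs", "<your-api-key>")
    print(url, headers)
    summary = summarize_pulses(SAMPLE_SEARCH_RESPONSE)
    for pulse in summary["pulses"]:
        print(pulse["name"], pulse["counts"])
    print("unique across pulses:", summary["unique_totals"])
```

The de-duplicated totals are the number worth watching: pulses that share the same tag frequently overlap, so the per-pulse counts the listing shows over-state how many distinct indicators a detection feed would actually gain.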