Malicious Appsuite PDF Editor Spreads TamperedChef Malware
TLP:white
AlienVault
A large cybercrime campaign has been observed involving multiple fraudulent websites promoted through Google advertising. The campaign aims to trick users into downloading and installing a trojanized PDF editor that contains the TamperedChef information-stealing malware, which harvests sensitive data, including credentials and web cookies. The campaign began on June 26, 2025; the PDF editor initially appeared harmless and only later activated its malicious capabilities. At least 5 different Google advertising campaign IDs were observed promoting the PDF editor. The malware's activation occurred 56 days after the campaign's start, which coincides with the typical duration of a Google ad campaign. The threat actor has a history of distributing malicious code disguised as free utility tools, and this campaign has successfully affected several European organizations.
google advertising
information stealer
obfuscation
credential theft
tamperedchef
FileHash-MD5 12
FileHash-SHA1 10
FileHash-SHA256 63
domain 30
hostname 4
Created: Aug 28, 2025 1:34 PM
Updated: Aug 28, 2025 1:36 PM