{ "source": "https://lots-project.com/", "scraped_at": "2026-06-16T11:58:41Z", "count": 175, "sites": [ { "website": "raw.githubusercontent.com", "tags": [ "Phishing", "C&C", "Download" ], "service_provider": "Github", "phishing": "Attackers can phish users with a raw.githubusercontent.com link that downloads malware.", "command_and_control": "Malware was seen using raw.githubusercontent.com to host malicious C&C commands which the malware will periodically fetch.", "exfiltration": "None", "download": "Malware can fetch additional tools from raw.githubusercontent.com.", "sample_url": "https://www.joesandbox.com/analysis/517120/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/7261772e67697468756275736572636f6e74656e742e636f6d", "detail_slug": "7261772e67697468756275736572636f6e74656e742e636f6d", "detail_url": "https://lots-project.com/site/7261772e67697468756275736572636f6e74656e742e636f6d", "scraped_at": "2026-06-16T11:57:35Z" }, { "website": "github.com", "tags": [ "Phishing", "Download" ], "service_provider": "Github", "phishing": "Attackers can host malware on Github.com and send phishing emails to have users download the malware. Another way is to fork a legitimate project, and add malware to it and then phish users to download the trojanized project.", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can host malicious files on github.com and when needed, the files can be downloaded.", "sample_url": "https://www.joesandbox.com/analysis/479875/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/6769746875622e636f6d", "detail_slug": "6769746875622e636f6d", "detail_url": "https://lots-project.com/site/6769746875622e636f6d", "scraped_at": "2026-06-16T11:57:35Z" }, { "website": "1drv.ms", "tags": [ "Phishing" ], "service_provider": "Microsoft", "phishing": "Attackers create a shareable link for OneDrive files which use the 1drv.ms domain. The link is then utilized to phish users and have them download malware. Alternatively, phishing pages are create using OneNote and shared with users in hopes of clicking on a link that redirects them to a malicious domain.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/505171/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/316472762e6d73", "detail_slug": "316472762e6d73", "detail_url": "https://lots-project.com/site/316472762e6d73", "scraped_at": "2026-06-16T11:57:36Z" }, { "website": "1drv.com", "tags": [ "Phishing", "Download" ], "service_provider": "Microsoft", "phishing": "Attackers create a shareable link for OneDrive files which use the 1drv.ms domain. The download link for the file is hosted on *.1drv.com. The link is then utilized to phish users and have them download malware.", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can upload files onto OneDrive and use the generated 1drv.com links to download the additional tools.", "sample_url": "https://www.joesandbox.com/analysis/459001/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/316472762e636f6d", "detail_slug": "316472762e636f6d", "detail_url": "https://lots-project.com/site/316472762e636f6d", "scraped_at": "2026-06-16T11:57:36Z" }, { "website": "docs.google.com", "tags": [ "Phishing", "C&C" ], "service_provider": "Google", "phishing": "Attackers can embed malicious links into documents on docs.google.com and then share them to phish users.", "command_and_control": "Attackers use docs.google.com to upload commands and have the malware fetch them. GC2 is an open-source tool that utilizes docs.google.com for C&C purposes.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/509788/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/646f63732e676f6f676c652e636f6d", "detail_slug": "646f63732e676f6f676c652e636f6d", "detail_url": "https://lots-project.com/site/646f63732e676f6f676c652e636f6d", "scraped_at": "2026-06-16T11:57:36Z" }, { "website": "drive.google.com", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "Google", "phishing": "Attackers have hosted malware on drive.google.com and utilized the sharing capabilities and phish users to download it.", "command_and_control": "Attackers have used drive.google.com for C&C by retrieving files with commands to be executed. An example of a malware that uses drive.google.com as C&C is SysJoker.", "exfiltration": "drive.google.com can be used to store exfiltrated files on there. GC2 is an open-source tool that utilizes drive.google.com for exfiltration.", "download": "drive.google.com creates shared links for files which enables attackers to download additional tools.", "sample_url": "https://www.joesandbox.com/analysis/486513/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/64726976652e676f6f676c652e636f6d", "detail_slug": "64726976652e676f6f676c652e636f6d", "detail_url": "https://lots-project.com/site/64726976652e676f6f676c652e636f6d", "scraped_at": "2026-06-16T11:57:37Z" }, { "website": "*.azurewebsites.net", "tags": [ "Phishing", "Download", "Exfiltration", "C&C" ], "service_provider": "Microsoft", "phishing": "Azure web applications allows users to create a customized subdomain on azurewebsites.net. Attackers abuse this functionality by hosting phishing websites using the azurewebsites.net domain.", "command_and_control": "Malware such as Almaq have used Azure web applications as their C&C servers.", "exfiltration": "Attackers can create web applications with upload functionalities hosted on *.azurewebsites.net and exfiltrate data on there.", "download": "Attackers can host malicious tools on applications hosted on *.azurewebsites.net and download them when needed.", "sample_url": "https://www.joesandbox.com/analysis/426500/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e617a75726577656273697465732e6e6574", "detail_slug": "2a2e617a75726577656273697465732e6e6574", "detail_url": "https://lots-project.com/site/2a2e617a75726577656273697465732e6e6574", "scraped_at": "2026-06-16T11:57:37Z" }, { "website": "dropbox.com", "tags": [ "Phishing", "Download", "Exfiltration", "C&C" ], "service_provider": "Dropbox", "phishing": "Attackers have used dropbox.com to store malicious files and then share them with targets. Attackers can also have users redirected to malicious domains via links embedded in certain file types such as PDF.", "command_and_control": "Dropbox has been used by attackers as C&C servers. The open source tool DBC2 (DropBoxC2) can be used to utilize DropBox as a C&C server.", "exfiltration": "dropbox.com can be used to store exfiltrated files on there.", "download": "dropbox.com creates shared links for files which enables attackers to store tools there and download them when required.", "sample_url": "https://www.joesandbox.com/analysis/494480/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x, @EthanRobish", "detail_path": "/site/64726f70626f782e636f6d", "detail_slug": "64726f70626f782e636f6d", "detail_url": "https://lots-project.com/site/64726f70626f782e636f6d", "scraped_at": "2026-06-16T11:57:38Z" }, { "website": "mega.nz", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "Mega Limited", "phishing": "Attackers have used mega.nz to store malicious files and then share them with targets.", "command_and_control": "None", "exfiltration": "mega.nz can be used to store exfiltrated files on there.", "download": "mega.nz creates shared links for files which enables attackers to store tools there and download them when required.", "sample_url": "", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/6d6567612e6e7a", "detail_slug": "6d6567612e6e7a", "detail_url": "https://lots-project.com/site/6d6567612e6e7a", "scraped_at": "2026-06-16T11:57:38Z" }, { "website": "pcloud.com", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "pCloud", "phishing": "Attackers can used pcloud.com to store malicious files and then share them with targets.", "command_and_control": "None", "exfiltration": "pcloud.com can be used to store exfiltrated files on there.", "download": "Tools can be stored on pcloud.com and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/431590/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/70636c6f75642e636f6d", "detail_slug": "70636c6f75642e636f6d", "detail_url": "https://lots-project.com/site/70636c6f75642e636f6d", "scraped_at": "2026-06-16T11:57:38Z" }, { "website": "*.amazonaws.com", "tags": [ "Phishing", "Download", "Exfiltration", "C&C" ], "service_provider": "Amazon Web Services", "phishing": "Attackers can use *.amazonaws.com to host their phishing websites.", "command_and_control": "The Pareto Botnet was found using *.amazonaws.com as their C&C servers.", "exfiltration": "Attackers can create web applications with upload functionalities hosted on *.amazonaws.com and exfiltrate data on there. Alternatively, attackers can use *.s3.amazonaws.com as storage and upload exfiltrated files there.", "download": "Malicious tools can be stored on *.amazonaws.com and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/510382/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e616d617a6f6e6177732e636f6d", "detail_slug": "2a2e616d617a6f6e6177732e636f6d", "detail_url": "https://lots-project.com/site/2a2e616d617a6f6e6177732e636f6d", "scraped_at": "2026-06-16T11:57:39Z" }, { "website": "*.twitter.com", "tags": [ "C&C" ], "service_provider": "Twitter", "phishing": "None", "command_and_control": "twitter.com can be used by attackers as C&C by publishing commands via tweets or direct messages. Twittor is an open-source tool that utilizes Twitter's direct message functionality for C&C. Twitter's mobile subdomain can also be used therefore monitor all subdomains of twitter.com", "exfiltration": "None", "download": "None", "sample_url": "", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x, @originalesushi", "detail_path": "/site/2a2e747769747465722e636f6d", "detail_slug": "2a2e747769747465722e636f6d", "detail_url": "https://lots-project.com/site/2a2e747769747465722e636f6d", "scraped_at": "2026-06-16T11:57:39Z" }, { "website": "*.web.core.windows.net", "tags": [ "Phishing", "Download", "Exfiltration", "C&C" ], "service_provider": "Microsoft", "phishing": "Attackers have the ability to choose a customized subdomain on web.core.windows.net. Attackers abuse this functionality by hosting phishing websites using the web.core.windows.net subdomain.", "command_and_control": "*.web.core.windows.net can be used as C&C servers.", "exfiltration": "Attackers can upload exfiltrated data onto applications hosted on *.web.core.windows.net", "download": "Malicious tools can be stored on *.web.core.windows.net and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/428807/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e7765622e636f72652e77696e646f77732e6e6574", "detail_slug": "2a2e7765622e636f72652e77696e646f77732e6e6574", "detail_url": "https://lots-project.com/site/2a2e7765622e636f72652e77696e646f77732e6e6574", "scraped_at": "2026-06-16T11:57:40Z" }, { "website": "*.blob.core.windows.net", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "Microsoft", "phishing": "Attackers have the ability to choose a customized subdomain on blob.core.windows.net for blob storage. Attackers abuse this functionality by hosting .html files using the blob.core.windows.net subdomain and therefore creating fake login pages that capture credentials.", "command_and_control": "None", "exfiltration": "Attackers can upload exfiltrated data onto applications hosted on *.blob.core.windows.net", "download": "Malicious tools can be stored on *.blob.core.windows.net and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/464535/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e626c6f622e636f72652e77696e646f77732e6e6574", "detail_slug": "2a2e626c6f622e636f72652e77696e646f77732e6e6574", "detail_url": "https://lots-project.com/site/2a2e626c6f622e636f72652e77696e646f77732e6e6574", "scraped_at": "2026-06-16T11:57:40Z" }, { "website": "*.box.com", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "Box", "phishing": "Attackers have used *.box.com to store malicious files and then share them with targets.", "command_and_control": "None", "exfiltration": "*.box.com can be used to store exfiltrated files on there.", "download": "*.box.com creates shared links for files which enables attackers to store tools there and download them when required.", "sample_url": "https://www.joesandbox.com/analysis/145442/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e626f782e636f6d", "detail_slug": "2a2e626f782e636f6d", "detail_url": "https://lots-project.com/site/2a2e626f782e636f6d", "scraped_at": "2026-06-16T11:57:40Z" }, { "website": "sites.google.com", "tags": [ "Phishing" ], "service_provider": "Google", "phishing": "Attackers have used sites.google.com for phishing which can impersonate legitimate websites and then redirect users to malicious websites to enter their credentials.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/516600/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/73697465732e676f6f676c652e636f6d", "detail_slug": "73697465732e676f6f676c652e636f6d", "detail_url": "https://lots-project.com/site/73697465732e676f6f676c652e636f6d", "scraped_at": "2026-06-16T11:57:41Z" }, { "website": "*.cloudfront.net", "tags": [ "Phishing", "C&C", "Download" ], "service_provider": "Amazon Web Services", "phishing": "Attackers can use *.cloudfront.net to host their phishing websites.", "command_and_control": "Subdomains of cloudfront.net have been used as C&C servers by ransomware.", "exfiltration": "None", "download": "Malicious tools can be stored on *.cloudfront.net and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/481251/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e636c6f756466726f6e742e6e6574", "detail_slug": "2a2e636c6f756466726f6e742e6e6574", "detail_url": "https://lots-project.com/site/2a2e636c6f756466726f6e742e6e6574", "scraped_at": "2026-06-16T11:57:41Z" }, { "website": "bitbucket.io", "tags": [ "Phishing" ], "service_provider": "Atlassian", "phishing": "Attackers can use *.bitbucket.io to host their phishing websites.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/505492/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/6269746275636b65742e696f", "detail_slug": "6269746275636b65742e696f", "detail_url": "https://lots-project.com/site/6269746275636b65742e696f", "scraped_at": "2026-06-16T11:57:41Z" }, { "website": "bitbucket.org", "tags": [ "Phishing", "Download", "Exfiltration", "C&C" ], "service_provider": "Atlassian", "phishing": "Attackers can host malware on bitbucket.org and send phishing emails to have users download the malware.", "command_and_control": "bitbucket.org can be used to host C&C commands and have malware periodically fetch them.", "exfiltration": "Attackers can push data onto bitbucket.org repositories.", "download": "Attackers can host malicious files on bitbucket.org and when needed, the files can be downloaded.", "sample_url": "https://www.joesandbox.com/analysis/401517/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/6269746275636b65742e6f7267", "detail_slug": "6269746275636b65742e6f7267", "detail_url": "https://lots-project.com/site/6269746275636b65742e6f7267", "scraped_at": "2026-06-16T11:57:42Z" }, { "website": "firebasestorage.googleapis.com", "tags": [ "Phishing", "Exfiltration", "C&C", "Download" ], "service_provider": "Google", "phishing": "Attackers can use firebasestorage.googleapis.com to host their phishing websites.", "command_and_control": "Attackers can use firebasestorage.googleapis.com as their C&C server.", "exfiltration": "Attackers can push data onto firebasestorage.googleapis.com storage. The file types that can be pushed are restricted.", "download": "Attackers can host malicious files on firebasestorage.googleapis.com and when needed, the files can be downloaded.", "sample_url": "https://www.joesandbox.com/analysis/500007/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/666972656261736573746f726167652e676f6f676c65617069732e636f6d", "detail_slug": "666972656261736573746f726167652e676f6f676c65617069732e636f6d", "detail_url": "https://lots-project.com/site/666972656261736573746f726167652e676f6f676c65617069732e636f6d", "scraped_at": "2026-06-16T11:57:42Z" }, { "website": "storage.googleapis.com", "tags": [ "Phishing", "Download", "Exfiltration", "C&C" ], "service_provider": "Google", "phishing": "Attackers can use storage.googleapis.com to host their phishing websites.", "command_and_control": "Attackers can use storage.googleapis.com as their C&C server.", "exfiltration": "Attackers can push data onto storage.googleapis.com storage.", "download": "Attackers can host malicious files on storage.googleapis.com and when needed, the files can be downloaded.", "sample_url": "https://www.joesandbox.com/analysis/505091/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/73746f726167652e676f6f676c65617069732e636f6d", "detail_slug": "73746f726167652e676f6f676c65617069732e636f6d", "detail_url": "https://lots-project.com/site/73746f726167652e676f6f676c65617069732e636f6d", "scraped_at": "2026-06-16T11:57:43Z" }, { "website": "*.herokuapp.com", "tags": [ "Phishing", "Download", "Exfiltration", "C&C" ], "service_provider": "Heroku", "phishing": "Attackers can use a customized subdomain of herokuapp.com to host their phishing websites.", "command_and_control": "Attackers can use a customized subdomain of herokuapp.com as their C&C server.", "exfiltration": "Attackers can add upload functionalities hosted on *.herokuapp.com and exfiltrate data on there.", "download": "Malicious tools can be stored on *.herokuapp.com and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/475669/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e6865726f6b756170702e636f6d", "detail_slug": "2a2e6865726f6b756170702e636f6d", "detail_url": "https://lots-project.com/site/2a2e6865726f6b756170702e636f6d", "scraped_at": "2026-06-16T11:57:43Z" }, { "website": "*.zendesk.com", "tags": [ "Phishing", "Download" ], "service_provider": "Zendesk", "phishing": "Attackers can use a customized subdomain of zendesk.com to host their phishing websites.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be stored on *.zendesk.com and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/476510/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e7a656e6465736b2e636f6d", "detail_slug": "2a2e7a656e6465736b2e636f6d", "detail_url": "https://lots-project.com/site/2a2e7a656e6465736b2e636f6d", "scraped_at": "2026-06-16T11:57:43Z" }, { "website": "*.cloudwaysapps.com", "tags": [ "Phishing", "Download", "Exfiltration", "C&C" ], "service_provider": "Cloudways", "phishing": "Attackers can use a subdomain of cloudwaysapps.com to host their phishing websites.", "command_and_control": "Attackers can use a subdomain of cloudwaysapps.com as their C&C server.", "exfiltration": "Attackers can add upload functionalities hosted on *.cloudwaysapps.com and exfiltrate data on there.", "download": "Malicious tools can be stored on *.cloudwaysapps.com and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/196213/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e636c6f756477617973617070732e636f6d", "detail_slug": "2a2e636c6f756477617973617070732e636f6d", "detail_url": "https://lots-project.com/site/2a2e636c6f756477617973617070732e636f6d", "scraped_at": "2026-06-16T11:57:44Z" }, { "website": "*.netlify.app", "tags": [ "Phishing" ], "service_provider": "Netlify", "phishing": "Attackers can use a subdomain of netlify.app to host their phishing websites.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/497306/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e6e65746c6966792e617070", "detail_slug": "2a2e6e65746c6966792e617070", "detail_url": "https://lots-project.com/site/2a2e6e65746c6966792e617070", "scraped_at": "2026-06-16T11:57:44Z" }, { "website": "*.cloudapp.azure.com", "tags": [ "Phishing", "Download", "Exfiltration", "C&C" ], "service_provider": "Microsoft", "phishing": "Attackers can use a customized subdomain of cloudapp.azure.com to host their phishing websites.", "command_and_control": "Attackers can use a customized subdomain of cloudapp.azure.com as their C&C server.", "exfiltration": "Attackers can add upload functionalities hosted on *.cloudapp.azure.com and exfiltrate data on there.", "download": "Malicious tools can be stored on *.cloudapp.azure.com and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/341762/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e636c6f75646170702e617a7572652e636f6d", "detail_slug": "2a2e636c6f75646170702e617a7572652e636f6d", "detail_url": "https://lots-project.com/site/2a2e636c6f75646170702e617a7572652e636f6d", "scraped_at": "2026-06-16T11:57:44Z" }, { "website": "*.cloudapp.net", "tags": [ "Phishing", "Download", "Exfiltration", "C&C" ], "service_provider": "Microsoft", "phishing": "Attackers can use a customized subdomain of cloudapp.net to host their phishing websites.", "command_and_control": "Attackers can use a customized subdomain of cloudapp.net as their C&C server.", "exfiltration": "Attackers can add upload functionalities hosted on *.cloudapp.net and exfiltrate data on there.", "download": "Malicious tools can be stored on *.cloudapp.net and downloaded when required.", "sample_url": "https://app.any.run/tasks/4e40f95a-4829-4901-b348-1d92b61d59c5/", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e636c6f75646170702e6e6574", "detail_slug": "2a2e636c6f75646170702e6e6574", "detail_url": "https://lots-project.com/site/2a2e636c6f75646170702e6e6574", "scraped_at": "2026-06-16T11:57:45Z" }, { "website": "gitlab.com", "tags": [ "Phishing", "Download" ], "service_provider": "GitLab", "phishing": "Attackers can host malware on gitlab.com and send phishing emails to have users download the malware. Another way is to fork a legitimate project, and add malware to it and then phish users to download the trojanized project.", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can host malicious files on gitlab.com and when needed, the files can be downloaded.", "sample_url": "https://www.joesandbox.com/analysis/95608/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/6769746c61622e636f6d", "detail_slug": "6769746c61622e636f6d", "detail_url": "https://lots-project.com/site/6769746c61622e636f6d", "scraped_at": "2026-06-16T11:57:45Z" }, { "website": "filetransfer.io", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "Filetransfer.io", "phishing": "Attackers can upload malicious files and share them to targets via FileTransfer.io's email servers. filetransfer.io asks for a sender email before sharing the files which allows the attacker to enter a fake email and therefore the files appear to be shared from the fake email.", "command_and_control": "None", "exfiltration": "Attackers can upload data to filetransfer.io and share the link to themselves to download the exfiltrated data. Requires GUI access.", "download": "Attackers can keep their tools stored on filetrasnfer.io and when required, use the custom link to download. Requires GUI access.", "sample_url": "https://www.joesandbox.com/analysis/493780/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/66696c657472616e736665722e696f", "detail_slug": "66696c657472616e736665722e696f", "detail_url": "https://lots-project.com/site/66696c657472616e736665722e696f", "scraped_at": "2026-06-16T11:57:46Z" }, { "website": "*.sendspace.com", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "Sendspace", "phishing": "Attackers can upload malicious files and share them to targets via SendSpace's email servers. sendspace.com asks for a sender email before sharing the files which allows the attacker to enter a fake email and therefore the files appear to be shared from the fake email. Alternatively, an attacker can grab the direct download link and share it with targets using alternative methods.", "command_and_control": "None", "exfiltration": "Attackers can upload data to sendspace.com and share the link to themselves to download the exfiltrated data. Requires GUI access.", "download": "Attackers can keep their tools stored on sendspace.com and when required, use the custom link to download. If the direct link is used then GUI access is not required.", "sample_url": "https://www.joesandbox.com/analysis/366435/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e73656e6473706163652e636f6d", "detail_slug": "2a2e73656e6473706163652e636f6d", "detail_url": "https://lots-project.com/site/2a2e73656e6473706163652e636f6d", "scraped_at": "2026-06-16T11:57:46Z" }, { "website": "wetransfer.com", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "WeTransfer B.V", "phishing": "Attackers can upload malicious files and share them to targets via WeTransfer's email servers. wetransfer.com validates the sender email before using it.", "command_and_control": "None", "exfiltration": "Attackers can upload data to wetransfer.com and share the link to themselves to download the exfiltrated data. Requires GUI access.", "download": "Attackers can keep their tools stored on wetransfer.com and when required, use the custom link to download.", "sample_url": "https://www.joesandbox.com/analysis/487302/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/77657472616e736665722e636f6d", "detail_slug": "77657472616e736665722e636f6d", "detail_url": "https://lots-project.com/site/77657472616e736665722e636f6d", "scraped_at": "2026-06-16T11:57:46Z" }, { "website": "cdn.fbsbx.com", "tags": [ "Phishing" ], "service_provider": "Facebook", "phishing": "Attackers can upload malicious files documents on Facebook Messenger and share the direct download link with users. Since the file types are heavily restricted by Facebook, this is only useful for sharing documents such as PDF, DOC, XLS etc.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/63646e2e66627362782e636f6d", "detail_slug": "63646e2e66627362782e636f6d", "detail_url": "https://lots-project.com/site/63646e2e66627362782e636f6d", "scraped_at": "2026-06-16T11:57:47Z" }, { "website": "mediafire.com", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "Mediafire", "phishing": "Attackers can upload malicious files and share the link with targets.", "command_and_control": "None", "exfiltration": "Attackers can upload data to mediafire.com and share the link to themselves to download the exfiltrated data.", "download": "Attackers can keep their tools stored on mediafire.com and when required, use the custom link to download.", "sample_url": "https://www.joesandbox.com/analysis/503282/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/6d65646961666972652e636f6d", "detail_slug": "6d65646961666972652e636f6d", "detail_url": "https://lots-project.com/site/6d65646961666972652e636f6d", "scraped_at": "2026-06-16T11:57:47Z" }, { "website": "cdn.discordapp.com", "tags": [ "Phishing", "Download" ], "service_provider": "Discord", "phishing": "An attacker can upload malicious files on Discord and share the download link with targets.", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can keep their tools stored on cdn.discordapp.com and when required, use the custom link to download.", "sample_url": "https://www.joesandbox.com/analysis/517177/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/63646e2e646973636f72646170702e636f6d", "detail_slug": "63646e2e646973636f72646170702e636f6d", "detail_url": "https://lots-project.com/site/63646e2e646973636f72646170702e636f6d", "scraped_at": "2026-06-16T11:57:47Z" }, { "website": "*.workers.dev", "tags": [ "Phishing", "Download", "Exfiltration", "C&C" ], "service_provider": "Cloudflare", "phishing": "Cloudflare Workers can be used to host phishing websites.", "command_and_control": "Cloudflare Workers can be used as C&C servers.", "exfiltration": "Attackers can add upload functionalities hosted on *.workers.dev and exfiltrate data on there.", "download": "Malicious tools can be stored on *.workers.dev and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/506551/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e776f726b6572732e646576", "detail_slug": "2a2e776f726b6572732e646576", "detail_url": "https://lots-project.com/site/2a2e776f726b6572732e646576", "scraped_at": "2026-06-16T11:57:48Z" }, { "website": "slack-files.com", "tags": [ "Phishing" ], "service_provider": "Slack", "phishing": "Attackers can upload malicious files documents on Slack and share the direct download link with users. Since the file types are heavily restricted by Slack, this is only useful for sharing documents such as PDF, DOC, XLS etc.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/245078/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/736c61636b2d66696c65732e636f6d", "detail_slug": "736c61636b2d66696c65732e636f6d", "detail_url": "https://lots-project.com/site/736c61636b2d66696c65732e636f6d", "scraped_at": "2026-06-16T11:57:48Z" }, { "website": "youtube.com", "tags": [ "Phishing", "C&C" ], "service_provider": "Google", "phishing": "Attackers can use Youtube's redirect functionality to hide their URL. Youtube attempts to mitigate abuse by adding a splash screen which warns the user about the redirection to the external domain.", "command_and_control": "Youtube has been used as a C&C center by placing commands in the description of the videos and having malware fetch them.", "exfiltration": "None", "download": "None", "sample_url": "", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x, Ashley Tran", "detail_path": "/site/796f75747562652e636f6d", "detail_slug": "796f75747562652e636f6d", "detail_url": "https://lots-project.com/site/796f75747562652e636f6d", "scraped_at": "2026-06-16T11:57:49Z" }, { "website": "reddit.com", "tags": [ "C&C" ], "service_provider": "Reddit", "phishing": "None", "command_and_control": "Attackers have used Reddit as an intermediary C&C server by creating posts with a title that contain a list of the real C&C servers and having the malware reach out and fetch the IPs.", "exfiltration": "None", "download": "None", "sample_url": "", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/7265646469742e636f6d", "detail_slug": "7265646469742e636f6d", "detail_url": "https://lots-project.com/site/7265646469742e636f6d", "scraped_at": "2026-06-16T11:57:49Z" }, { "website": "pastebin.com", "tags": [ "Download", "Exfiltration", "C&C" ], "service_provider": "Pastebin", "phishing": "None", "command_and_control": "Pastebin can be used for C&C purposes. The attacker will place the commands in Pastebin and have the malware fetch the commands.", "exfiltration": "Attackers will upload sensitive data onto Pastebin and share the link with themselves for later access.", "download": "Attackers upload the source code of tools onto Pastebin and download them when necessary.", "sample_url": "https://www.joesandbox.com/analysis/470697/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/706173746562696e2e636f6d", "detail_slug": "706173746562696e2e636f6d", "detail_url": "https://lots-project.com/site/706173746562696e2e636f6d", "scraped_at": "2026-06-16T11:57:49Z" }, { "website": "*.sharepoint.com", "tags": [ "Phishing", "Download" ], "service_provider": "Microsoft", "phishing": "Attackers host phishing websites on a sharepoint.com subdomain and redirect users to malicious websites. Alternatively, they can host malicious documents that can be downloaded.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be stored on *.sharepoint.com and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/516205/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x, @InfoSPECtre", "detail_path": "/site/2a2e7368617265706f696e742e636f6d", "detail_slug": "2a2e7368617265706f696e742e636f6d", "detail_url": "https://lots-project.com/site/2a2e7368617265706f696e742e636f6d", "scraped_at": "2026-06-16T11:57:50Z" }, { "website": "onedrive.live.com", "tags": [ "Phishing" ], "service_provider": "Microsoft", "phishing": "Attackers create a shareable link for OneDrive files which use the 1drv.ms domain. Upon clicking on the link it is exapnded to onedrive.live.com. The link is then utilized to phish users and have them download malware. Alternatively, phishing pages are create using OneNote and shared with users in hopes of clicking on a link that redirects them to a malicious domain.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/517811/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/6f6e6564726976652e6c6976652e636f6d", "detail_slug": "6f6e6564726976652e6c6976652e636f6d", "detail_url": "https://lots-project.com/site/6f6e6564726976652e6c6976652e636f6d", "scraped_at": "2026-06-16T11:57:50Z" }, { "website": "app.milanote.com", "tags": [ "Phishing" ], "service_provider": "Milanote", "phishing": "Attackers can use a app.milanote.com to host their phishing websites, generally with the intention of redirecting users to the malicious domain.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/479173/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/6170702e6d696c616e6f74652e636f6d", "detail_slug": "6170702e6d696c616e6f74652e636f6d", "detail_url": "https://lots-project.com/site/6170702e6d696c616e6f74652e636f6d", "scraped_at": "2026-06-16T11:57:50Z" }, { "website": "*.appspot.com", "tags": [ "Phishing", "Download", "C&C" ], "service_provider": "Google", "phishing": "Attackers can use a subdomain of appspot.com to host their phishing websites.", "command_and_control": "Attackers can utilize *.appspot.com for C&C purposes.", "exfiltration": "None", "download": "Malicious tools can be stored on *.appspot.com and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/509569/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e61707073706f742e636f6d", "detail_slug": "2a2e61707073706f742e636f6d", "detail_url": "https://lots-project.com/site/2a2e61707073706f742e636f6d", "scraped_at": "2026-06-16T11:57:51Z" }, { "website": "*.wordpress.com", "tags": [ "Phishing", "Download", "C&C", "Exfiltration" ], "service_provider": "Wordpress Foundation", "phishing": "Attackers can use a customized subdomain of wordpress.com to host their phishing websites.", "command_and_control": "Attackers have previously used Wordpress as a C&C server.", "exfiltration": "Attackers can upload exfiltrated data onto applications hosted on *.wordpress.com.", "download": "Malicious tools can be stored on *.wordpress.com and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/369736/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e776f726470726573732e636f6d", "detail_slug": "2a2e776f726470726573732e636f6d", "detail_url": "https://lots-project.com/site/2a2e776f726470726573732e636f6d", "scraped_at": "2026-06-16T11:57:51Z" }, { "website": "*.azureedge.net", "tags": [ "Phishing", "C&C" ], "service_provider": "Microsoft", "phishing": "Attackers can use a customized subdomain of azureedge.net to host their phishing websites.", "command_and_control": "Attackers have previously used *.azureedge.net as a C&C server.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/295516/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e617a757265656467652e6e6574", "detail_slug": "2a2e617a757265656467652e6e6574", "detail_url": "https://lots-project.com/site/2a2e617a757265656467652e6e6574", "scraped_at": "2026-06-16T11:57:52Z" }, { "website": "*.tumblr.com", "tags": [ "Phishing", "C&C" ], "service_provider": "Tumblr", "phishing": "Attackers have previously setup tumblr.com subdomains that redirect to malicious domains.", "command_and_control": "Attackers can utilize *.tumblr.com for C&C purposes.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/383324/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e74756d626c722e636f6d", "detail_slug": "2a2e74756d626c722e636f6d", "detail_url": "https://lots-project.com/site/2a2e74756d626c722e636f6d", "scraped_at": "2026-06-16T11:57:52Z" }, { "website": "*.backblazeb2.com", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "BackBlaze", "phishing": "Attackers have used *.backblazeb2.com to store malicious files and then share them with targets.", "command_and_control": "None", "exfiltration": "backblazeb2.com can be used to store exfiltrated files on there.", "download": "backblazeb2.com creates shared links for files which enables attackers to store tools there and download them when required.", "sample_url": "https://www.joesandbox.com/analysis/509917/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e6261636b626c617a6562322e636f6d", "detail_slug": "2a2e6261636b626c617a6562322e636f6d", "detail_url": "https://lots-project.com/site/2a2e6261636b626c617a6562322e636f6d", "scraped_at": "2026-06-16T11:57:52Z" }, { "website": "*.blogspot.com", "tags": [ "Phishing", "C&C" ], "service_provider": "Google", "phishing": "Attackers can use a customized subdomain of blogspot.com to host their phishing website.", "command_and_control": "Attackers can utilize *.blogspot.com for C&C purposes.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/503652/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e626c6f6773706f742e636f6d", "detail_slug": "2a2e626c6f6773706f742e636f6d", "detail_url": "https://lots-project.com/site/2a2e626c6f6773706f742e636f6d", "scraped_at": "2026-06-16T11:57:53Z" }, { "website": "*.translate.goog", "tags": [ "Phishing", "Download" ], "service_provider": "Google", "phishing": "Attackers can use Google Translate to masquerade their domain for phishing purposes. The attacker's domain will be transformed to the following format: attacker-site-tld.translate.goog.", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can upload files onto their malicious domain, masquerade it with Google Translate and then when required, use the *.translate.goog link to download the tool.", "sample_url": "https://www.joesandbox.com/analysis/342309/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e7472616e736c6174652e676f6f67", "detail_slug": "2a2e7472616e736c6174652e676f6f67", "detail_url": "https://lots-project.com/site/2a2e7472616e736c6174652e676f6f67", "scraped_at": "2026-06-16T11:57:53Z" }, { "website": "*.googleusercontent.com", "tags": [ "Phishing", "C&C" ], "service_provider": "Google", "phishing": "Attackers can use a customized subdomain of googleusercontent.com to host their phishing website.", "command_and_control": "Attackers can utilize *.googleusercontent.com for C&C purposes.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/508883/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e676f6f676c6575736572636f6e74656e742e636f6d", "detail_slug": "2a2e676f6f676c6575736572636f6e74656e742e636f6d", "detail_url": "https://lots-project.com/site/2a2e676f6f676c6575736572636f6e74656e742e636f6d", "scraped_at": "2026-06-16T11:57:53Z" }, { "website": "*.typeform.com", "tags": [ "Phishing" ], "service_provider": "Typeform", "phishing": "Attackers can use a customized subdomain of typeform.com to host their phishing website.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/514803/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e74797065666f726d2e636f6d", "detail_slug": "2a2e74797065666f726d2e636f6d", "detail_url": "https://lots-project.com/site/2a2e74797065666f726d2e636f6d", "scraped_at": "2026-06-16T11:57:54Z" }, { "website": "*.github.io", "tags": [ "Phishing" ], "service_provider": "Github", "phishing": "Attackers can use a customized subdomain of github.io to host their phishing website.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/378081/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e6769746875622e696f", "detail_slug": "2a2e6769746875622e696f", "detail_url": "https://lots-project.com/site/2a2e6769746875622e696f", "scraped_at": "2026-06-16T11:57:54Z" }, { "website": "*.web.app", "tags": [ "Phishing" ], "service_provider": "Google", "phishing": "Attackers can use a customized subdomain of web.app to host their phishing website.", "command_and_control": "Attackers can utilize *.web.app for C&C purposes.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/516396/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e7765622e617070", "detail_slug": "2a2e7765622e617070", "detail_url": "https://lots-project.com/site/2a2e7765622e617070", "scraped_at": "2026-06-16T11:57:55Z" }, { "website": "*.firebaseapp.com", "tags": [ "Phishing", "C&C" ], "service_provider": "Google", "phishing": "Attackers can use a customized subdomain of firebaseapp.com to host their phishing website.", "command_and_control": "Attackers can utilize *.firebaseapp.com for C&C purposes.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/494252/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e66697265626173656170702e636f6d", "detail_slug": "2a2e66697265626173656170702e636f6d", "detail_url": "https://lots-project.com/site/2a2e66697265626173656170702e636f6d", "scraped_at": "2026-06-16T11:57:55Z" }, { "website": "*.webflow.io", "tags": [ "Phishing" ], "service_provider": "Webflow", "phishing": "Attackers can use a customized subdomain of webflow.io to redirect users to their phishing website.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/453370/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e776562666c6f772e696f", "detail_slug": "2a2e776562666c6f772e696f", "detail_url": "https://lots-project.com/site/2a2e776562666c6f772e696f", "scraped_at": "2026-06-16T11:57:55Z" }, { "website": "icloud.com", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "Apple", "phishing": "Attackers have used icloud.com to store malicious files and then share them with targets.", "command_and_control": "None", "exfiltration": "Attackers can use iCloud to exfiltrate and store data.", "download": "Attackers can upload tools onto an iCloud account and use the link to download these tools when required.", "sample_url": "https://www.hybrid-analysis.com/sample/98df74f33fe5d549737c660d066fdfb07a1c9527663db0b70f105caafff211b8/616f2760372f9003832efbdc", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/69636c6f75642e636f6d", "detail_slug": "69636c6f75642e636f6d", "detail_url": "https://lots-project.com/site/69636c6f75642e636f6d", "scraped_at": "2026-06-16T11:57:56Z" }, { "website": "*.duckdns.org", "tags": [ "Phishing", "C&C" ], "service_provider": "DuckDNS", "phishing": "Attackers use the Dynamic DNS service DuckDNS for phishing purposes.", "command_and_control": "New Norman Cryptominer used DuckDNS as a C&C server.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/510752/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e6475636b646e732e6f7267", "detail_slug": "2a2e6475636b646e732e6f7267", "detail_url": "https://lots-project.com/site/2a2e6475636b646e732e6f7267", "scraped_at": "2026-06-16T11:57:56Z" }, { "website": "*.pages.dev", "tags": [ "Phishing" ], "service_provider": "Cloudflare", "phishing": "Cloudflare Pages can be used to host phishing websites.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/495208/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/2a2e70616765732e646576", "detail_slug": "2a2e70616765732e646576", "detail_url": "https://lots-project.com/site/2a2e70616765732e646576", "scraped_at": "2026-06-16T11:57:56Z" }, { "website": "googleweblight.com", "tags": [ "Phishing", "Download" ], "service_provider": "Google", "phishing": "Attackers use googleweblight.com to redirect targets to a malicious domain.", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can use googleweblight.com to masquerade a direct download link.", "sample_url": "https://www.joesandbox.com/analysis/503380/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/676f6f676c657765626c696768742e636f6d", "detail_slug": "676f6f676c657765626c696768742e636f6d", "detail_url": "https://lots-project.com/site/676f6f676c657765626c696768742e636f6d", "scraped_at": "2026-06-16T11:57:57Z" }, { "website": "forms.office.com", "tags": [ "Phishing" ], "service_provider": "Microsoft", "phishing": "Attackers use Microsoft Forms to phish users into typing their passwords.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/475163/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/666f726d732e6f66666963652e636f6d", "detail_slug": "666f726d732e6f66666963652e636f6d", "detail_url": "https://lots-project.com/site/666f726d732e6f66666963652e636f6d", "scraped_at": "2026-06-16T11:57:57Z" }, { "website": "sway.office.com", "tags": [ "Phishing" ], "service_provider": "Microsoft", "phishing": "Attackers use Microsoft Sway to phish targets into clicking on links that take them to malicious domains. Microsoft Sway also allows for password protection which gives attackers the ability to pretend it's a sensitive document.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/269894/0/html", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/737761792e6f66666963652e636f6d", "detail_slug": "737761792e6f66666963652e636f6d", "detail_url": "https://lots-project.com/site/737761792e6f66666963652e636f6d", "scraped_at": "2026-06-16T11:57:58Z" }, { "website": "discord.com", "tags": [ "C&C", "Exfiltration" ], "service_provider": "Discord", "phishing": "None", "command_and_control": "Discord chat bot APIs have been used for command and control.", "exfiltration": "Data can be exfiltrated onto Discord private servers and channels.", "download": "None", "sample_url": "", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/646973636f72642e636f6d", "detail_slug": "646973636f72642e636f6d", "detail_url": "https://lots-project.com/site/646973636f72642e636f6d", "scraped_at": "2026-06-16T11:57:58Z" }, { "website": "slack.com", "tags": [ "C&C" ], "service_provider": "Slack", "phishing": "None", "command_and_control": "There are several open source tools that allow the usage of Slack as a C&C server.", "exfiltration": "None", "download": "None", "sample_url": "", "created": "2021-11-10", "last_update": "2021-11-10", "credits": "mr.d0x", "detail_path": "/site/736c61636b2e636f6d", "detail_slug": "736c61636b2e636f6d", "detail_url": "https://lots-project.com/site/736c61636b2e636f6d", "scraped_at": "2026-06-16T11:57:58Z" }, { "website": "api.telegram.org", "tags": [ "C&C", "Exfiltration" ], "service_provider": "Telegram", "phishing": "None", "command_and_control": "Telegram is being increasingly used as a C&C server by attackers. CheckPoint reported that a Remote Access Trojan, ToxicEye, used Telegram for C&C. One additional benefit of using Telegram as a C&C server is it allows attackers to use their mobile device to access infected machines.", "exfiltration": "Data can be exfiltrated onto Telegram by using a bot controlled by the attacker and sending it the data as a private message. This was demonstrated by SecurityBoulevard.", "download": "None", "sample_url": "", "created": "2021-11-12", "last_update": "2021-11-12", "credits": "@abosalahps, @_FirehaK", "detail_path": "/site/6170692e74656c656772616d2e6f7267", "detail_slug": "6170692e74656c656772616d2e6f7267", "detail_url": "https://lots-project.com/site/6170692e74656c656772616d2e6f7267", "scraped_at": "2026-06-16T11:57:59Z" }, { "website": "*.gofile.io", "tags": [ "Phishing", "Exfiltration", "Download" ], "service_provider": "Gofile", "phishing": "Malicious files can be uploaded on gofile.io and then have the direct link shared with targets in phishing attacks.", "command_and_control": "None", "exfiltration": "Attackers can upload data to gofile.io and share the link to themselves to download the exfiltrated data.", "download": "Attackers can keep their tools stored on gofile.io and when required, use the direct download link to fetch the tools.", "sample_url": "https://www.hybrid-analysis.com/sample/345ee78ba847b524532e2844efe9e838fdff05a83cfdecb7b1e80a1e57dd2cf8/61859856ce4d9f692c5caee2", "created": "2021-11-13", "last_update": "2021-11-13", "credits": "@mattnotmax", "detail_path": "/site/2a2e676f66696c652e696f", "detail_slug": "2a2e676f66696c652e696f", "detail_url": "https://lots-project.com/site/2a2e676f66696c652e696f", "scraped_at": "2026-06-16T11:57:59Z" }, { "website": "*.instagram.com", "tags": [ "Phishing", "C&C" ], "service_provider": "Facebook", "phishing": "Attackers can use the l.instagram.com subdomain to redirect users to an external URL. Although Instagram scans the URL (which can be bypassed by using a URL shortening service) and includes a time-based token to reduce the chances of abuse.", "command_and_control": "The Instagram API can be used to make Instagram a C&C server. An open source tool \"Social-media-c2\" uses the like functionality on Instagram to send commands to infected machines.", "exfiltration": "None", "download": "None", "sample_url": "", "created": "2021-11-13", "last_update": "2021-11-13", "credits": "@TalenceSecurity, @mattnotmax", "detail_path": "/site/2a2e696e7374616772616d2e636f6d", "detail_slug": "2a2e696e7374616772616d2e636f6d", "detail_url": "https://lots-project.com/site/2a2e696e7374616772616d2e636f6d", "scraped_at": "2026-06-16T11:57:59Z" }, { "website": "facebook.com", "tags": [ "C&C" ], "service_provider": "Facebook", "phishing": "None", "command_and_control": "Facebook can be used as a C&C server by attackers by publishing posts that contain commands and then having the infected machines fetch them.", "exfiltration": "None", "download": "None", "sample_url": "", "created": "2021-11-13", "last_update": "2021-11-13", "credits": "@TalenceSecurity", "detail_path": "/site/66616365626f6f6b2e636f6d", "detail_slug": "66616365626f6f6b2e636f6d", "detail_url": "https://lots-project.com/site/66616365626f6f6b2e636f6d", "scraped_at": "2026-06-16T11:58:00Z" }, { "website": "*.glitch.me", "tags": [ "Phishing", "Download" ], "service_provider": "Glitch", "phishing": "Attackers can use a customized subdomain of glitch.me to host their phishing websites.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be stored on *.glitch.me and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/515940/0/html", "created": "2021-11-13", "last_update": "2021-11-13", "credits": "Chad Anderson - @piffey", "detail_path": "/site/2a2e676c697463682e6d65", "detail_slug": "2a2e676c697463682e6d65", "detail_url": "https://lots-project.com/site/2a2e676c697463682e6d65", "scraped_at": "2026-06-16T11:58:00Z" }, { "website": "bit.ly", "tags": [ "Phishing", "Download" ], "service_provider": "Bitly Inc.", "phishing": "Attackers can use the URL shortener, bit.ly, to masquerade their domain name and send the shortened link to their targets.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be stored on an attacker's domain and then have the URL shortened. When the tools are needed, the shortened URL is used to download the tools.", "sample_url": "https://www.joesandbox.com/analysis/519951/0/html", "created": "2021-11-13", "last_update": "2021-11-13", "credits": "@mattnotmax", "detail_path": "/site/6269742e6c79", "detail_slug": "6269742e6c79", "detail_url": "https://lots-project.com/site/6269742e6c79", "scraped_at": "2026-06-16T11:58:01Z" }, { "website": "*.trycloudflare.com", "tags": [ "Phishing", "Download" ], "service_provider": "Cloudflare", "phishing": "Attackers can use the try.cloudflare.com service to get a subdomain on *.trycloudflare.com. The service works similarly to Ngrok and allows attackers to expose a local web server to the internet. Attackers abuse this functionality to expose malicious servers on a *.trycloudflare.com subdomain.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be stored on an attacker's local web server. The local web server is then exposed to the internet on a *.trycloudflare.com subdomain and when the tools are needed, the link is used to download the tools.", "sample_url": "https://www.hybrid-analysis.com/sample/9bffaa52ff450bad0bb52382766d03e77e84b25a200343a74581f3ecde48ab02/616f0ddce60c3a232b7b17cd", "created": "2021-11-13", "last_update": "2021-11-13", "credits": "Ryan Basden - @_rybaz", "detail_path": "/site/2a2e747279636c6f7564666c6172652e636f6d", "detail_slug": "2a2e747279636c6f7564666c6172652e636f6d", "detail_url": "https://lots-project.com/site/2a2e747279636c6f7564666c6172652e636f6d", "scraped_at": "2026-06-16T11:58:01Z" }, { "website": "beautiful.ai", "tags": [ "Phishing" ], "service_provider": "Beautiful.ai", "phishing": "Attackers can create a presentation on beautiful.ai with embedded links that redirect to malicious domains and then share the presentation to target users.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/496632/0/html", "created": "2021-11-13", "last_update": "2021-11-13", "credits": "0xwerart", "detail_path": "/site/62656175746966756c2e6169", "detail_slug": "62656175746966756c2e6169", "detail_url": "https://lots-project.com/site/62656175746966756c2e6169", "scraped_at": "2026-06-16T11:58:01Z" }, { "website": "siasky.net", "tags": [ "Phishing", "Exfiltration", "Download" ], "service_provider": "Siasky", "phishing": "Attackers can upload malicious files to siasky.net and then share the direct download link with targets.", "command_and_control": "None", "exfiltration": "Attackers can upload data to siasky.net and share the link to themselves to download the exfiltrated data.", "download": "Attackers can keep their tools stored on siasky.net and when required, use the direct download link to fetch the tools.", "sample_url": "https://www.joesandbox.com/analysis/472610/0/html", "created": "2021-11-13", "last_update": "2021-11-13", "credits": "Pon", "detail_path": "/site/736961736b792e6e6574", "detail_slug": "736961736b792e6e6574", "detail_url": "https://lots-project.com/site/736961736b792e6e6574", "scraped_at": "2026-06-16T11:58:02Z" }, { "website": "*.clickfunnels.com", "tags": [ "Phishing" ], "service_provider": "ClickFunnels", "phishing": "Attackers can use a personalized subdomain from clickfunnels.com to create a phishing page with embedded links to malicious domains.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/504403/0/html", "created": "2021-11-13", "last_update": "2021-11-13", "credits": "Disintegr8te", "detail_path": "/site/2a2e636c69636b66756e6e656c732e636f6d", "detail_slug": "2a2e636c69636b66756e6e656c732e636f6d", "detail_url": "https://lots-project.com/site/2a2e636c69636b66756e6e656c732e636f6d", "scraped_at": "2026-06-16T11:58:02Z" }, { "website": "*.docusign.com", "tags": [ "Phishing" ], "service_provider": "DocuSign", "phishing": "Attackers have used DocuSign to phish users and redirect them to malicious domains.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "", "created": "2021-11-13", "last_update": "2021-11-13", "credits": "@th3_protoCOL, @RavRabbit", "detail_path": "/site/2a2e646f63757369676e2e636f6d", "detail_slug": "2a2e646f63757369676e2e636f6d", "detail_url": "https://lots-project.com/site/2a2e646f63757369676e2e636f6d", "scraped_at": "2026-06-16T11:58:03Z" }, { "website": "*.digitaloceanspaces.com", "tags": [ "Phishing", "Download", "Exfiltration", "C&C" ], "service_provider": "DigitalOcean", "phishing": "DigitalOcean allows users to create a customized subdomain on digitaloceanspaces.com. Attackers abuse this functionality by hosting phishing websites.", "command_and_control": "*.digitaloceanspaces.com subdomains can be used as C&C servers.", "exfiltration": "Attackers can upload exfiltrated data onto applications hosted on *.digitaloceanspaces.com", "download": "Attackers can host malicious tools on *.digitaloceanspaces.com and download them when required.", "sample_url": "https://www.joesandbox.com/analysis/495306/0/html", "created": "2021-11-14", "last_update": "2021-11-14", "credits": "mattdep_", "detail_path": "/site/2a2e6469676974616c6f6365616e7370616365732e636f6d", "detail_slug": "2a2e6469676974616c6f6365616e7370616365732e636f6d", "detail_url": "https://lots-project.com/site/2a2e6469676974616c6f6365616e7370616365732e636f6d", "scraped_at": "2026-06-16T11:58:03Z" }, { "website": "*.godaddysites.com", "tags": [ "Phishing", "C&C" ], "service_provider": "GoDaddy", "phishing": "GoDaddy allows users to create a customized subdomain on godaddysites.com. Attackers abuse this functionality by hosting phishing websites.", "command_and_control": "*.godaddysites.com subdomains can be used as C&C servers.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/448978/0/html", "created": "2021-11-14", "last_update": "2021-11-14", "credits": "mattdep_", "detail_path": "/site/2a2e676f646164647973697465732e636f6d", "detail_slug": "2a2e676f646164647973697465732e636f6d", "detail_url": "https://lots-project.com/site/2a2e676f646164647973697465732e636f6d", "scraped_at": "2026-06-16T11:58:03Z" }, { "website": "*.weebly.com", "tags": [ "Phishing", "C&C" ], "service_provider": "Weebly", "phishing": "Weebly allows users to create a customized subdomain on weebly.com. Attackers abuse this functionality by hosting phishing websites.", "command_and_control": "Attackers can use *.weebly.com and C&C servers.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/520782/0/html", "created": "2021-11-14", "last_update": "2021-11-14", "credits": "mattdep_", "detail_path": "/site/2a2e776565626c792e636f6d", "detail_slug": "2a2e776565626c792e636f6d", "detail_url": "https://lots-project.com/site/2a2e776565626c792e636f6d", "scraped_at": "2026-06-16T11:58:04Z" }, { "website": "www.canva.com", "tags": [ "Phishing" ], "service_provider": "Canva", "phishing": "Attackers have abused Canva by creating a custom image with embedded links that redirects targets to malicious a domain.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/520209/0/html", "created": "2021-11-14", "last_update": "2021-11-14", "credits": "mattdep_", "detail_path": "/site/7777772e63616e76612e636f6d", "detail_slug": "7777772e63616e76612e636f6d", "detail_url": "https://lots-project.com/site/7777772e63616e76612e636f6d", "scraped_at": "2026-06-16T11:58:04Z" }, { "website": "t.co", "tags": [ "Phishing", "C&C" ], "service_provider": "Twitter", "phishing": "Attackers can use Twitter's short URL to masquerade their domain name and then send the shortened link to their targets. Twitter attempts to prevent abuse of their shortened URL by scanning domains being shortened.", "command_and_control": "Twitter's shortened URL, t.co, can be used for C&C purposes.", "exfiltration": "None", "download": "None", "sample_url": "", "created": "2021-11-15", "last_update": "2021-11-15", "credits": "@originalesushi", "detail_path": "/site/742e636f", "detail_slug": "742e636f", "detail_url": "https://lots-project.com/site/742e636f", "scraped_at": "2026-06-16T11:58:04Z" }, { "website": "*.mybluemix.net", "tags": [ "Phishing", "Download", "C&C" ], "service_provider": "IBM", "phishing": "Attackers can use *.mybluemix.net to host their phishing websites. They can be used for credential harvesting or redirecting users to a malicious websites.", "command_and_control": "Attackers can use *.mybluemix.net for C&C purposes.", "exfiltration": "None", "download": "Malicious tools can be stored on *.mybluemix.net and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/483345/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "Pon", "detail_path": "/site/2a2e6d79626c75656d69782e6e6574", "detail_slug": "2a2e6d79626c75656d69782e6e6574", "detail_url": "https://lots-project.com/site/2a2e6d79626c75656d69782e6e6574", "scraped_at": "2026-06-16T11:58:05Z" }, { "website": "appdomain.cloud", "tags": [ "Phishing", "Download", "C&C", "Exfiltration" ], "service_provider": "IBM", "phishing": "Attackers can use a *.appdomain.cloud subdomain to host their phishing websites. They can be used for credential harvesting or redirecting users to a malicious websites.", "command_and_control": "Attackers can use *.appdomain.cloud for C&C purposes.", "exfiltration": "Attackers can use *.appdomain.cloud as storage and upload exfiltrated files there.", "download": "Malicious tools can be stored on *.appdomain.cloud and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/496810/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "Pon", "detail_path": "/site/617070646f6d61696e2e636c6f7564", "detail_slug": "617070646f6d61696e2e636c6f7564", "detail_url": "https://lots-project.com/site/617070646f6d61696e2e636c6f7564", "scraped_at": "2026-06-16T11:58:05Z" }, { "website": "archive.org", "tags": [ "Phishing", "Download" ], "service_provider": "Archive.org", "phishing": "Attackers can create a phishing website and then use archive.org to hide their domain.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be uploaded on archive.org and then downloaded when needed.", "sample_url": "https://www.joesandbox.com/analysis/447280/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "mattdep_ , Rajan Christian - @thecybermafia, IJ Puzon - @IJPuzon", "detail_path": "/site/617263686976652e6f7267", "detail_slug": "617263686976652e6f7267", "detail_url": "https://lots-project.com/site/617263686976652e6f7267", "scraped_at": "2026-06-16T11:58:06Z" }, { "website": "spark.adobe.com", "tags": [ "Phishing", "C&C" ], "service_provider": "Adobe", "phishing": "Attackers can use spark.adobe.com to create websites with embedded links that redirect target users to malicious websites.", "command_and_control": "Attackers can use spark.adobe.com for C&C purposes.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/515360/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "@burgerelement, @smarr311, @umairq_", "detail_path": "/site/737061726b2e61646f62652e636f6d", "detail_slug": "737061726b2e61646f62652e636f6d", "detail_url": "https://lots-project.com/site/737061726b2e61646f62652e636f6d", "scraped_at": "2026-06-16T11:58:06Z" }, { "website": "*.atlassian.net", "tags": [ "Phishing", "C&C" ], "service_provider": "Atlassian", "phishing": "Attackers can use a *.atlassian.net subdomain that contains embedded links to redirect users to malicious websites.", "command_and_control": "Attackers can use *.atlassian.net for C&C purposes.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/465095/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "r0lan @yeyint_mth", "detail_path": "/site/2a2e61746c61737369616e2e6e6574", "detail_slug": "2a2e61746c61737369616e2e6e6574", "detail_url": "https://lots-project.com/site/2a2e61746c61737369616e2e6e6574", "scraped_at": "2026-06-16T11:58:06Z" }, { "website": "dogechain.info", "tags": [ "C&C" ], "service_provider": "Dogechain.info", "phishing": "None", "command_and_control": "The Doki malware has abused dogechain.info API for C&C purposes.", "exfiltration": "None", "download": "None", "sample_url": "https://www.zdnet.com/article/new-linux-malware-uses-dogecoin-api-to-find-c-c-server-addresses/", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "Lior Adar", "detail_path": "/site/646f6765636861696e2e696e666f", "detail_slug": "646f6765636861696e2e696e666f", "detail_url": "https://lots-project.com/site/646f6765636861696e2e696e666f", "scraped_at": "2026-06-16T11:58:07Z" }, { "website": "paste.ee", "tags": [ "C&C", "Exfiltration", "Download" ], "service_provider": "Paste.ee", "phishing": "None", "command_and_control": "Paste.ee can be used for C&C purposes. The attacker can place the commands in Paste.ee and have the malware fetch the commands.", "exfiltration": "Attackers will upload sensitive data onto Paste.ee and share the link with themselves for later access.", "download": "Attackers upload the source code of tools onto Paste.ee and download them when necessary.", "sample_url": "https://www.gdatasoftware.com/blog/netwire-rat-via-pasteee-and-ms-excel", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "Lior Adar", "detail_path": "/site/70617374652e6565", "detail_slug": "70617374652e6565", "detail_url": "https://lots-project.com/site/70617374652e6565", "scraped_at": "2026-06-16T11:58:07Z" }, { "website": "gitee.com", "tags": [ "C&C", "Download" ], "service_provider": "Gitee.com", "phishing": "None", "command_and_control": "Similiar to Github, Gitee.com can have files uploaded with commands and have the malware fetch those commands.", "exfiltration": "None", "download": "Attackers upload tools onto Gitee.com and download them when needed.", "sample_url": "", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "Lior Adar", "detail_path": "/site/67697465652e636f6d", "detail_slug": "67697465652e636f6d", "detail_url": "https://lots-project.com/site/67697465652e636f6d", "scraped_at": "2026-06-16T11:58:08Z" }, { "website": "*.rf.gd", "tags": [ "Phishing", "C&C" ], "service_provider": "InfinityFree", "phishing": "Attackers can use a *.rf.gd subdomain to host their phishing websites.", "command_and_control": "Attackers can use *.rf.gd for C&C purposes.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/393127/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "Thaddeus Toledo", "detail_path": "/site/2a2e72662e6764", "detail_slug": "2a2e72662e6764", "detail_url": "https://lots-project.com/site/2a2e72662e6764", "scraped_at": "2026-06-16T11:58:08Z" }, { "website": "viewer.joomag.com", "tags": [ "Phishing" ], "service_provider": "Joomag", "phishing": "Attackers can use viewer.joomag.com to create digital content which contains embedded links to malicious websites.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/498354/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "@smarr311", "detail_path": "/site/7669657765722e6a6f6f6d61672e636f6d", "detail_slug": "7669657765722e6a6f6f6d61672e636f6d", "detail_url": "https://lots-project.com/site/7669657765722e6a6f6f6d61672e636f6d", "scraped_at": "2026-06-16T11:58:08Z" }, { "website": "my.visme.co", "tags": [ "Phishing" ], "service_provider": "Visme", "phishing": "Attackers can use my.visme.co to create digital content which contains embedded links to malicious websites.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/467704/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "@smarr311", "detail_path": "/site/6d792e7669736d652e636f", "detail_slug": "6d792e7669736d652e636f", "detail_url": "https://lots-project.com/site/6d792e7669736d652e636f", "scraped_at": "2026-06-16T11:58:09Z" }, { "website": "archive.ph", "tags": [ "Phishing", "Download" ], "service_provider": "Archive.ph", "phishing": "Attackers can create a phishing website and then use archive.ph to hide their domain.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be uploaded on archive.ph and then downloaded when needed.", "sample_url": "", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "Rajan Christian - @thecybermafia", "detail_path": "/site/617263686976652e7068", "detail_slug": "617263686976652e7068", "detail_url": "https://lots-project.com/site/617263686976652e7068", "scraped_at": "2026-06-16T11:58:09Z" }, { "website": "docsend.com", "tags": [ "Phishing" ], "service_provider": "Docsend", "phishing": "Attackers can use Docsend to phish users and redirect them malicious domains.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/524724/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "Tas - @tas_kmanager", "detail_path": "/site/646f6373656e642e636f6d", "detail_slug": "646f6373656e642e636f6d", "detail_url": "https://lots-project.com/site/646f6373656e642e636f6d", "scraped_at": "2026-06-16T11:58:09Z" }, { "website": "*.nimbusweb.me", "tags": [ "Phishing" ], "service_provider": "Nimbus Note", "phishing": "Attackers can use *.nimbusweb.me to share notes that contain embedded links to malicious websites.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/467104/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "Tas - @tas_kmanager", "detail_path": "/site/2a2e6e696d6275737765622e6d65", "detail_slug": "2a2e6e696d6275737765622e6d65", "detail_url": "https://lots-project.com/site/2a2e6e696d6275737765622e6d65", "scraped_at": "2026-06-16T11:58:10Z" }, { "website": "*.oraclecloud.com", "tags": [ "Phishing", "Exfiltration", "Download", "C&C" ], "service_provider": "Oracle", "phishing": "Attackers can use a *.oraclecloud.com subdomain to host their phishing websites.", "command_and_control": "Attackers can use *.oraclecloud.com for C&C purposes.", "exfiltration": "Attackers can use Oracle Object Storage to upload exfiltrated files there.", "download": "Attackers can store malicious tools on Oracle Object Storage and download them when needed.", "sample_url": "https://www.joesandbox.com/analysis/499112/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "Tas - @tas_kmanager", "detail_path": "/site/2a2e6f7261636c65636c6f75642e636f6d", "detail_slug": "2a2e6f7261636c65636c6f75642e636f6d", "detail_url": "https://lots-project.com/site/2a2e6f7261636c65636c6f75642e636f6d", "scraped_at": "2026-06-16T11:58:10Z" }, { "website": "*.azurefd.net", "tags": [ "Phishing", "C&C" ], "service_provider": "Microsoft", "phishing": "Attackers can use a subdomain from Azure Front Door (*.azurefd.net) to host their phishing websites.", "command_and_control": "Attackers can use *.azurefd.net for C&C purposes.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/524563/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "@Nighsliv", "detail_path": "/site/2a2e617a75726566642e6e6574", "detail_slug": "2a2e617a75726566642e6e6574", "detail_url": "https://lots-project.com/site/2a2e617a75726566642e6e6574", "scraped_at": "2026-06-16T11:58:11Z" }, { "website": "parg.co", "tags": [ "Phishing", "Download" ], "service_provider": "Parg.co", "phishing": "Attackers can use the URL shortener, parg.co, to masquerade their domain name and send the shortened link to their targets.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be stored on an attacker's domain and then have the URL shortened. When the tools are needed, the shortened URL is used to download the tools.", "sample_url": "https://www.joesandbox.com/analysis/282950/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "Isaiah James Puzon - @IJPuzon", "detail_path": "/site/706172672e636f", "detail_slug": "706172672e636f", "detail_url": "https://lots-project.com/site/706172672e636f", "scraped_at": "2026-06-16T11:58:11Z" }, { "website": "*.ngrok.io", "tags": [ "Phishing", "C&C", "Exfiltration", "Download" ], "service_provider": "Ngrok", "phishing": "Attackers can use a subdomain hosted on *.ngrok.io to host their phishing website.", "command_and_control": "Attackers can use *.ngrok.io for C&C purposes.", "exfiltration": "Attackers can upload files on websites hosted on *.ngrok.io.", "download": "Malicious tools can be stored on an attacker's domain and then have it hidden behind *.ngrok.io and used to download files when needed.", "sample_url": "https://www.joesandbox.com/analysis/308696/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "umairq_", "detail_path": "/site/2a2e6e67726f6b2e696f", "detail_slug": "2a2e6e67726f6b2e696f", "detail_url": "https://lots-project.com/site/2a2e6e67726f6b2e696f", "scraped_at": "2026-06-16T11:58:11Z" }, { "website": "codepen.io", "tags": [ "C&C", "Download" ], "service_provider": "CodePen", "phishing": "None", "command_and_control": "Attackers can use codepen.io to execute JavaScript and establish a websocket connection to a remote C&C server. An example is available thanks to @fkadibs: https://codepen.io/fkadibs/pen/KKvrZGq", "exfiltration": "None", "download": "Attackers can use codepen.io to download malicious tools. Although the attacker cannot download binaries directly, one method of doing so is by first base64 encoding the binary then adding it to the HTML section of a pen and then downloading decoding the binary.", "sample_url": "", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "@fkadibs", "detail_path": "/site/636f646570656e2e696f", "detail_slug": "636f646570656e2e696f", "detail_url": "https://lots-project.com/site/636f646570656e2e696f", "scraped_at": "2026-06-16T11:58:12Z" }, { "website": "pastetext.net", "tags": [ "Download" ], "service_provider": "Pastetext.net", "phishing": "None", "command_and_control": "None", "exfiltration": "None", "download": "Attackers upload the source code of tools onto pastetext.net and download them when necessary.", "sample_url": "https://twitter.com/pr0xylife/status/1439897347757121540", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "Nadav Lorber (https://twitter.com/LNadav)", "detail_path": "/site/7061737465746578742e6e6574", "detail_slug": "7061737465746578742e6e6574", "detail_url": "https://lots-project.com/site/7061737465746578742e6e6574", "scraped_at": "2026-06-16T11:58:12Z" }, { "website": "notion.so", "tags": [ "Phishing", "C&C", "Exfiltration", "Download" ], "service_provider": "Notion.so", "phishing": "Attackers can use notion.so to share files with embedded malicious links or documents", "command_and_control": "Attackers can use notion.so for C&C purposes. OffensiveNotion is an open-source tool that utilizes notion.so for C&C.", "exfiltration": "Attackers can use notion.so for to exfiltrate data. OffensiveNotion is an open-source tool that can use notion.so to exfiltrate data.", "download": "Attackers can use notion.so for to download files. OffensiveNotion is an open-source tool that can use notion.so to download files.", "sample_url": "https://github.com/mttaggart/OffensiveNotion", "created": "2021-11-21", "last_update": "2022-03-27", "credits": "Michael Taggart - @mttaggart", "detail_path": "/site/6e6f74696f6e2e736f", "detail_slug": "6e6f74696f6e2e736f", "detail_url": "https://lots-project.com/site/6e6f74696f6e2e736f", "scraped_at": "2026-06-16T11:58:12Z" }, { "website": "*.wixsite.com", "tags": [ "Phishing" ], "service_provider": "Wix", "phishing": "Attackers can use a subdomain hosted on *.wixsite.com to host their phishing website.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/509353/0/html", "created": "2021-11-21", "last_update": "2021-11-21", "credits": "mattdep_", "detail_path": "/site/2a2e776978736974652e636f6d", "detail_slug": "2a2e776978736974652e636f6d", "detail_url": "https://lots-project.com/site/2a2e776978736974652e636f6d", "scraped_at": "2026-06-16T11:58:13Z" }, { "website": "attachment.outlook.live.net", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "Microsoft", "phishing": "Attackers can compose an email, attach a file and use the direct download link to phish users. The caveat with using this method is the phishing link expires in approximately 15 minutes.", "command_and_control": "None", "exfiltration": "Attackers can compose an email, attach file(s) to exfiltrate and send the download link to themselves. This method is not ideal for large files due to the file size restriction in place.", "download": "Attackers can compose an email on Outlook and attach a file and then use the file's download link to directly download the file. Restricted file types would first need to have their file extension modified (e.g. mimikatz.exe becomes mimikatz.exe.txt) and then upon download the file extension is modified back to the original extension.", "sample_url": "https://twitter.com/mrd0x/status/1462852381830524931", "created": "2021-11-22", "last_update": "2021-11-22", "credits": "mr.d0x, @JohnnyCiocca, @ryanlevier", "detail_path": "/site/6174746163686d656e742e6f75746c6f6f6b2e6c6976652e6e6574", "detail_slug": "6174746163686d656e742e6f75746c6f6f6b2e6c6976652e6e6574", "detail_url": "https://lots-project.com/site/6174746163686d656e742e6f75746c6f6f6b2e6c6976652e6e6574", "scraped_at": "2026-06-16T11:58:13Z" }, { "website": "attachments.office.net", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "Microsoft", "phishing": "Attackers can compose an email, attach a file and use the direct download link to phish users. The caveat with using this method is the phishing link expires in approximately 15 minutes.", "command_and_control": "None", "exfiltration": "Attackers can compose an email, attach file(s) to exfiltrate and send the download link to themselves. This method is not ideal for large files due to the file size restriction in place.", "download": "Attackers can compose an email on O365 and attach a file and then use the file's download link to directly download the file. Restricted file types would first need to have their file extension modified (e.g. mimikatz.exe becomes mimikatz.exe.txt) and then upon download the file extension is modified back to the original extension.", "sample_url": "https://twitter.com/mrd0x/status/1462852381830524931", "created": "2021-11-22", "last_update": "2021-11-22", "credits": "mr.d0x, @JohnnyCiocca, @ryanlevier", "detail_path": "/site/6174746163686d656e74732e6f66666963652e6e6574", "detail_slug": "6174746163686d656e74732e6f66666963652e6e6574", "detail_url": "https://lots-project.com/site/6174746163686d656e74732e6f66666963652e6e6574", "scraped_at": "2026-06-16T11:58:14Z" }, { "website": "lnkd.in", "tags": [ "Phishing", "Download" ], "service_provider": "Microsoft", "phishing": "Attackers can use LinkedIn's short URL to masquerade their domain name and then send the shortened link to their targets.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be stored on an attacker's domain and then have the URL shortened. When the tools are needed, the shortened URL is used to download the tools.", "sample_url": "https://www.joesandbox.com/analysis/524661/0/html", "created": "2021-11-23", "last_update": "2021-12-15", "credits": "@BushidoToken", "detail_path": "/site/6c6e6b642e696e", "detail_slug": "6c6e6b642e696e", "detail_url": "https://lots-project.com/site/6c6e6b642e696e", "scraped_at": "2026-06-16T11:58:14Z" }, { "website": "*.myportfolio.com", "tags": [ "Phishing" ], "service_provider": "Adobe", "phishing": "Attackers can use a personalized subdomain from myportfolio.com to create a phishing page with embedded links that leads to malicious domains.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/517898/0/html", "created": "2021-11-23", "last_update": "2021-11-23", "credits": "@BushidoToken", "detail_path": "/site/2a2e6d79706f7274666f6c696f2e636f6d", "detail_slug": "2a2e6d79706f7274666f6c696f2e636f6d", "detail_url": "https://lots-project.com/site/2a2e6d79706f7274666f6c696f2e636f6d", "scraped_at": "2026-06-16T11:58:14Z" }, { "website": "*.notion.site", "tags": [ "Phishing", "Download" ], "service_provider": "Notion.so", "phishing": "Attackers can host a malicious file onto their notion page, make it public, and then share the download link of the file to target users. Note that Notion restricts certain file types.", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can host a malicious file onto their notion page, make it public, and then use the download link to drop files onto a target machine.", "sample_url": "https://www.joesandbox.com/analysis/532127/0/html", "created": "2021-12-19", "last_update": "2022-01-20", "credits": "HuskyHacks", "detail_path": "/site/2a2e6e6f74696f6e2e73697465", "detail_slug": "2a2e6e6f74696f6e2e73697465", "detail_url": "https://lots-project.com/site/2a2e6e6f74696f6e2e73697465", "scraped_at": "2026-06-16T11:58:15Z" }, { "website": "*.wasabisys.com", "tags": [ "Phishing", "C&C", "Exfiltration", "Download" ], "service_provider": "Wasabi Technologies", "phishing": "Attackers can use *.wasabisys.com to host phishing templates.", "command_and_control": "Attackers can use *.wasabisys.com for C&C purposes.", "exfiltration": "Wasabisys' S3 storage capabilities can be used to store exfiltrated files on there.", "download": "Malicious tools can be stored on *.wasabisys.com and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/494841/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "mr.d0x", "detail_path": "/site/2a2e7761736162697379732e636f6d", "detail_slug": "2a2e7761736162697379732e636f6d", "detail_url": "https://lots-project.com/site/2a2e7761736162697379732e636f6d", "scraped_at": "2026-06-16T11:58:15Z" }, { "website": "rebrand.ly", "tags": [ "Phishing", "Download" ], "service_provider": "Rebrandly", "phishing": "Attackers can use the URL shortener, rebrand.ly, to masquerade their domain name and send the shortened link to their targets.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be stored on an attacker's domain and then have the URL shortened. When the tools are needed, the shortened URL is used to download the tools.", "sample_url": "https://www.joesandbox.com/analysis/525322/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "Isaiah James Puzon - @IJPuzon", "detail_path": "/site/72656272616e642e6c79", "detail_slug": "72656272616e642e6c79", "detail_url": "https://lots-project.com/site/72656272616e642e6c79", "scraped_at": "2026-06-16T11:58:15Z" }, { "website": "rb.gy", "tags": [ "Phishing", "Download" ], "service_provider": "Rebrandly", "phishing": "Attackers can use the URL shortener, rb.gy, to masquerade their domain name and send the shortened link to their targets.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be stored on an attacker's domain and then have the URL shortened. When the tools are needed, the shortened URL is used to download the tools.", "sample_url": "https://www.joesandbox.com/analysis/527289/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "Isaiah James Puzon - @IJPuzon", "detail_path": "/site/72622e6779", "detail_slug": "72622e6779", "detail_url": "https://lots-project.com/site/72622e6779", "scraped_at": "2026-06-16T11:58:16Z" }, { "website": "genius.com", "tags": [ "C&C" ], "service_provider": "Genius", "phishing": "None", "command_and_control": "Attackers are using genius.com for C&C purposes by posting commands in the biography section of user profiles.", "exfiltration": "None", "download": "None", "sample_url": "", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "redknight99 - Github", "detail_path": "/site/67656e6975732e636f6d", "detail_slug": "67656e6975732e636f6d", "detail_url": "https://lots-project.com/site/67656e6975732e636f6d", "scraped_at": "2026-06-16T11:58:16Z" }, { "website": "inmotionhosting.com", "tags": [ "Phishing", "C&C", "Exfiltration", "Download" ], "service_provider": "InMotion Hosting", "phishing": "Attackers can use *.inmotionhosting.com to host phishing websites.", "command_and_control": "Attackers can use servers hosted on *.inmotionhosting.com for C&C purposes.", "exfiltration": "Attackers can create web applications with upload functionalities hosted on *.inmotionhosting.com and exfiltrate data on there.", "download": "Attackers can host malicious tools on applications hosted on *.inmotionhosting.com and download them when needed.", "sample_url": "https://www.joesandbox.com/analysis/513058/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "MaxSmile - @MaxSmileChamp", "detail_path": "/site/696e6d6f74696f6e686f7374696e672e636f6d", "detail_slug": "696e6d6f74696f6e686f7374696e672e636f6d", "detail_url": "https://lots-project.com/site/696e6d6f74696f6e686f7374696e672e636f6d", "scraped_at": "2026-06-16T11:58:17Z" }, { "website": "stonly.com", "tags": [ "Phishing" ], "service_provider": "Stonly", "phishing": "Attackers have abused Stonly by creating custom pages with embedded links that redirect to phishing websites.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/533718/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "@smarr311", "detail_path": "/site/73746f6e6c792e636f6d", "detail_slug": "73746f6e6c792e636f6d", "detail_url": "https://lots-project.com/site/73746f6e6c792e636f6d", "scraped_at": "2026-06-16T11:58:17Z" }, { "website": "*.csb.app", "tags": [ "Phishing" ], "service_provider": "CodeSandbox", "phishing": "Attackers can create phishing templates on *.csb.app and share the link with targets.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/497495/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "@BushidoToken", "detail_path": "/site/2a2e6373622e617070", "detail_slug": "2a2e6373622e617070", "detail_url": "https://lots-project.com/site/2a2e6373622e617070", "scraped_at": "2026-06-16T11:58:17Z" }, { "website": "*.codesandbox.io", "tags": [ "Phishing" ], "service_provider": "CodeSandbox", "phishing": "Attackers can create phishing templates on *.codesandbox.io and share the link with targets.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/533441/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "@BushidoToken", "detail_path": "/site/2a2e636f646573616e64626f782e696f", "detail_slug": "2a2e636f646573616e64626f782e696f", "detail_url": "https://lots-project.com/site/2a2e636f646573616e64626f782e696f", "scraped_at": "2026-06-16T11:58:18Z" }, { "website": "*.000webhostapp.com", "tags": [ "Phishing", "C&C", "Exfiltration", "Download" ], "service_provider": "Hostinger", "phishing": "Attackers can use *.000webhostapp.com to host phishing websites.", "command_and_control": "Attackers have used *.000webhostapp.com domains for C&C purposes.", "exfiltration": "Attackers can exfiltrate files onto *.000webhostapp.com via file manager capabilities.", "download": "Malicious tools can be stored on *.000webhostapp.com and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/339155/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "@BushidoToken", "detail_path": "/site/2a2e303030776562686f73746170702e636f6d", "detail_slug": "2a2e303030776562686f73746170702e636f6d", "detail_url": "https://lots-project.com/site/2a2e303030776562686f73746170702e636f6d", "scraped_at": "2026-06-16T11:58:18Z" }, { "website": "*.hostingerapp.com", "tags": [ "Phishing", "C&C", "Exfiltration", "Download" ], "service_provider": "Hostinger", "phishing": "Attackers can use *.hostingerapp.com to host phishing websites.", "command_and_control": "Attackers have used *.hostingerapp.com domains for C&C purposes.", "exfiltration": "Attackers can exfiltrate files onto *.hostingerapp.com via file manager capabilities.", "download": "Malicious tools can be stored on *.hostingerapp.com and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/380310/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "@BushidoToken", "detail_path": "/site/2a2e686f7374696e6765726170702e636f6d", "detail_slug": "2a2e686f7374696e6765726170702e636f6d", "detail_url": "https://lots-project.com/site/2a2e686f7374696e6765726170702e636f6d", "scraped_at": "2026-06-16T11:58:18Z" }, { "website": "feedproxy.google.com", "tags": [ "Phishing" ], "service_provider": "Google", "phishing": "Attackers can use feedproxy.google.com to redirect targets to a malicious domain.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/505859/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "@BushidoToken", "detail_path": "/site/6665656470726f78792e676f6f676c652e636f6d", "detail_slug": "6665656470726f78792e676f6f676c652e636f6d", "detail_url": "https://lots-project.com/site/6665656470726f78792e676f6f676c652e636f6d", "scraped_at": "2026-06-16T11:58:19Z" }, { "website": "*.pagecloud.com", "tags": [ "Phishing" ], "service_provider": "PageCloud", "phishing": "Attackers can use *.pagecloud.com to create a phishing page with embedded links that redirects users to a malicious site or downloads a malicious file.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/423120/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "@BushidoToken", "detail_path": "/site/2a2e70616765636c6f75642e636f6d", "detail_slug": "2a2e70616765636c6f75642e636f6d", "detail_url": "https://lots-project.com/site/2a2e70616765636c6f75642e636f6d", "scraped_at": "2026-06-16T11:58:19Z" }, { "website": "*.format.com", "tags": [ "Phishing" ], "service_provider": "Format", "phishing": "Attackers can use *.format.com to create a phishing page with embedded links that redirects users to a malicious site or downloads a malicious file.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/416730/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "@BushidoToken", "detail_path": "/site/2a2e666f726d61742e636f6d", "detail_slug": "2a2e666f726d61742e636f6d", "detail_url": "https://lots-project.com/site/2a2e666f726d61742e636f6d", "scraped_at": "2026-06-16T11:58:20Z" }, { "website": "s.id", "tags": [ "Phishing", "Download" ], "service_provider": "s.id", "phishing": "Attackers can use the URL shortener, s.id, to masquerade their domain name and send the shortened link to their targets.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be stored on an attacker's domain and then have the URL shortened. When the tools are needed, the shortened URL is used to download the tools.", "sample_url": "https://www.joesandbox.com/analysis/517911/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "@BushidoToken", "detail_path": "/site/732e6964", "detail_slug": "732e6964", "detail_url": "https://lots-project.com/site/732e6964", "scraped_at": "2026-06-16T11:58:20Z" }, { "website": "doc.clickup.com", "tags": [ "Phishing" ], "service_provider": "ClickUp", "phishing": "Attackers can use doc.clickup.com to create a phishing page with embedded links or attachments.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/513883/0/html", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "@BushidoToken", "detail_path": "/site/646f632e636c69636b75702e636f6d", "detail_slug": "646f632e636c69636b75702e636f6d", "detail_url": "https://lots-project.com/site/646f632e636c69636b75702e636f6d", "scraped_at": "2026-06-16T11:58:20Z" }, { "website": "ufile.io", "tags": [ "Phishing", "Exfiltration", "Download" ], "service_provider": "Ufile", "phishing": "Malicious files can be uploaded on ufile.io and then have the direct link shared with targets in phishing attacks.", "command_and_control": "None", "exfiltration": "Attackers can upload data to ufile.io and share the link to themselves to download the exfiltrated data.", "download": "Attackers can keep their tools stored on ufile.io and when required, use the direct download link to fetch the tools.", "sample_url": "", "created": "2021-12-19", "last_update": "2021-12-19", "credits": "@BushidoToken", "detail_path": "/site/7566696c652e696f", "detail_slug": "7566696c652e696f", "detail_url": "https://lots-project.com/site/7566696c652e696f", "scraped_at": "2026-06-16T11:58:21Z" }, { "website": "onenoteonlinesync.onenote.com", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "Microsoft", "phishing": "Attackers can insert an attachment on a OneNote Notebook and then use the attachment's direct download link to phish users.", "command_and_control": "None", "exfiltration": "Attackers can insert files they wish to exfiltrate on a OneNote Notebook and send the direct download link to themselves. This method is not ideal for large files due to the file size restriction in place.", "download": "Attackers can insert an attachment on a OneNote Notebook and then use the attachment's download link to directly download the file.", "sample_url": "https://twitter.com/mrd0x/status/1475085452784844803", "created": "2021-12-26", "last_update": "2021-12-26", "credits": "mr.d0x", "detail_path": "/site/6f6e656e6f74656f6e6c696e6573796e632e6f6e656e6f74652e636f6d", "detail_slug": "6f6e656e6f74656f6e6c696e6573796e632e6f6e656e6f74652e636f6d", "detail_url": "https://lots-project.com/site/6f6e656e6f74656f6e6c696e6573796e632e6f6e656e6f74652e636f6d", "scraped_at": "2026-06-16T11:58:21Z" }, { "website": "12ft.io", "tags": [ "Phishing" ], "service_provider": "12ft.io", "phishing": "Attackers can use 12ft.io to masquerade their domain for phishing purposes. The URL will have the following structure: 12ft.io/proxy?q=phishing-site[.]com", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://twitter.com/mrd0x/status/1475645195874185216", "created": "2021-12-27", "last_update": "2021-12-27", "credits": "mr.d0x", "detail_path": "/site/313266742e696f", "detail_slug": "313266742e696f", "detail_url": "https://lots-project.com/site/313266742e696f", "scraped_at": "2026-06-16T11:58:21Z" }, { "website": "*.doubleclick.net", "tags": [ "Phishing", "Download" ], "service_provider": "Google", "phishing": "Attackers can use *.doubleclick.net to redirect targets to a malicious domain.", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can use *.doubleclick.net to masquerade a direct download link.", "sample_url": "https://www.joesandbox.com/analysis/484852/0/html", "created": "2021-12-29", "last_update": "2021-12-29", "credits": "mr.d0x", "detail_path": "/site/2a2e646f75626c65636c69636b2e6e6574", "detail_slug": "2a2e646f75626c65636c69636b2e6e6574", "detail_url": "https://lots-project.com/site/2a2e646f75626c65636c69636b2e6e6574", "scraped_at": "2026-06-16T11:58:22Z" }, { "website": "t.m1.email.samsung.com", "tags": [ "Phishing", "Download" ], "service_provider": "Samsung", "phishing": "Attackers can use t.m1.email.samsung.com to redirect targets to a malicious domain. The format of the link would be as follows: https://t.m1.email.samsung.com/r/?id=hdbbbab34,71b0ad58,6b55baa5&p1=[phishing-link]", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can use t.m1.email.samsung.com to masquerade a direct download link.", "sample_url": "https://www.joesandbox.com/analysis/545632/0/html", "created": "2021-12-29", "last_update": "2021-12-29", "credits": "mr.d0x", "detail_path": "/site/742e6d312e656d61696c2e73616d73756e672e636f6d", "detail_slug": "742e6d312e656d61696c2e73616d73756e672e636f6d", "detail_url": "https://lots-project.com/site/742e6d312e656d61696c2e73616d73756e672e636f6d", "scraped_at": "2026-06-16T11:58:22Z" }, { "website": "*.repl.co", "tags": [ "Phishing", "C&C", "Exfiltration", "Download" ], "service_provider": "Replit", "phishing": "Attackers can use *.repl.co to host their phishing websites.", "command_and_control": "Attackers can use a customized subdomain of repl.co as their C&C server.", "exfiltration": "Attackers can add upload functionalities hosted on *.repl.co and exfiltrate data on there.", "download": "Attackers can host their malicious tools on an external provider and then use *.repl.co to fetch the files.", "sample_url": "https://www.joesandbox.com/analysis/487279/0/html", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "Anonymous", "detail_path": "/site/2a2e7265706c2e636f", "detail_slug": "2a2e7265706c2e636f", "detail_url": "https://lots-project.com/site/2a2e7265706c2e636f", "scraped_at": "2026-06-16T11:58:23Z" }, { "website": "teletype.in", "tags": [ "Phishing" ], "service_provider": "Teletype", "phishing": "Attackers can use teletype.in to create a phishing page with embedded links that redirects users to a malicious site or downloads a malicious file.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.hybrid-analysis.com/sample/b897d347e9fa7f668b0c15069360d6a5846bb6a22744891ff6cef7c0a8026561/60041f6f7ad0392bd82aab6f", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "Anonymous", "detail_path": "/site/74656c65747970652e696e", "detail_slug": "74656c65747970652e696e", "detail_url": "https://lots-project.com/site/74656c65747970652e696e", "scraped_at": "2026-06-16T11:58:23Z" }, { "website": "*.easywp.com", "tags": [ "Phishing" ], "service_provider": "EasyWP", "phishing": "Attackers can use *.easywp.com to create a phishing page with embedded links that redirects users to a malicious site or downloads a malicious file.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/545565/0/html", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "Anonymous", "detail_path": "/site/2a2e6561737977702e636f6d", "detail_slug": "2a2e6561737977702e636f6d", "detail_url": "https://lots-project.com/site/2a2e6561737977702e636f6d", "scraped_at": "2026-06-16T11:58:23Z" }, { "website": "telegra.ph", "tags": [ "Phishing" ], "service_provider": "Telegraph", "phishing": "Attackers can use telegra.ph to create a phishing page with embedded links that redirects users to a malicious site or downloads a malicious file.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/244952/0/html", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "Anonymous", "detail_path": "/site/74656c656772612e7068", "detail_slug": "74656c656772612e7068", "detail_url": "https://lots-project.com/site/74656c656772612e7068", "scraped_at": "2026-06-16T11:58:24Z" }, { "website": "filebin.net", "tags": [ "Phishing", "Exfiltration", "Download" ], "service_provider": "Filebin", "phishing": "Attackers can upload malicious files to filebin.net and share the direct download link to users.", "command_and_control": "None", "exfiltration": "Attackers can upload data to filebin.net and share the link to themselves to download the exfiltrated data. Requires GUI access.", "download": "Attackers can keep their tools stored on filebin.net and when required, use the custom link to download.", "sample_url": "https://www.joesandbox.com/analysis/285132/0/html", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "Adithya - @ravooriadithya", "detail_path": "/site/66696c6562696e2e6e6574", "detail_slug": "66696c6562696e2e6e6574", "detail_url": "https://lots-project.com/site/66696c6562696e2e6e6574", "scraped_at": "2026-06-16T11:58:24Z" }, { "website": "*.fyi.to", "tags": [ "Phishing" ], "service_provider": "FYI.to", "phishing": "Attackers can use *.fyi.to to share malicious links with target users.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "Anonymous", "detail_path": "/site/2a2e6679692e746f", "detail_slug": "2a2e6679692e746f", "detail_url": "https://lots-project.com/site/2a2e6679692e746f", "scraped_at": "2026-06-16T11:58:24Z" }, { "website": "nt.embluemail.com", "tags": [ "Phishing", "Download" ], "service_provider": "emBlue", "phishing": "Attackers can use nt.embluemail.com's open redirect to redirect users to malicious domains.", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can use nt.embluemail.com's open redirect to masquerade their malicious download link.", "sample_url": "https://www.joesandbox.com/analysis/523131/0/html", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "Adithya - @ravooriadithya", "detail_path": "/site/6e742e656d626c75656d61696c2e636f6d", "detail_slug": "6e742e656d626c75656d61696c2e636f6d", "detail_url": "https://lots-project.com/site/6e742e656d626c75656d61696c2e636f6d", "scraped_at": "2026-06-16T11:58:25Z" }, { "website": "transfer.sh", "tags": [ "Phishing", "Exfiltration", "Download" ], "service_provider": "Transfer.sh", "phishing": "Attackers can upload malicious files to transfer.sh and share the direct download link to users.", "command_and_control": "None", "exfiltration": "Attackers can exfiltrate data using transfer.sh either using the command line or through uploading files and sharing the link to themselves to download the exfiltrated data.", "download": "Attackers can keep their tools stored on transfer.sh and when required, use the custom link to download.", "sample_url": "https://www.joesandbox.com/analysis/456029/0/html", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "Adithya -@ravooriadithya", "detail_path": "/site/7472616e736665722e7368", "detail_slug": "7472616e736665722e7368", "detail_url": "https://lots-project.com/site/7472616e736665722e7368", "scraped_at": "2026-06-16T11:58:25Z" }, { "website": "ct.sendgrid.net", "tags": [ "Phishing", "Download" ], "service_provider": "SendGrid", "phishing": "Attackers can use ct.sendgrid.net's open redirect to redirect users to malicious domains.", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can use ct.sendgrid.net's open redirect to masquerade their malicious download link.", "sample_url": "https://www.joesandbox.com/analysis/554979/0/html", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "Adithya - @ravooriadithya, Joul Kouchakji - @Jouliok", "detail_path": "/site/63742e73656e64677269642e6e6574", "detail_slug": "63742e73656e64677269642e6e6574", "detail_url": "https://lots-project.com/site/63742e73656e64677269642e6e6574", "scraped_at": "2026-06-16T11:58:26Z" }, { "website": "nethunt.com", "tags": [ "Phishing" ], "service_provider": "NetHunt", "phishing": "Attackers can use nethunt.com to create phishing pages for credential harvesting.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://urlscan.io/result/be3e8679-6e81-453b-a5b5-c61734dc8af1/", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "@rymcvicar", "detail_path": "/site/6e657468756e742e636f6d", "detail_slug": "6e657468756e742e636f6d", "detail_url": "https://lots-project.com/site/6e657468756e742e636f6d", "scraped_at": "2026-06-16T11:58:26Z" }, { "website": "trello.com", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "Trello", "phishing": "Attackers can upload malicious files to Trello, make it public, and share the direct download link of the file with target users. More information: https://twitter.com/_theVIVI/status/1483957453578510344", "command_and_control": "None", "exfiltration": "Attackers can upload files to Trello and share the direct download link to themselves to download the exfiltrated data.", "download": "Attackers can upload malicious files to Trello and use the direct download link to drop files on a target machine.", "sample_url": "", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "Gabriel Mathenge - @_theVIVI", "detail_path": "/site/7472656c6c6f2e636f6d", "detail_slug": "7472656c6c6f2e636f6d", "detail_url": "https://lots-project.com/site/7472656c6c6f2e636f6d", "scraped_at": "2026-06-16T11:58:26Z" }, { "website": "evernote.com", "tags": [ "Phishing", "Exfiltration", "Download" ], "service_provider": "Evernote", "phishing": "Attackers can upload malicious files to evernote and share the direct download link of the file with target users.", "command_and_control": "None", "exfiltration": "Attackers can upload files to Evernote and share the direct download link to themselves to download the exfiltrated data.", "download": "Attackers can upload malicious files to Evernote and use the direct download link to drop files on a target machine.", "sample_url": "https://www.joesandbox.com/analysis/501613/0/html", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "@lpha3ch0", "detail_path": "/site/657665726e6f74652e636f6d", "detail_slug": "657665726e6f74652e636f6d", "detail_url": "https://lots-project.com/site/657665726e6f74652e636f6d", "scraped_at": "2026-06-16T11:58:27Z" }, { "website": "track.adform.net", "tags": [ "Phishing", "Download" ], "service_provider": "Adform", "phishing": "Attackers can use track.adform.net's open redirect to redirect users to malicious domains. Example: https://track.adform.net/C/?bn=35405429;cpdir=https://mrd0x.com", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can use track.adform.net's open redirect to masquerade their malicious download link.", "sample_url": "https://www.joesandbox.com/analysis/514456/0/html", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "mr.d0x", "detail_path": "/site/747261636b2e6164666f726d2e6e6574", "detail_slug": "747261636b2e6164666f726d2e6e6574", "detail_url": "https://lots-project.com/site/747261636b2e6164666f726d2e6e6574", "scraped_at": "2026-06-16T11:58:27Z" }, { "website": "*.xiti.com", "tags": [ "Phishing", "Download" ], "service_provider": "Xiti", "phishing": "Attackers can use *.xiti.com's open redirect to redirect users to malicious domains. Example: http://logi103.xiti.com/go.click?xts=410711&s2=20&p=booklet_radon&clic=T&type=click&url=https://mrd0x.com", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can use *.xiti.com's open redirect to masquerade their malicious download link.", "sample_url": "https://www.joesandbox.com/analysis/532868/0/html", "created": "2022-01-20", "last_update": "2022-01-20", "credits": "mr.d0x", "detail_path": "/site/2a2e786974692e636f6d", "detail_slug": "2a2e786974692e636f6d", "detail_url": "https://lots-project.com/site/2a2e786974692e636f6d", "scraped_at": "2026-06-16T11:58:27Z" }, { "website": "wtools.io", "tags": [ "Download" ], "service_provider": "WTOOLS", "phishing": "None", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can host their malicious code on wtools.io and when needed, the code can be downloaded.", "sample_url": "https://ish.com.br/blog/todas-as-etapas-de-um-ataque-fileless/", "created": "2022-01-21", "last_update": "2022-01-21", "credits": "@1ZRR4H", "detail_path": "/site/77746f6f6c732e696f", "detail_slug": "77746f6f6c732e696f", "detail_url": "https://lots-project.com/site/77746f6f6c732e696f", "scraped_at": "2026-06-16T11:58:28Z" }, { "website": "i.imgur.com", "tags": [ "Download" ], "service_provider": "Imgur", "phishing": "None", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can embed their malicious payload in image files and upload them onto Imgur. When the payload is required, the image is downloaded and the payload is extracted.", "sample_url": "https://www.bleepingcomputer.com/news/security/github-hosted-malware-calculates-cobalt-strike-payload-from-imgur-pic/", "created": "2022-01-23", "last_update": "2022-01-23", "credits": "Adithya -@ravooriadithya", "detail_path": "/site/692e696d6775722e636f6d", "detail_slug": "692e696d6775722e636f6d", "detail_url": "https://lots-project.com/site/692e696d6775722e636f6d", "scraped_at": "2026-06-16T11:58:28Z" }, { "website": "workflowy.com", "tags": [ "Phishing" ], "service_provider": "WorkFlowy", "phishing": "Attackers can create a page on workflowy.com that contains embedded links which redirect users to malicious domains.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://twitter.com/1ZRR4H/status/1485764521021132810", "created": "2022-01-24", "last_update": "2022-01-24", "credits": "@1ZRR4H", "detail_path": "/site/776f726b666c6f77792e636f6d", "detail_slug": "776f726b666c6f77792e636f6d", "detail_url": "https://lots-project.com/site/776f726b666c6f77792e636f6d", "scraped_at": "2026-06-16T11:58:29Z" }, { "website": "*.mybluehost.me", "tags": [ "Phishing", "C&C", "Download", "Exfiltration" ], "service_provider": "Bluehost", "phishing": "Attackers can use a customized subdomain of mybluehost.me to host their phishing websites.", "command_and_control": "Attackers can use a customized subdomain of mybluehost.me as their C&C server.", "exfiltration": "Attackers can add upload functionalities hosted on *.mybluehost.me and exfiltrate data on there.", "download": "Malicious tools can be stored on *.mybluehost.me and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/302028/0/html", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "Adithya Ravoori - @ravooriadithya", "detail_path": "/site/2a2e6d79626c7565686f73742e6d65", "detail_slug": "2a2e6d79626c7565686f73742e6d65", "detail_url": "https://lots-project.com/site/2a2e6d79626c7565686f73742e6d65", "scraped_at": "2026-06-16T11:58:29Z" }, { "website": "*.ondigitalocean.app", "tags": [ "Phishing", "C&C" ], "service_provider": "DigitalOcean", "phishing": "Attackers can use a customized subdomain of ondigitalocean.app to host their phishing websites.", "command_and_control": "Attackers can use a customized subdomain of ondigitalocean.app as their C&C server.", "exfiltration": "None", "download": "None", "sample_url": "https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "US Signal", "detail_path": "/site/2a2e6f6e6469676974616c6f6365616e2e617070", "detail_slug": "2a2e6f6e6469676974616c6f6365616e2e617070", "detail_url": "https://lots-project.com/site/2a2e6f6e6469676974616c6f6365616e2e617070", "scraped_at": "2026-06-16T11:58:29Z" }, { "website": "*.axshare.com", "tags": [ "Phishing", "C&C" ], "service_provider": "Axure", "phishing": "Attackers can use a customized subdomain of axshare.com to host their phishing websites.", "command_and_control": "Attackers can use a customized subdomain of axshare.com as their C&C server.", "exfiltration": "None", "download": "None", "sample_url": "https://urlscan.io/result/13911f76-1bf1-4994-8d04-47fc5d1acec2/", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "US Signal, Zachary Kelly - @Golgothus", "detail_path": "/site/2a2e617873686172652e636f6d", "detail_slug": "2a2e617873686172652e636f6d", "detail_url": "https://lots-project.com/site/2a2e617873686172652e636f6d", "scraped_at": "2026-06-16T11:58:30Z" }, { "website": "rentry.co", "tags": [ "Exfiltration", "C&C", "Download" ], "service_provider": "Rentry.co", "phishing": "None", "command_and_control": "rentry.co can be used for C&C purposes. The attacker will place commands on a rentry paste and have the malware fetch the commands.", "exfiltration": "Attackers will paste sensitive data onto rentry.co and share the link with themselves for later access.", "download": "Attackers upload the source code of tools onto rentry.co and download them when necessary.", "sample_url": "https://urlhaus.abuse.ch/url/254674/", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "@jsh0x", "detail_path": "/site/72656e7472792e636f", "detail_slug": "72656e7472792e636f", "detail_url": "https://lots-project.com/site/72656e7472792e636f", "scraped_at": "2026-06-16T11:58:30Z" }, { "website": "zerobin.net", "tags": [ "Exfiltration", "C&C", "Download" ], "service_provider": "ZeroBin", "phishing": "None", "command_and_control": "zerobin.net can be used for C&C purposes. The attacker will place commands on a zerobin paste and have the malware fetch the commands.", "exfiltration": "Attackers will upload sensitive files onto zerobin.net and share the link with themselves for later access.", "download": "Attackers upload the source code of tools onto zerobin.net and download them when necessary.", "sample_url": "", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "@jsh0x", "detail_path": "/site/7a65726f62696e2e6e6574", "detail_slug": "7a65726f62696e2e6e6574", "detail_url": "https://lots-project.com/site/7a65726f62696e2e6e6574", "scraped_at": "2026-06-16T11:58:30Z" }, { "website": "textbin.net", "tags": [ "Exfiltration", "C&C", "Download" ], "service_provider": "TextBin", "phishing": "None", "command_and_control": "textbin.net can be used for C&C purposes. The attacker will place commands on a textbin paste and have the malware fetch the commands.", "exfiltration": "Attackers will paste sensitive data onto textbin.net and share the link with themselves for later access.", "download": "Attackers upload the source code of tools onto textbin.net and download them when necessary.", "sample_url": "https://urlhaus.abuse.ch/host/textbin.net/", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "@jsh0x, abuse.ch - @abuse_ch", "detail_path": "/site/7465787462696e2e6e6574", "detail_slug": "7465787462696e2e6e6574", "detail_url": "https://lots-project.com/site/7465787462696e2e6e6574", "scraped_at": "2026-06-16T11:58:31Z" }, { "website": "ideone.com", "tags": [ "Exfiltration", "C&C", "Download" ], "service_provider": "Ideone.com", "phishing": "None", "command_and_control": "Commands can be entered on ideone.com and have malware fetch them.", "exfiltration": "Attackers will paste sensitive data onto ideone.com and share the link with themselves for later access.", "download": "Attackers can upload the source code of tools onto ideone.com and download them when necessary.", "sample_url": "https://www.joesandbox.com/analysis/196913/0/html", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "@jsh0x", "detail_path": "/site/6964656f6e652e636f6d", "detail_slug": "6964656f6e652e636f6d", "detail_url": "https://lots-project.com/site/6964656f6e652e636f6d", "scraped_at": "2026-06-16T11:58:31Z" }, { "website": "4sync.com", "tags": [ "Download" ], "service_provider": "4Sync", "phishing": "None", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be stored on 4sync.com and downloaded when required.", "sample_url": "https://urlhaus.abuse.ch/browse.php?search=4sync.com", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "abuse.ch - abuse_ch", "detail_path": "/site/3473796e632e636f6d", "detail_slug": "3473796e632e636f6d", "detail_url": "https://lots-project.com/site/3473796e632e636f6d", "scraped_at": "2026-06-16T11:58:32Z" }, { "website": "pastebin.pl", "tags": [ "Exfiltration", "C&C", "Download" ], "service_provider": "Pastebin.pl", "phishing": "None", "command_and_control": "Commands can be entered on pastebin.pl and have malware fetch them.", "exfiltration": "Attackers will paste sensitive data onto pastebin.pl and share the link with themselves for later access.", "download": "Attackers can upload the source code of tools onto pastebin.pl and download them when necessary.", "sample_url": "https://urlhaus.abuse.ch/host/pastebin.pl/", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "abuse.ch - abuse_ch", "detail_path": "/site/706173746562696e2e706c", "detail_slug": "706173746562696e2e706c", "detail_url": "https://lots-project.com/site/706173746562696e2e706c", "scraped_at": "2026-06-16T11:58:32Z" }, { "website": "www.uplooder.net", "tags": [ "Phishing", "Download", "Exfiltration" ], "service_provider": "Uplooder", "phishing": "Attackers can upload malicious files on uplooder and share the download link with target users.", "command_and_control": "None", "exfiltration": "Attackers can upload data to uplooder and share the link to themselves to download the exfiltrated data.", "download": "Attackers can keep their tools stored on uplooder and when required, use the direct download link to fetch the tools.", "sample_url": "https://urlhaus.abuse.ch/host/www.uplooder.net/", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "Andre Gironda - @AndreGironda", "detail_path": "/site/7777772e75706c6f6f6465722e6e6574", "detail_slug": "7777772e75706c6f6f6465722e6e6574", "detail_url": "https://lots-project.com/site/7777772e75706c6f6f6465722e6e6574", "scraped_at": "2026-06-16T11:58:32Z" }, { "website": "graph.microsoft.com", "tags": [ "C&C", "Exfiltration" ], "service_provider": "Microsoft", "phishing": "None", "command_and_control": "Attackers can use the Microsoft Graph API for C&C communications. AzureOutlookC2 is an open-source tool that utilizes Microsoft Graph API for C&C.", "exfiltration": "None", "download": "Attackers can use the Microsoft Graph API for data exfiltration. AzureOutlookC2 is an open-source tool that utilizes Microsoft Graph API for exfiltration.", "sample_url": "https://github.com/boku7/azureOutlookC2", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "Mehmet Ergene - @Cyb3rMonk", "detail_path": "/site/67726170682e6d6963726f736f66742e636f6d", "detail_slug": "67726170682e6d6963726f736f66742e636f6d", "detail_url": "https://lots-project.com/site/67726170682e6d6963726f736f66742e636f6d", "scraped_at": "2026-06-16T11:58:33Z" }, { "website": "pastie.org", "tags": [ "Exfiltration", "C&C", "Download" ], "service_provider": "Pastie.org", "phishing": "None", "command_and_control": "pastie.org can be used for C&C purposes. The attacker will place commands on a pastie and have the malware fetch the commands.", "exfiltration": "Attackers will paste sensitive data onto pastie.org and share the link with themselves for later access.", "download": "Attackers upload the source code of tools onto pastie.org and download them when necessary.", "sample_url": "https://www.hybrid-analysis.com/sample/2806f558804668d79bd505792a9c050d449d62e31099858a05a35f1fecd6adc3/62181d720bf6ae0e1139ff4c", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "@pr0xylife", "detail_path": "/site/7061737469652e6f7267", "detail_slug": "7061737469652e6f7267", "detail_url": "https://lots-project.com/site/7061737469652e6f7267", "scraped_at": "2026-06-16T11:58:33Z" }, { "website": "*.slab.com", "tags": [ "Phishing" ], "service_provider": "Slab", "phishing": "Attackers can use a customized subdomain of slab.com to host their phishing websites.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/593177/0/html", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "@cy-fir", "detail_path": "/site/2a2e736c61622e636f6d", "detail_slug": "2a2e736c61622e636f6d", "detail_url": "https://lots-project.com/site/2a2e736c61622e636f6d", "scraped_at": "2026-06-16T11:58:34Z" }, { "website": "*.dropmark.com", "tags": [ "Phishing" ], "service_provider": "Dropmark", "phishing": "Attackers can use a customized subdomain of dropmark.com to host their phishing websites.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://otx.alienvault.com/indicator/url/https:%2F%2Fsharepoint9013476556t435665.dropmark.com%2F1174307%2F29526270", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "Jean-Marc ALBERT - @WikiJM", "detail_path": "/site/2a2e64726f706d61726b2e636f6d", "detail_slug": "2a2e64726f706d61726b2e636f6d", "detail_url": "https://lots-project.com/site/2a2e64726f706d61726b2e636f6d", "scraped_at": "2026-06-16T11:58:34Z" }, { "website": "filecloudonline.com", "tags": [ "Phishing", "Download" ], "service_provider": "FileCloud", "phishing": "Attackers can use a customized subdomain of filecloudonline.com to share malicious files with target users.", "command_and_control": "None", "exfiltration": "None", "download": "Attackers can keep their tools stored on filecloudonline.com and when required, use the custom link to download. Requires GUI access.", "sample_url": "https://twitter.com/Stalkphish_io/status/1505808324289306625", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "Andre Gironda - @AndreGironda", "detail_path": "/site/66696c65636c6f75646f6e6c696e652e636f6d", "detail_slug": "66696c65636c6f75646f6e6c696e652e636f6d", "detail_url": "https://lots-project.com/site/66696c65636c6f75646f6e6c696e652e636f6d", "scraped_at": "2026-06-16T11:58:34Z" }, { "website": "tinyurl.com", "tags": [ "Phishing", "Download" ], "service_provider": "TinyURL", "phishing": "Attackers can use the URL shortener, tinyurl.com, to masquerade their domain name and send the shortened link to their targets.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be stored on an attacker's domain and then have the URL shortened. When the tools are needed, the shortened URL is used to download the tools.", "sample_url": "https://www.joesandbox.com/analysis/590506/0/html", "created": "2022-03-27", "last_update": "2022-03-27", "credits": "@_sec_101", "detail_path": "/site/74696e7975726c2e636f6d", "detail_slug": "74696e7975726c2e636f6d", "detail_url": "https://lots-project.com/site/74696e7975726c2e636f6d", "scraped_at": "2026-06-16T11:58:35Z" }, { "website": "*.azurestaticapps.net", "tags": [ "Phishing", "C&C", "Download" ], "service_provider": "Microsoft", "phishing": "Attackers can use a customized subdomain of azurestaticapps.net to host static phishing content.", "command_and_control": "Attackers can use a customized subdomain of azurestaticapps.net as their C&C server.", "exfiltration": "None", "download": "Attackers can host malicious files on a customized domain of azurestaticapps.net and when needed, the files can be downloaded.", "sample_url": "https://twitter.com/malwrhunterteam/status/1509077318492381184", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "security101 - @_sec_101, US Signal @ussignalcom", "detail_path": "/site/2a2e617a757265737461746963617070732e6e6574", "detail_slug": "2a2e617a757265737461746963617070732e6e6574", "detail_url": "https://lots-project.com/site/2a2e617a757265737461746963617070732e6e6574", "scraped_at": "2026-06-16T11:58:35Z" }, { "website": "termbin.com", "tags": [ "C&C", "Exfiltration", "Download" ], "service_provider": "Termbin", "phishing": "None", "command_and_control": "termbin.com can be used for C&C purposes. The attacker will place commands on a pastie and have the malware fetch the commands.", "exfiltration": "Attackers will paste sensitive data onto termbin.com and share the link with themselves for later access.", "download": "Attackers upload the source code of tools onto termbin.com and download them when necessary.", "sample_url": "https://blogs.vmware.com/emea-en/2022/05/serpent-the-backdoor-that-hides-in-plain-sight/", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "Jerry Shockley - @jsh0x", "detail_path": "/site/7465726d62696e2e636f6d", "detail_slug": "7465726d62696e2e636f6d", "detail_url": "https://lots-project.com/site/7465726d62696e2e636f6d", "scraped_at": "2026-06-16T11:58:36Z" }, { "website": "sprunge.us", "tags": [ "C&C", "Exfiltration", "Download" ], "service_provider": "Sprunge", "phishing": "None", "command_and_control": "sprunge.us can be used for C&C purposes. The attacker will place commands on a pastie and have the malware fetch the commands.", "exfiltration": "Attackers will paste sensitive data onto sprunge.us and share the link with themselves for later access.", "download": "Attackers upload the source code of tools onto sprunge.us and download them when necessary.", "sample_url": "https://any.run/report/b9ba6d8edc0f169d48e94d05703af5886b0f5759660b3f8c093d89c5977bd66d/051bd4e3-4220-4b14-9eed-17c0cc2c01b1", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "Jerry Shockley - @jsh0x", "detail_path": "/site/737072756e67652e7573", "detail_slug": "737072756e67652e7573", "detail_url": "https://lots-project.com/site/737072756e67652e7573", "scraped_at": "2026-06-16T11:58:36Z" }, { "website": "*.plesk.page", "tags": [ "Phishing", "C&C", "Exfiltration", "Download" ], "service_provider": "Plesk", "phishing": "Attackers can use a customized subdomain of plesk.page to host their phishing websites.", "command_and_control": "Attackers can use a customized subdomain of plesk.page as their C&C server.", "exfiltration": "Attackers can add upload functionalities hosted on *.mybluehost.me and exfiltrate data on there.", "download": "Malicious tools can be stored on *.plesk.page and downloaded when required.", "sample_url": "https://www.joesandbox.com/analysis/600205/0/html", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "Jonathan Lind", "detail_path": "/site/2a2e706c65736b2e70616765", "detail_slug": "2a2e706c65736b2e70616765", "detail_url": "https://lots-project.com/site/2a2e706c65736b2e70616765", "scraped_at": "2026-06-16T11:58:36Z" }, { "website": "cutt.ly", "tags": [ "Phishing", "Download" ], "service_provider": "Cutt.ly", "phishing": "Attackers can use the URL shortener, tinyurl.com, to masquerade their domain name and send the shortened link to their targets.", "command_and_control": "None", "exfiltration": "None", "download": "Malicious tools can be stored on an attacker's domain and then have the URL shortened. When the tools are needed, the shortened URL is used to download the tools.", "sample_url": "https://www.joesandbox.com/analysis/649565/0/html", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "security101 - @_sec_101, @lebleufirewall", "detail_path": "/site/637574742e6c79", "detail_slug": "637574742e6c79", "detail_url": "https://lots-project.com/site/637574742e6c79", "scraped_at": "2026-06-16T11:58:37Z" }, { "website": "*.on.aws", "tags": [ "C&C" ], "service_provider": "Amazon", "phishing": "None", "command_and_control": "Attackers can use a customized subdomain of on.aws as their C&C server.", "exfiltration": "None", "download": "None", "sample_url": "", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "Scott Taylor - @scottctaylor12", "detail_path": "/site/2a2e6f6e2e617773", "detail_slug": "2a2e6f6e2e617773", "detail_url": "https://lots-project.com/site/2a2e6f6e2e617773", "scraped_at": "2026-06-16T11:58:37Z" }, { "website": "*.mystrikingly.com", "tags": [ "Phishing", "C&C" ], "service_provider": "Strikingly", "phishing": "Attackers can use a customized subdomain of mystrikingly.com to host their phishing landing page.", "command_and_control": "Attackers can use a customized subdomain of mystrikingly.com as their C&C server.", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/650285/0/html", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "US Signal - @ussignalcom", "detail_path": "/site/2a2e6d79737472696b696e676c792e636f6d", "detail_slug": "2a2e6d79737472696b696e676c792e636f6d", "detail_url": "https://lots-project.com/site/2a2e6d79737472696b696e676c792e636f6d", "scraped_at": "2026-06-16T11:58:37Z" }, { "website": "www.surveycake.com", "tags": [ "Phishing" ], "service_provider": "SurveyCake", "phishing": "Attackers can use www.surveycake.com to host their phishing landing page.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://urlscan.io/result/3c2fbbac-1533-4bf9-9f1a-d9131c82e2d7/", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "@smarr311", "detail_path": "/site/7777772e73757276657963616b652e636f6d", "detail_slug": "7777772e73757276657963616b652e636f6d", "detail_url": "https://lots-project.com/site/7777772e73757276657963616b652e636f6d", "scraped_at": "2026-06-16T11:58:38Z" }, { "website": "anonfiles.com", "tags": [ "Phishing", "Exfiltration", "Download" ], "service_provider": "Anonfiles", "phishing": "Malicious files can be uploaded on anonfiles.com and then have the direct link shared with targets in phishing attacks.", "command_and_control": "None", "exfiltration": "Attackers can upload data to anonfiles.com and share the link to themselves to download the exfiltrated data.", "download": "Attackers can keep their tools stored on anonfiles.com and when required, use the direct download link to fetch the tools.", "sample_url": "https://www.joesandbox.com/analysis/670016/0/html", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "security101 - @_sec_101", "detail_path": "/site/616e6f6e66696c65732e636f6d", "detail_slug": "616e6f6e66696c65732e636f6d", "detail_url": "https://lots-project.com/site/616e6f6e66696c65732e636f6d", "scraped_at": "2026-06-16T11:58:38Z" }, { "website": "*.linodeobjects.com", "tags": [ "Phishing", "Exfiltration", "Download" ], "service_provider": "Linode", "phishing": "Attackers can use a customized subdomain of linodeobjects.com to host their phishing landing page.", "command_and_control": "None", "exfiltration": "Attackers can exfiltrate files to their Linode Objects storage", "download": "Attackers can keep their tools stored on Linode Objects storage and when required, download the tools.", "sample_url": "https://www.joesandbox.com/analysis/352148/0/html", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "@InfoSPECtre", "detail_path": "/site/2a2e6c696e6f64656f626a656374732e636f6d", "detail_slug": "2a2e6c696e6f64656f626a656374732e636f6d", "detail_url": "https://lots-project.com/site/2a2e6c696e6f64656f626a656374732e636f6d", "scraped_at": "2026-06-16T11:58:39Z" }, { "website": "express.adobe.com", "tags": [ "Phishing" ], "service_provider": "Adobe", "phishing": "Attackers can use express.adobe.com to host their static phishing page.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/659622/0/html", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "Justin W", "detail_path": "/site/657870726573732e61646f62652e636f6d", "detail_slug": "657870726573732e61646f62652e636f6d", "detail_url": "https://lots-project.com/site/657870726573732e61646f62652e636f6d", "scraped_at": "2026-06-16T11:58:39Z" }, { "website": "*.fleek.co", "tags": [ "Phishing" ], "service_provider": "Fleek", "phishing": "Attackers can use a customized subdomain of fleek.co to host their phishing landing page.", "command_and_control": "None", "exfiltration": "None", "download": "None", "sample_url": "https://www.joesandbox.com/analysis/664407/0/html", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "US Signal @ussignalcom", "detail_path": "/site/2a2e666c65656b2e636f", "detail_slug": "2a2e666c65656b2e636f", "detail_url": "https://lots-project.com/site/2a2e666c65656b2e636f", "scraped_at": "2026-06-16T11:58:39Z" }, { "website": "localhost.run", "tags": [ "C&C" ], "service_provider": "Localhost.run", "phishing": "None", "command_and_control": "Attackers can use localhost.run to communicate with their C2 servers.", "exfiltration": "None", "download": "None", "sample_url": "https://f.hubspotusercontent40.net/hubfs/1665891/Cloud%20Native%20Security%20Threat%20Report%2009-2020/Aqua_Security_Cloud_Native_Security_Threat_Report_2020.pdf", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "@m_haggis", "detail_path": "/site/6c6f63616c686f73742e72756e", "detail_slug": "6c6f63616c686f73742e72756e", "detail_url": "https://lots-project.com/site/6c6f63616c686f73742e72756e", "scraped_at": "2026-06-16T11:58:40Z" }, { "website": "*.requestbin.net", "tags": [ "C&C" ], "service_provider": "RequestBin", "phishing": "None", "command_and_control": "Attackers can use a customized subdomain of requestbin.net to send commands.", "exfiltration": "None", "download": "None", "sample_url": "https://github.com/SigmaHQ/sigma/pull/3103/files", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "@m_haggis", "detail_path": "/site/2a2e7265717565737462696e2e6e6574", "detail_slug": "2a2e7265717565737462696e2e6e6574", "detail_url": "https://lots-project.com/site/2a2e7265717565737462696e2e6e6574", "scraped_at": "2026-06-16T11:58:40Z" }, { "website": "clbin.com", "tags": [ "C&C", "Exfiltration", "Download" ], "service_provider": "Clbin", "phishing": "None", "command_and_control": "clbin.com be used for C&C purposes. The attacker will place commands on a textbin paste and have the malware fetch the commands.", "exfiltration": "Attackers will paste sensitive data onto clbin.com and share the link with themselves for later access.", "download": "Attackers upload the source code of tools onto clbin.com and download them when requried.", "sample_url": "", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "Jerry Shockley - @jsh0x", "detail_path": "/site/636c62696e2e636f6d", "detail_slug": "636c62696e2e636f6d", "detail_url": "https://lots-project.com/site/636c62696e2e636f6d", "scraped_at": "2026-06-16T11:58:40Z" }, { "website": "ix.io", "tags": [ "C&C", "Exfiltration", "Download" ], "service_provider": "Ix.io", "phishing": "None", "command_and_control": "ix.io be used for C&C purposes. The attacker will place commands on a textbin paste and have the malware fetch the commands.", "exfiltration": "Attackers will paste sensitive data onto ix.io and share the link with themselves for later access.", "download": "Attackers upload the source code of tools onto ix.io and download them when required.", "sample_url": "", "created": "2022-07-28", "last_update": "2022-07-28", "credits": "@m_haggis", "detail_path": "/site/69782e696f", "detail_slug": "69782e696f", "detail_url": "https://lots-project.com/site/69782e696f", "scraped_at": "2026-06-16T11:58:41Z" } ] }