├── README.md
├── atomic_cloud_iocs.csv
└── reports
    ├── 0ktapus_dom_templates.md
    └── 0ktapus_phishing.csv

/README.md:
--------------------------------------------------------------------------------
# Wiz Research Public IOC Database

This repo contains public indicators of compromise aggregated by Wiz Research.
--------------------------------------------------------------------------------

/atomic_cloud_iocs.csv:
--------------------------------------------------------------------------------
Value,Type,Reference
system,IAM user name,https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
ses_xcatze,IAM user name,https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
AdminsDDefault,IAM group name,https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
Kontolz,IAM user name,https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
ses_fucked,IAM user name,https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
ses_xxx,IAM user name,https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
jSDSsajsnhjjjjjjwyyw,IAM user name,https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
arn:aws:iam::320406895696:user/Kontolz,ARN,https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
320406895696,AWS account ID,https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
pubg,IAM user name,https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
snoopdog,IAM user name,https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
iDevXploit,IAM user name,https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
Xproady,IAM user name,https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
contact-shinycorp-tutanota-com-#,S3 bucket name,https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
iDevXploit,IAM user name,https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/
MCDonald2021D#1337,IAM user password,https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/
DangerDev@protonmail.me,IAM user name,https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
ses,IAM user name,https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
265857590823,AWS account ID,https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
671050157472,AWS account ID,https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
rajajh,IAM user name,https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
cevlupdia,IAM user name,https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
nohuppo/pause,Container image name,https://www.wiz.io/blog/dero-cryptojacking-campaign-adapts-to-evade-detection
dockerproxys/pause,Container image name,https://www.wiz.io/blog/dero-cryptojacking-campaign-adapts-to-evade-detection
dockerproxys/pauser,Container image name,https://www.wiz.io/blog/dero-cryptojacking-campaign-adapts-to-evade-detection
dockerproxys/pausem,Container image name,https://www.wiz.io/blog/dero-cryptojacking-campaign-adapts-to-evade-detection
pausehubs/pause,Container image name,https://www.wiz.io/blog/dero-cryptojacking-campaign-adapts-to-evade-detection
NYryXAGi7niFPk5FaxmqcY8hpTHmnFA9eT.TT,Crypto wallet,https://www.wiz.io/blog/dero-cryptojacking-campaign-adapts-to-evade-detection
dero1qyy8xjrdjcn2dvr6pwe40jrl3evv9vam6tpx537vux60xxkx6hs7zqgde993y,Crypto wallet,https://www.wiz.io/blog/dero-cryptojacking-campaign-adapts-to-evade-detection
dero1qyhauw0rvt5sr0nvsg97n9wq0hg4s0hrj7xs09yw97tctfdqevxgzqgf40nxc,Crypto wallet,https://www.wiz.io/blog/dero-cryptojacking-campaign-adapts-to-evade-detection
pauseyyf/pause,Container image name,https://www.crowdstrike.com/blog/crowdstrike-discovers-first-ever-dero-cryptojacking-campaign-targeting-kubernetes/
deroi1qyr8wnk9aw9lel0xcufdj98cqtd3lc5y84nhl679nm3wknaz0ad6xq9pvfz92xnjm0ypwc9rt0v,Crypto wallet,https://www.crowdstrike.com/blog/crowdstrike-discovers-first-ever-dero-cryptojacking-campaign-targeting-kubernetes/
shanidmk/jltest2,Container image name,https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/
shanidmk/jltest,Container image name,https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/
shanidmk/sysapp,Container image name,https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/
shanidmk/blob,Container image name,https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/
alpineos,DockerHub account name,https://www.trendmicro.com/en_za/research/22/i/security-breaks-teamtnts-dockerhub-credentials-leak.html
sandeep078,DockerHub account name,https://www.trendmicro.com/en_za/research/22/i/security-breaks-teamtnts-dockerhub-credentials-leak.html
adminz,IAM user name,https://www.invictus-ir.com/news/ransomware-in-the-cloud
deploy,IAM user name,https://www.invictus-ir.com/news/ransomware-in-the-cloud
s3mize,IAM user name,https://www.invictus-ir.com/news/ransomware-in-the-cloud
administrateurs,IAM user name,https://x.com/tekdefense/status/1746918301555396823
ses_legion,IAM user name,https://permiso.io/blog/s/legion-mass-spam-attacks-in-aws/
Owner:ms.boharas,IAM user tag key:value pair,https://www.cadosecurity.com/blog/legion-an-aws-credential-harvester-and-smtp-hijacker
jSDSgnditikunggobloktolol,IAM user name,https://www.sentinelone.com/labs/predator-ai-chatgpt-powered-infostealer-takes-aim-at-cloud-platforms/
admainkontolpaslodsajijsd21334#1ejeg2shehhe,IAM user password,https://www.sentinelone.com/labs/predator-ai-chatgpt-powered-infostealer-takes-aim-at-cloud-platforms/
nmlmweb3,DockerHub account name,https://securitylabs.datadoghq.com/articles/threat-actors-leveraging-docker-swarm-kubernetes-mine-cryptocurrency/
4AYe7ZbZEAMezv8jVqnagtWz24nA8dkcPaqHa8p8MLpqZvcWJSk7umPNhDuoXM2KRXfoCB7N2w2ZTLmTPj5GgoTvBipk1s9,XMRig user string,https://securitylabs.datadoghq.com/articles/threat-actors-leveraging-docker-swarm-kubernetes-mine-cryptocurrency/
robbertignacio328832/oracleiv_latest,Container image name,https://www.cadosecurity.com/blog/oracleiv-a-dockerised-ddos-botnet
metal3d/xmrig,Container image name,https://github.com/silascutler/dockerhoneypot-logs
docker72590/apache,Container image name,https://github.com/silascutler/dockerhoneypot-logs
fuhou/borg,Container image name,https://github.com/silascutler/dockerhoneypot-logs
jocker0314/alpine,Container image name,https://github.com/silascutler/dockerhoneypot-logs
kazutod/gaga,Container image name,https://github.com/silascutler/dockerhoneypot-logs
kazutod/zep,Container image name,https://github.com/silascutler/dockerhoneypot-logs
kirito666/blackt,Container image name,https://github.com/silascutler/dockerhoneypot-logs
megawebmaster/dockgeddon,Container image name,https://github.com/silascutler/dockerhoneypot-logs
peer2profit/peer2profit_linux,Container image name,https://github.com/silascutler/dockerhoneypot-logs
pmietlicki/xmrig,Container image name,https://github.com/silascutler/dockerhoneypot-logs
pmietlicki/xmrigcc,Container image name,https://github.com/silascutler/dockerhoneypot-logs
xululol/unminerxmr,Container image name,https://github.com/silascutler/dockerhoneypot-logs
alp1ne,DockerHub account name,https://github.com/silascutler/dockerhoneypot-logs
DAFyut,Container name,https://github.com/silascutler/dockerhoneypot-logs
lin_alpine,Container name,https://github.com/silascutler/dockerhoneypot-logs
weavesc0pe,Container name,https://github.com/silascutler/dockerhoneypot-logs
kube-edagent,Container name,https://www.trendmicro.com/en_us/research/24/j/attackers-target-exposed-docker-remote-api-servers-with-perfctl-.html
mailer-sns-smtp,IAM user name,https://sysdig.com/blog/emeraldwhale/
mizaruveryhq,IAM user name,https://sysdig.com/blog/emeraldwhale/
s3-admin,IAM user name,https://sysdig.com/blog/emeraldwhale/
SupportAWS,IAM user name,https://sysdig.com/blog/emeraldwhale/
SupportAWS123,IAM user password,https://sysdig.com/blog/emeraldwhale/
@Myregular2910Evolutions@,IAM user password,https://sysdig.com/blog/emeraldwhale/
Smiles[.]com[.]br,CompanyWebsite in use case for model access,https://permiso.io/blog/exploiting-hosted-models
supdev,IAM user name,https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor
713521355166,AWS account ID,https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor
SupportAWS,IAM role name,https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor
^[A-Z][a-z]{5}[0-9]{3}$,IAM user name regex,Wiz Research
New_Policy,IAM policy name,Wiz Research
adminuserdevs,IAM user name,https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/
develops,IAM user name,https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/
Gh0st_808,IAM user name,https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/
Gh0st_365,IAM user name,https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/
rootdev,IAM user name,https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/
ses2,IAM user name,https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/
warkopi,IAM user name,https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/
Java_Ghost,Security group name,https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/
We Are There But Not Visible,Security group description,https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/
Administratorsz,Security group name,https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-the-attacker-doth-persist-too-much/#routine-attacker-tactics
--------------------------------------------------------------------------------

/reports/0ktapus_dom_templates.md:
--------------------------------------------------------------------------------
| DOM Template | Unique Characteristics | Domain Example | References | Activity Period |
| --- | --- | --- | --- | --- |
| A | `bundles/modernizr` + `WebResource.axd, /Scripts/jquery-2.2.3.min.js` + page title is “CMS Dashboard Login” + error in height tag + dynamic placeholder attribute (for example `Email or Username`, `Username`, `Username or Email`, `someone@bt[.]com`, `SSO ID`, etc.; see the full list of observed values in the IOCs table) [(example query)](https://urlscan.io/search/#filename%3A%22%2Fbundles%2Fmodernizr%22%20AND%20filename%3A%22%2FWebResource.axd%22%20AND%20filename%3A%22%2FScripts%2Fjquery-2.2.3.min.js%22) | revolut-ticket[.]com | This is the most common template observed in recent months, with domains using it reported by [EclecticIQ](https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries) and [Cyber Resilience](https://www.cyberresilience.com/threatonomics/resilience-threat-researchers-identify-new-campaigns-from-scattered-spider/), among others. | May ’23 – Today |
| B | Hidden link to `hxxps://n[redacted].okta[.]com` + POST of victim credentials to `f[redacted][.]php` while redirecting the victim to `factor.html` / 2FA + form information is submitted to `factor.php` [(example query)](https://urlscan.io/search/#hash%3A4ae2d449cc534f746e351500a78ed83b2b4555cdf22a49e2e5ef48b10ec55bd6%20OR%20hash%3A524ebcfcf42b34231a20d42858b59063f55fc4ef8100bd6662b3f73c585eb5f0) | gemini-sso[.]com | This template has been extensively studied previously, and reported on by [TLP_R3D](https://x.com/TLP_R3D/status/1845069812919157114?t=9nGoI9rPMztU4_tkKhVBEA&s=19). | Nov ’23 – Today |
| C | Image tag with keyword `_nuxt` [(example query)](https://urlscan.io/search/#filename%3A%20%22_nuxt%2Fimg%2Fdefault.2dc2af8.png%22) | att-mfa[.]com | This template was first reported by [Group-IB](https://www.group-ib.com/blog/0ktapus/). | Jul ’22 – Apr ’24 |
| D | `Poll.js` + `init.js` + `${credential}:${password}` [(example query)](https://urlscan.io/search/#hash%3Ac8ff5a54213c5ac0146b1ffe36974b07113f9f7060f951d5f80b93befa3b03f2) | stargate-okta[.]com | Domains using this DOM template were reported by [TLP_R3D](https://mobile.x.com/TLP_R3D/status/1836737521260109998). | Sep ’24 – Today |
| E | POST to `login/email` or `login/identifier` + `htmx.min.js` + `email` + `ttl` [(example query)](https://urlscan.io/search/#filename%3A%22htmx.min.js%22%20AND%20filename%3A%20%22ttl%22%20AND%20(filename%3A%20%22email%22%20OR%20filename%3A%20%22identifier%22)) | dashboard-mailgun[.]com | Wiz Research surfaced this template by examining domain registrations linked to common nameservers known to be used by 0ktapus. | Oct ’24 |
| F | SHA256 hash of DOM: `fb1d07ab6c54c7380a93a507b48bc5ba0aee77ca32b7d4c57c38f007857a6fd1` [(example query)](https://urlscan.io/search/#hash%3Afb1d07ab6c54c7380a93a507b48bc5ba0aee77ca32b7d4c57c38f007857a6fd1) | mgmresorts-okta[.]com | The domain using this template was reported by [Sekoia](https://blog.sekoia.io/scattered-spider-laying-new-eggs/#h-iocs-amp-technical-details). | Aug ’22 |
| G | SHA256 hash of DOM: `95a0eca17ee49bebb333bbb1c96ab54ed361c2f233b2adf8c4374814c633a53b` [(example query)](https://urlscan.io/search/#hash%3A95a0eca17ee49bebb333bbb1c96ab54ed361c2f233b2adf8c4374814c633a53b) | calendar-dd[.]com | Wiz Research surfaced a domain using this template by pivoting on hashes associated with several of 0ktapus’s other known phishing domains. | Sep ’22 |
| H | POST victim data to `../tmo/data/login.php` [(example query)](https://urlscan.io/search/#hash%3Aa28b40bc981d9168cf4c644909d391183225b3ce489eb5fd6b85bc162389e683) | t-mobile-okta[.]com | A domain using this template was reported by [SilentPush](https://www.silentpush.com/blog/scattered-spider/). | Sep ’23 |
| I | Images and fonts encoded with base64 [(example query)](https://urlscan.io/search/#hash%3A%2026c95a36c1fdae05b7dc9bee50dca1439e884d8c9c0f79d482cc827990d369f5) | intercom-okta[.]com | A domain using this template was reported by [TLP_R3D](https://mobile.x.com/TLP_R3D/status/1837083934900789424). | Nov ’23 – Apr ’24 |
| J | `authorization.php` with SHA256 hash `69b575025bd763e58fcb95035b9b6e358f43737d91e01ebdaa19934e0206a966` + POSTing victim response to `files/common.php` [(example query)](https://urlscan.io/search/#hash%3A69b575025bd763e58fcb95035b9b6e358f43737d91e01ebdaa19934e0206a966) | klav-workday[.]com | Wiz Research was able to surface this template by pivoting on an image replicated from a legitimate site and used by 0ktapus on a known phishing domain. | Mar ’23 |
| K | `index-CDmh8I23.js` + `index-aNURsHR-.css` [(example query)](https://urlscan.io/search/#filename%3ACDmh8I23.js%20AND%20filename%3Aindex-aNURsHR-.css) | grid-review[.]com | Wiz Research surfaced this template by pivoting on scripts used by 0ktapus on several known phishing domains. | Sep ’24 |
| L | SHA256 hash of DOM: `98ca25eef00efcafee4f9cb07908776d0ad976296a5e6eb07a724c31ae4bfc61` [(example query)](https://urlscan.io/search/#hash%3A98ca25eef00efcafee4f9cb07908776d0ad976296a5e6eb07a724c31ae4bfc61) | rejectauth-sendgrid[.]com | Wiz Research surfaced this template by pivoting on scripts used by 0ktapus on several known phishing domains. | Aug ’24 – Today |
--------------------------------------------------------------------------------

/reports/0ktapus_phishing.csv:
--------------------------------------------------------------------------------
Indicator,Type,Description,Confidence of 0ktapus Attribution,Previously Known,Activity Period
forward-icloud[.]com,Domain,Domain hosting phishing kit used by 0ktapus,High,Yes,14.8.2024
acwa-internal[.]com,Domain,"Hosted on same IP address (142.93.3[.]117) as apple-vpn[.]com, acwa-apple[.]com",Medium,Yes,16.9.2024
twitter-okta[.]com,Domain,Hosted on same IP address (80.78.22[.]244) as okta-ouryahoo[.]com,Medium,Yes,6.10.2024
activecampaign-hr[.]com,Domain,Phishing domain,Low,No,6.5.2024
activecampainhr[.]com,Domain,Phishing domain,Low,No,15.5.2024
block-hr[.]com,Domain,Phishing domain,High,Yes,18.5.2024
block-sso[.]com,Domain,Phishing domain,High,Yes,9.11.2023
cashsso[.]com,Domain,Phishing domain,High,Yes,9.11.2023
hr-gnc[.]com,Domain,Phishing domain,High,No,7.5.2024
login.block-hr[.]com,Domain,Phishing domain,High,Yes,18.5.2024
uscellular-sso[.]com,Domain,Phishing domain,High,Yes,6.5.2024
sunrise-crypto[.]com,Domain,Phishing domain,Medium,No,29.9.2024
expediagroup-servicenow[.]com,Domain,Phishing domain for Expedia Group,High,Yes,9.6.2024
adasupport-okta[.]com,Domain,Phishing domain for Ada CX,Medium,No,15.4.2024
alchemy-okta[.]com,Domain,Phishing domain for Alchemy,Medium,No,3.4.2024
auth-alchemy[.]com,Domain,Phishing domain for Alchemy,Medium,No,3.4.2024
login.ally-hr[.]com,Domain,Phishing domain for Ally,High,Yes,20.4.2024
login.corporate-ally[.]com,Domain,Phishing domain for Ally,High,Yes,20.4.2024
amica-hr[.]com,Domain,Phishing domain for Amica,Medium,Yes,22.4.2024
hanover-hr[.]com,Domain,Phishing domain for Amica,Medium,Yes,22.4.2024
sharing-folders[.]com,Domain,Phishing domain for Amica,Medium,Yes,15.4.2024
login.realogy-hr[.]com,Domain,Phishing domain for Anywhere Real Estate,High,Yes,5.5.2024
acwa-apple[.]com,Domain,Phishing domain for Apple,Medium,No,16.9.2024
apple-vpn[.]com,Domain,Phishing domain for Apple,Medium,No,16.9.2024
sync-apple[.]com,Domain,Phishing domain for Apple,Medium,No,19.9.2024
okta-blockdaemon[.]com,Domain,Phishing domain for Blockdaemon,Medium,No,5.3.2024
authenticate-bt[.]com,Domain,Phishing domain for BT,High,Yes,10.6.2024
www.authenticate-bt[.]com,Domain,Phishing domain for BT,High,Yes,4.8.2024-5.8.2024
cellularsaies[.]com,Domain,Phishing domain for Cellular Sales,High,Yes,31.3.2024
okta.cellularsaies[.]com,Domain,Phishing domain for Cellular Sales,High,Yes,31.3.2024
clicksend-staging[.]com,Domain,Phishing domain for ClickSend,Medium,Yes,29.4.2024
okta-cbhq[.]net,Domain,Phishing domain for CoinBase,High,No,14.10.2024
commonspiritcorp-okta[.]com,Domain,Phishing domain for Common Spirit,High,No,14.10.2024
condenast-hub-okta-emea[.]com,Domain,Phishing domain for Conde Nast,Medium,Yes,29.9.2024
consensys-okta[.]com,Domain,Phishing domain for Consensys,Medium,Yes,17.9.2024
corescientific-okta[.]com,Domain,Phishing domain for CoreScientific,Medium,No,29.3.2024
settings-okta[.]com,Domain,Phishing domain for CoreScientific,Medium,No,6.12.2023
docusignhq[.]net,Domain,Phishing domain for DocuSign,High,No,14.10.2024
docusign-okta[.]com,Domain,Phishing domain for DocuSign,High,No,14.10.2024
account.kemper-support[.]com,Domain,Phishing domain for DoorDash,High,Yes,19.5.2024
calendar-dd[.]com,Domain,Phishing domain for DoorDash,Medium,No,26.9.2022
login.doordash-support[.]com,Domain,Phishing domain for DoorDash,Medium,Yes,19.5.2024
okta-verify[.]com,Domain,Phishing domain for DoorDash,Low,No,2.9.2020
www[.]dashsso[.]com,Domain,Phishing domain for DoorDash,Medium,No,17.11.2023
epic-servicedesk[.]com,Domain,Phishing domain for Epic,High,Yes,20.5.2023
sso-falconx[.]com,Domain,Phishing domain for FalconX,Medium,No,6.12.2023
fico-servicenow[.]com,Domain,Phishing domain for FICO,High,Yes,9.6.2024
five9-hr[.]com,Domain,Phishing domain for Five9,High,Yes,20.5.2024
login.five9-hr[.]com,Domain,Phishing domain for Five9,High,Yes,20.5.2024
corp-foundever[.]com,Domain,Phishing domain for foundever,High,Yes,24.3.2024
corp-foundever[.]net,Domain,Phishing domain for foundever,High,Yes,25.3.2024
foundever-sso[.]com,Domain,Phishing domain for foundever,High,Yes,24.3.2024
galaxy-okta[.]com,Domain,Phishing domain for Galaxy,Medium,No,5.12.2023
okta-gamestop[.]com,Domain,Phishing domain for GameStop,High,No,3.10.2024
gemini-sso[.]com,Domain,Phishing domain for Gemini,High,Yes,6.5.2024
prntsrc[.]net,Domain,Phishing domain for Gemini,Medium,Yes,16.5.2024
stargate-sso[.]com,Domain,Phishing domain for Gemini,High,Yes,6.5.2024
stargatesso-gemini[.]com,Domain,Phishing domain for Gemini,Medium,Yes,12.10.2024
binance-us-okta[.]com,Domain,"Phishing domain for Gemini, refers to https://stargate.okta.com/help/login",High,Yes,20.9.2024
gofundme-okta[.]com,Domain,Phishing domain for GoFundMe,Medium,No,11.3.2024
grayscale-okta[.]com,Domain,Phishing domain for Grayscale,Medium,No,5.12.2023
grubhubsso[.]com,Domain,Phishing domain for GrubHub,High,Yes,22.1.2024
grubhub-support[.]com,Domain,Phishing domain for GrubHub,High,Yes,19.5.2024
login.grubhub-support[.]com,Domain,Phishing domain for GrubHub,High,Yes,19.5.2024
corporate-huntington[.]com,Domain,Phishing domain for Huntington,High,Yes,20.4.2024
sso.ibexgiobal[.]com,Domain,Phishing domain for Ibex Global,High,Yes,22.4.2024
intercom-hr[.]com,Domain,Phishing domain for Intercom,Medium,Yes,15.5.2024
intercom-okta[.]com,Domain,Phishing domain for Intercom,Medium,No,5.3.2024
intercomsso[.]net,Domain,Phishing domain for Intercom,High,Yes,14.11.2023
login.hr-intercom[.]com,Domain,Phishing domain for Intercom,High,No,16.5.2024
okta-intercom[.]com,Domain,Phishing domain for Intercom,High,No,18.4.2023
itbit-okta[.]com,Domain,Phishing domain for Itbit,Medium,Yes,5.12.2023
jacksonhewitt-service[.]com,Domain,Phishing domain for Jackson Hewitt,High,Yes,20.5.2024
account.klaviyo-hr[.]com,Domain,Phishing domain for Klaviyo,High,Yes,16.5.2024
klaviyocorp[.]net,Domain,Phishing domain for Klaviyo,High,Yes,16.11.2023
klaviyo-hr[.]com,Domain,Phishing domain for Klaviyo,High,Yes,16.5.2024
klaviyo-vpn[.]com,Domain,Phishing domain for Klaviyo,Low,No,30.3.2023
klav-workday[.]com,Domain,Phishing domain for Klaviyo,Low,No,31.3.2023
login.klaviyo-hr[.]com,Domain,Phishing domain for Klaviyo,High,Yes,16.5.2024
sso-klaviyo[.]com,Domain,Phishing domain for Klaviyo,Low,No,25.3.2023
louisvuitton-okta[.]com,Domain,Phishing domain for Louis Vuitton (similar to older phishing domain louisvuitton.okta-lv[.]com),Medium,No,6.10.2024
luno-okta[.]com,Domain,Phishing domain for Luno,Medium,No,29.3.2024
dashboard-mailgun[.]com,Domain,Phishing domain for Mailgun,Medium,No,14.10.2024
review-mailgun[.]com,Domain,Phishing domain for Mailgun,Medium,No,3.10.2024
verify-mailgun[.]com,Domain,Phishing domain for Mailgun,Medium,No,9.10.2024
okta-campaignmonitor[.]com,Domain,Phishing domain for Marigold,Medium,No,28.2.2024
markel-hr[.]com,Domain,Phishing domain for Markel,Medium,No,23.4.2024
mgmresorts-okta[.]com,Domain,Phishing domain for MGM Resorts,High,Yes,4.8.2022
newyorklifehr[.]com,Domain,Phishing domain for New York Life Insurance Company,Medium,Yes,24.4.2024
login.nfp-hr[.]com,Domain,Phishing domain for NFP,High,Yes,24.4.2024
nfp-hr[.]com,Domain,Phishing domain for NFP,High,Yes,24.4.2024
nike-support[.]com,Domain,Phishing domain for Nike,Medium,Yes,14.6.2022
okta-nydig[.]com,Domain,Phishing domain for NYDIG,Medium,No,29.3.2024
okta-onsolve[.]com,Domain,Phishing domain for OnSolve,Medium,No,6.2.2024
onsolve-okta[.]com,Domain,Phishing domain for OnSolve,Medium,No,6.2.2024
paxos-okta[.]com,Domain,Phishing domain for Paxos,Medium,No,5.3.2024
login.corporate-pnc[.]com,Domain,Phishing domain for PNC,High,Yes,20.4.2024
cinfin-hr[.]com,Domain,Phishing domain for Podium,Medium,Yes,22.4.2024
mercury-hr[.]com,Domain,Phishing domain for Podium,Medium,Yes,22.4.2024
mutualofomaha-hr[.]com,Domain,Phishing domain for Podium,Medium,Yes,22.4.2024
podium-hr[.]com,Domain,Phishing domain for Podium,Medium,Yes,22.4.2024
revolut-ticket[.]com,Domain,Phishing domain for Revolut,High,Yes,4.8.2024-5.8.2024
okta-ripple[.]com,Domain,Phishing domain for Ripple,Medium,No,18.4.2024
ripple-okta[.]com,Domain,Phishing domain for Ripple,Medium,No,18.4.2024
login.rbx-hr[.]com,Domain,Phishing domain for Roblox,High,Yes,18.5.2024
rbx.okta[.]bio,Domain,Phishing domain for Roblox,Low,No,7.12.2024
rbx-corp[.]com,Domain,Phishing domain for Roblox,High,Yes,31.10.2023
rbx-hr[.]com,Domain,Phishing domain for Roblox,High,Yes,18.5.2024
rbxhr[.]net,Domain,Phishing domain for Roblox,High,Yes,27.1.2024
rbx-servicedesk[.]com,Domain,Phishing domain for Roblox,High,Yes,14.5.2023
roblox-hrs[.]com,Domain,Phishing domain for Roblox,High,Yes,27.1.2024
account.securian-hr[.]com,Domain,Phishing domain for Securian,High,Yes,16.5.2024
login.securian-hr[.]com,Domain,Phishing domain for Securian,High,Yes,16.5.2024
securian-hr[.]com,Domain,Phishing domain for Securian,High,Yes,16.5.2024
contact-sendgrid[.]com,Domain,Phishing domain for SendGrid,Medium,No,18.9.2024
manageactivity-sendgrid[.]com,Domain,Phishing domain for SendGrid,Medium,No,13.9.2024
sendgrid-account[.]com,Domain,Phishing domain for SendGrid,Medium,No,8.9.2024
sessions-sendgrid[.]com,Domain,Phishing domain for SendGrid,Medium,No,2.9.2024
grid-review[.]com,Domain,Phishing domain for SendGrid,Medium,No,10.9.2024
account-sendgrid[.]com,Domain,Phishing domain for SendGrid,Medium,No,9.9.2024
sendgrid-overview[.]com,Domain,Phishing domain for SendGrid,Medium,No,9.9.2024
twillio-sendgrid[.]com,Domain,Phishing domain for SendGrid,Medium,No,20.9.2024
rejectauth-sendgrid[.]com,Domain,Phishing domain for SendGrid,Medium,No,22.8.2024
servicenowprod[.]com,Domain,Phishing domain for ServiceNow,High,No,12.10.2024
resolveservicedesk[.]com,Domain,Phishing domain for ServiceNow,High,No,10.10.2024
snapchat-okta[.]com,Domain,Phishing domain for Snap,High,No,14.10.2024
squarespacehr[.]com,Domain,Phishing domain for SquareSpace,Medium,Yes,29.5.2024
squarespace-okta[.]com,Domain,Phishing domain for SquareSpace,Medium,Yes,18.11.2023
squarespace-hr[.]com,Domain,Phishing domain for SquareSpace,Medium,Yes,25.4.2024
login.suniife[.]com,Domain,Phishing domain for Sun Life Financial,Medium,Yes,20.4.2024
login.synchronyfinanciai[.]com,Domain,Phishing domain for Synchrony,High,No,26.4.2024
ping.taskus-sso[.]com,Domain,Phishing domain for TaskUs,High,Yes,19.5.2024
teleperformance-incident[.]com,Domain,Phishing domain for Teleperformance,High,Yes,2.11.2023
telesignhr[.]com,Domain,Phishing domain for TeleSign,Medium,Yes,22.4.2024
telint-helpdesk[.]com,Domain,Phishing domain for Telus,High,Yes,27.8.2023
login.thrivent-hr[.]com,Domain,Phishing domain for Thrivent,High,Yes,25.4.2024
thrivent-hr[.]com,Domain,Phishing domain for Thrivent,High,Yes,25.4.2024
corp-cox[.]com,Domain,Phishing domain for T-mobile,High,Yes,15.4.2024
t-mobile-okta[.]com,Domain,Phishing domain for T-mobile,High,Yes,6.10.2023
verify-tmobile[.]com,Domain,Phishing domain for T-mobile,Medium,No,27.8.2024
storewatch-tmobile[.]com,Domain,Phishing domain for T-mobile,Medium,No,25.9.2024
t-mobiie[.]net,Domain,"Phishing domain for T-mobile; on 28.9.2022 this domain hosted a phishing page for Symantec",High,Yes,"9.6.2022, 28.9.2022"
ally-hr[.]com,Domain,Phishing domain for Transamerica,High,Yes,21.4.2024
corporate-ally[.]com,Domain,Phishing domain for Transamerica,High,Yes,21.4.2024
transamerica-hr[.]com,Domain,Phishing domain for Transamerica,High,Yes,21.4.2024
login.transamerica-hr[.]com,Domain,Phishing domain for Transamerica Life Companies,High,Yes,20.4.2024
okta-twilio[.]com,Domain,Phishing domain for Twilio,Medium,No,18.4.2024
typeform-okta[.]com,Domain,Phishing domain for TypeForm,Medium,No,28.3.2024
ultahub[.]com,Domain,Phishing domain for Ulta Beauty,Medium,Yes,20.9.2024
ultainternal[.]com,Domain,Phishing domain for Ulta Beauty,Medium,Yes,20.9.2024
unchainedprod-okta[.]com,Domain,Phishing domain for Unchained,Medium,Yes,23.9.2024
login.unumhr[.]com,Domain,Phishing domain for UNUM,High,Yes,24.4.2024
login.unum-hr[.]com,Domain,Phishing domain for UNUM,High,Yes,24.4.2024
unumhr[.]com,Domain,Phishing domain for UNUM,High,Yes,24.4.2024
login.uscc-hr[.]com,Domain,Phishing domain for UScellular,High,Yes,20.5.2024
tickets.zapto[.]org,Domain,Phishing domain for UScellular,Low,No,12.8.2024
uscc-hr[.]com,Domain,Phishing domain for UScellular,High,Yes,5.6.2024
connect-asurion[.]net,Domain,Phishing domain for Verizon,High,Yes,28.3.2024
supporthub-iqor[.]com,Domain,Phishing domain for Verizon,High,Yes,28.3.2024
vzapps-vzn[.]com,Domain,Phishing domain for Verizon,High,Yes,28.3.2024
xapo-okta[.]com,Domain,Phishing domain for Xapo Bank,Medium,No,5.3.2024
ouryahoo[.]okta[.]com[.]shortid[.]support,Domain,Phishing domain for Yahoo,Medium,No,13.12.2023
ziffdavis-okta[.]com,Domain,Phishing domain for Ziff-Davis,Medium,No,29.2.2024
uscc-hr[.]com,Domain,Phishing domain,High,Yes,6.5.2024
stargate-okta[.]com,Domain,Phishing domain for Gemini,Medium,Yes,19.9.2024
concentrix-servicedesk[.]com,Domain,Phishing domain for Concentrix,High,Yes,14.5.2023
login[.]doordash-support[.]com,Domain,Phishing domain for DoorDash,High,Yes,19.5.2024
okta-verify[.]com,Domain,Phishing domain for DoorDash,Low,No,2.9.2020
ibexgiobal[.]com,Domain,Phishing domain for Ibex,High,Yes,22.4.2024
mixpanel-okta[.]com,Domain,Phishing domain for Mixpanel,Medium,No,6.3.2024
robinhood-servicedesk[.]com,Domain,Phishing domain for Robinhood,High,Yes,13.5.2023
zendesk-servicedesk[.]com,Domain,Phishing domain for Zendesk,High,Yes,28.5.2023
okta-ouryahoo[.]com,Domain,"Phishing page for Yahoo, similar to older phishing domains ouryahoo-okta[.]org, ouryahoo-okta[.]net, ouryahoo-okta[.]com",Medium,No,8.10.2024
gd-okta[.]com,Domain,Phishing domain for GoDaddy,High,No,14.10.2024
142.93.3[.]117,IP Address,"Hosting apple-vpn[.]com, acwa-internal[.]com, acwa-apple[.]com",Medium,,16.9.2024-25.9.2024
80.78.25[.]254,IP Address,Hosting condenast-hub-okta-emea[.]com,Medium,,29.9.2024
80.78.24[.]166,IP Address,Hosting consensys-okta[.]com,Medium,,17.9.2024
80.78.28[.]234,IP Address,Hosting louisvuitton-okta[.]com,Medium,,5.10.2024-6.10.2024
179.43.187[.]101,IP Address,Hosting okta-intercom[.]com,High,,18.4.2023
193.149.176[.]19,IP Address,Hosting phishing page,Low,,20.5.2024
68.183.20[.]231,IP Address,Hosting phishing page for Amica and hosting amica-hr[.]com and hanover-hr[.]com,Medium,,21.4.2024-29.4.2024
161.35.98[.]8,IP Address,Hosting phishing page for ClickSend and hosting clicksend-staging[.]com,Medium,,29.4.2024-6.5.2024
67.217.228[.]42,IP Address,Hosting phishing page for foundever and also hosting corp-foundever[.]net,High,,25.3.2024-7.4.2024
162.33.179[.]76,IP Address,"Hosting phishing page for Gemini; also hosted gemini-sso[.]com, stargate-sso[.]com, uscellular-sso[.]com",Medium,,6.5.2024-14.5.2024
67.205.185[.]135,IP Address,Hosting phishing page for New York Life Insurance Company and hosting newyorklifehr[.]com,Medium,,24.4.2024-30.4.2024
161.35.96[.]229,IP Address,"Hosting phishing page for Podium and hosting podium-hr[.]com, cinfin-hr[.]com, mercury-hr[.]com",Medium,,22.4.2024-30.4.2024
144.202.121[.]111,IP Address,Hosting phishing page for SquareSpace and hosting activecampaignhr[.]com,Medium,,25.4.2024
64.95.13[.]215,IP Address,Hosting resolveservicedesk[.]com,High,,9.10.2024-10.10.2024
80.78.24[.]176,IP Address,"Hosting stargate-okta[.]com, mcointernal-okta[.]com and binance-us-okta[.]com",Medium,,19.9.2024
138.68.47[.]14,IP Address,Hosting sync-apple[.]com,Medium,,17.9.2024-26.9.2024
80.78.22[.]244,IP Address,Hosting twitter-okta[.]com and okta-ouryahoo[.]com,Medium,,6.10.2024-9.10.2024
137.220.43[.]146,IP Address,Hosts pfchangs-support[.]com and securian-hr[.]com,High,,16.5.2024-27.5.2024
45.77.122[.]253,IP Address,"Hosts phishing page for Roblox; also hosted teleperformance-incident[.]com and rbx-corp[.]com",High,,31.10.2023-9.11.2023
216.245.184[.]53,IP Address,"Phishing page for Gemini, hosting stargatesso[.]com and prntsrc[.]net",Low,,16.5.2024-20.5.2024
69b575025bd763e58fcb95035b9b6e358f43737d91e01ebdaa19934e0206a966,Sha256,authorization.php on klav-workday[.]com,Low,No,
0acb0fc9762e4359f562794011d77317c78f7b68cec08b715d98ed16ba761fac,Sha256,DOM of apple-vpn[.]com,Medium,0/58 on VT,
6604762c149476ff2f833b336d5077d2ac349bccacdf70eb86af28105028fbe0,Sha256,DOM of sendgrid-account[.]com,Medium,Not on VT,
00cc2176062c84db97399bb8761803d15ad1edf4b23eccb74979bb79d2a483ab,Sha256,DOM with the placeholder - Okta Username (Email),High,Not on VT,
a226437823c213da4b2f4cfdedc87bfa88204b17a0aebca1a33c3d6055178616,Sha256,DOMs with the placeholder - example@domain.com,High,Not on VT,
a23a15cf02ff5bfdf1b51335af4b91ca96c436781b9791280ab8c470643d07d7,Sha256,DOMs with the placeholder - Domain\Username,High,Not on VT,
c1e6d17cdae38320041149688fdab35409c2d466319873f33390b801b130dae4,Sha256,DOMs with the placeholder - Email,High,Not on VT,
f8b7bb31e7e8c574d74e52eba7dcf3de48c7f5fa6d39d64685d39355d688defb,Sha256,DOMs with the placeholder - Email or Username,High,0/63 on VT,
807865ab553996e521995c6624a41e026ef06f5370e1cad6a9647a68f7474798,Sha256,DOMs with the placeholder - F5 Username,High,Not on VT,
0cea1ff596fe9a73f77bcd99ec9c77b69c27408a1b1c1c756300ef3db4c3c41f,Sha256,DOMs with the placeholder - Five9 Domain Login (Ex.
JDoe) ,High ,2/63 on VT, 209 | 9fea58b71ce27a360735a0ebe4badb2f0e1d17ed1b4baa229a568aec987c802c,Sha256,DOMs with the placeholder - Lan ID,High ,0/63 on VT, 210 | 436831126b5851ba76cd7bedc687ef08538fc639f7cc5e8665488aecfaeaf735 ,Sha256,DOMs with the placeholder - someone@bt.com,High ,Not on VT, 211 | ab9f02f9eae92f52c983e18dafa2142203afe96a4f4a2390e061812989186e77 ,Sha256,DOMs with the placeholder - SSO ID ,High ,Not on VT, 212 | 695bd0671a2d91d7087abb3c314f59cca2b52f05411aca478e208c4648616486,Sha256,DOMs with the placeholder - Username ,High ,2/63 on VT, 213 | 5dd491b89daadabfe8419d5d1e436a6dd9b4eea25fc4ba5898e6a1bca34f06e9 ,Sha256,DOMs with the placeholder - Username ,High ,0/65 on VT, 214 | 46e7cf1fb46a73f098fa6f0f46732bdd298af690ec1452fac9b97884ca8b5a39 ,Sha256,DOMs with the placeholder - Username or Email,High ,0/65 on VT, 215 | 1f28bdadbf55e8c7023c4ac754eb963b776847e2d1826d8cf396b01807185f70,Sha256,DOMs with the placeholder - Work email,High ,Not on VT, 216 | 7d7ab8c1e2e469539e0d85d2b2166238c71bfd40ae7a373babf3744fc89a0ef8,Sha256,"HTML page of binance-us-okta[.]com, stargate-okta[.]com, louisvuitton-okta[.]com and more contains https://stargate.okta[.]com/help/login and https://stargate.okta[.]com/privacy",High ,0/63 on VT, 217 | 4ae2d449cc534f746e351500a78ed83b2b4555cdf22a49e2e5ef48b10ec55bd6,Sha256,"HTML page of uscellular-sso[.]com, gemini-sso[.]com and stargate-sso[.]com, contains https://nigga.okta[.]com/help/login",High ,Not on VT, 218 | 3aeba4ab4ed3a5005444f108e6e54bc50c8c02421c1e6cfceab915e1de5cf862 ,Sha256,HTML response of binance-sso[.]com and  epic-servicedesk[.]com ,High ,Not on VT, 219 | 53bb86ab4f9bf507d1f186b5be98f80960db4243afead96ef8ce6eafb2346587,Sha256,HTML response of grubhubsso[.]com ,High ,Not on VT, 220 | d03ce20518692e3c2adc3f578ba92cab5e19f014664438b729d431a24be1823f,Sha256,HTML response of login.servicenow-help[.]com,Medium,Not on VT, 221 | af1ddeab240bc7321e8c3dfc400ac8273e03af1ce0da9ed73e47570189795e4c ,Sha256,HTML response of 
uscc-hr[.]com placeholder - User ID ,High ,Not on VT, 222 | dd4782fc37ada8c2411fd65877eb3c3199aa67224ffa6c65b81c2e4b8658f727 ,Sha256,image hosted by several phishing domains,Low,Not on VT, 223 | c8ff5a54213c5ac0146b1ffe36974b07113f9f7060f951d5f80b93befa3b03f2,Sha256,"init.js on binance-us-okta[.]com okta-ouryahoo[.]com, louisvuitton-okta[.]com, binance-us-okta[.]com, stargate-okta[.]com, consensys-okta[.]com",Medium,Not on VT, 224 | ce91909e4a421b6377468d22c6d68438da717c300a1b1326177aab3d01b5abee,Sha256,login page of contact-sendgrid[.]com,Medium,0/63 on VT, 225 | 8293806652949fc5056d2b841ad30010a8e83e0e6adfb102ef83c73bdea074eb ,Sha256,login.css file found on several phishing domains,High ,Not on VT, 226 | 1d55d14c08eb1d61344f19d17f48b81cca3c4a24f54a0ee3707cf59b296db314 ,Sha256,"Matches YARA rule for ""https://nigga.okta[.]com/help/login""",Low,0/65 on VT, 227 | 2d640430ec60721437ca4d5ff64d16cb0d3febce2e206fa749a9f8e007f9a5ae ,Sha256,"Matches YARA rule for ""https://nigga.okta[.]com/help/login""",Medium,2/62 on VT, 228 | 8683370db6d2b7f5137199f0a6b012fcd09cfff6afb30064a23b3339927ed9c9 ,Sha256,"Matches YARA rule for ""https://nigga.okta[.]com/help/login""",Medium,0/65 on VT, 229 | 9833c1b277759b26478c88afe74680d5fbf3efff535dd803b1a3ebe4e7b8d466 ,Sha256,"Matches YARA rule for ""https://nigga.okta[.]com/help/login""",Low,0/65 on VT, 230 | c05d6607585f882476b6b7c9a39fd0bd2bb7ced3e469d5312971971048e2c594,Sha256,"Matches YARA rule for ""https://nigga.okta[.]com/help/login""",Low,0/65 on VT, 231 | d6cbc900942061d85477bda4dbfd7f77d823e8c08ebe80e1f9ff10bec20b5172 ,Sha256,"Matches YARA rule for ""https://nigga.okta[.]com/help/login""",Low,0/65 on VT, 232 | e534b01f04ad4721f7cde5e173a1098ae537d0f84a30d908d0eddae6a2fc4514,Sha256,"poll.js file on okta-ouryahoo[.]com, louisvuitton-okta[.]com, binance-us-okta[.]com, stargate-okta[.]com, consensys-okta[.]com",High ,Not on VT, 233 | --------------------------------------------------------------------------------