{"id":42232,"date":"2021-08-09T00:00:00","date_gmt":"2021-08-09T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html"},"modified":"2021-08-09T00:00:00","modified_gmt":"2021-08-09T00:00:00","slug":"cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/","title":{"rendered":"Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising Threat Researcher Threat Researcher"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/cinobi-crypto-main.jpg\"><!-- Begin mPulse library --><!-- END mPulse library --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"malware,endpoints,research,articles, news, reports,cyber threats\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2021-08-09\"> <meta property=\"article:tag\" content=\"cyber threats\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html\"> <title>Cinobi Banking Trojan Targets Users of Cryptocurrency Exchanges with New Malvertising Campaign<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html\"><br \/>\n<meta property=\"og:title\" content=\"Cinobi Banking Trojan Targets Users of Cryptocurrency Exchanges with New Malvertising Campaign\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/cinobi-crypto-main.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Cinobi Banking Trojan Targets Users of Cryptocurrency Exchanges with New Malvertising Campaign\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/cinobi-crypto-main.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.543075783757\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"928063194\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9\">\n<div class=\"article-details\" role=\"heading\" readability=\"38\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Threats<\/p>\n<p class=\"article-details__description\">We found a new social engineering-based malvertising campaign targeting Japan that delivered a malicious application. The malicious application abused sideloading vulnerabilities to load and start the Cinobi banking trojan.<\/p>\n<p class=\"article-details__author-by\">By: Jaromir Horejsi, Joseph C Chen <time class=\"article-details__date\">August 09, 2021<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"42.094488188976\">\n<div readability=\"31.570866141732\">\n<p>In a <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/c\/this-week-in-security-news-operation-overtrap-targets-japanese-online-banking-users-and-everything-you-need-to-know-about-tax-scams.html\">previous blog entry<\/a>, we reported on a campaign, which we labeled \u201cOperation Overtrap,\u201d that targeted Japan with a new banking trojan called Cinobi. The campaign, which was perpetrated by a&nbsp; group we named \u201cWater Kappa,\u201d delivered Cinobi via spam. It also delivered the trojan using the Bottle exploit kit, which included newer Internet Explorer exploits <a href=\"https:\/\/twitter.com\/nao_sec\/status\/1381100024919035908\" target=\"_blank\" rel=\"noopener\">CVE-2020-1380<\/a> and <a href=\"https:\/\/twitter.com\/nao_sec\/status\/1384065957585248266\" target=\"_blank\" rel=\"noopener\">CVE-2021-26411<\/a> and was used for <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr?\/us\/security\/news\/cybercrime-and-digital-threats\/malvertising-when-online-ads-attack\">malvertising attacks<\/a> that was distributed only to Microsoft Internet Explorer users. Throughout 2020 and the first half of 2021, we observed limited activity from the Bottle exploit kit, with traffic decreasing during the middle of June \u2014 possibly indicating that the group was turning to new tools and techniques.<\/p>\n<p>Meanwhile, we found a new social engineering-based malvertising campaign targeting Japan that delivered a malicious application disguised as either a free porn game, a reward points application, or a video streaming application. The malicious application abused sideloading vulnerabilities to load and start the Cinobi banking trojan. We consider this to be a new campaign from Water Kappa that is aimed at users of web browsers other than Internet Explorer.<\/p>\n<p>Looking into the Cinobi sample, we found that the overall functionality remained relatively the same, but the configuration had been updated to include several Japanese cryptocurrency exchange websites as part of the target list. The group started to use Cinobi to steal the credentials of its victim\u2019s cryptocurrency account.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig1-cinobi-crypto.png\" alt=\"Timeline of Water Kappa\u2019s activities\"><figcaption>Figure 1. Timeline of Water Kappa\u2019s activities<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p><span class=\"body-subhead-title\">Infection Routine<\/span><\/p>\n<p>The campaign\u2019s infection routine begins when a user received malvertisements that are disguised as advertisements of either Japanese animated porn games, reward points applications, or video streaming applications. While we have observed five different themes of their malvertisements, all of them attempt to trick victims into downloading the same archive with the same malware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig2-cinobi-crypto.png\" alt=\"The landing page for downloading the malicious archive, disguised as a streaming application\"><figcaption>Figure 2. The landing page for downloading the malicious archive, disguised as a streaming application<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38\">\n<div readability=\"21\">\n<p>These malvertisements are likely cloned from legitimate websites by the malicious actor. Minor modifications are then applied, such as the removal of some buttons and the changing of certain information sections. The only buttons that are left lead to the new page \u2014 created by the malicious actor \u2014 that instructs the victims how to download and execute the application.<\/p>\n<p>After clicking on the button with the text \u201cindex.clientdownload.windows\u201d (as shown in figure 2), the landing page starts downloading the ZIP archive, which is followed by instructions for the victim on how to open, extract, and execute the main executable file. The other four malicious ads look visually different, but their behavior and landing page is similar.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig3-cinobi-crypto.png\" alt=\"Instructions for executing the streaming application\"><figcaption>Figure 3. Instructions for executing the streaming application<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>It is important to note that the access to the website is filtered based on the IP address. Non-Japanese IP addresses will see the following error message from Cloudflare.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig4-cinobi-crypto.png\" alt=\"Error shown when the application or game website is accessed from a non-Japanese IP address\"><figcaption>Figure 4. Error shown when the application or game website is accessed from a non-Japanese IP address<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p><span class=\"body-subhead-title\">Analysis of the malware<\/span><\/p>\n<p>After extracting the ZIP archive, we noticed the listing seen in Figure 5. The files that we decided were interesting enough to be analyzed are marked in red.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig5-cinobi-crypto.png\" alt=\"Contents of the ZIP archive containing the game; malicious files are marked in red\"><figcaption>Figure 5. Contents of the ZIP archive containing the game; malicious files are marked in red<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"28.606811145511\">\n<div readability=\"9.5356037151703\">\n<p>Most files are legitimate ones taken from an older version of the \u201c<a href=\"https:\/\/www.logitech.com\/en-us\/product\/capture\" target=\"_blank\" rel=\"noopener\">Logitech Capture<\/a>\u201d application, dated 2018. The legitimate and signed LogiCapture.exe (08FB68EB741BF68F3CFC29A4AD3033D75AD57798ED826D926344015BDB8B0EBB) is instructed in LogiCapture.exe.config via <a href=\"https:\/\/docs.microsoft.com\/en-us\/dotnet\/framework\/configure-apps\/file-schema\/appsettings\/appsettings-element-for-configuration\" target=\"_blank\" rel=\"noopener\">custom application settings<\/a> to load the Xjs.dll library.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig7-cinobi-crypto.png\" alt=\"The encrypted format.cfg shellcode\"><figcaption>Figure 7. The encrypted format.cfg shellcode<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig8-cinobi-crypto.png\" alt=\"The decrypted format.cfg shellcode; strings with file names and rundll32 command are visible\"><figcaption>Figure 8. The decrypted format.cfg shellcode; strings with file names and rundll32 command are visible<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.948096885813\">\n<div readability=\"20.418685121107\">\n<p>The shellcode embedded into format.cfg copies config.dll and cfg.config to the temporary directory %TEMP%, renames these files to a.dll and 1.txt, and executes the export function named \u201ca\u201d of the a.dll library via the following command:<\/p>\n<p><span class=\"blockquote\">rundll32.exe &#8220;%TEMP%\\a.dll&#8221;,a %TEMP%\\1.txt<\/span><\/p>\n<p>Config.dll (renamed to a.dll) resolves necessary APIs, loads the content of cfg.config (which is renamed to 1.txt), decrypts it with a XOR key, and executes the shellcode. The decrypted cfg.config is the first stage of the Cinobi baking trojan (as explained in our <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/c\/this-week-in-security-news-operation-overtrap-targets-japanese-online-banking-users-and-everything-you-need-to-know-about-tax-scams.html\">initial blogpost<\/a> from 2020).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig9-cinobi-crypto.png\" alt=\"Routine in config.dll that decrypts the cfg.config shellcode\"><figcaption>Figure 9. Routine in config.dll that decrypts the cfg.config shellcode<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig10-cinobi-crypto.png\" alt=\"Call instruction in Config.dll that executes the decrypted cfg.config shellcode\"><figcaption>Figure 10. Call instruction in Config.dll that executes the decrypted cfg.config shellcode<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"45.5\">\n<div readability=\"36\">\n<p>The Cinobi banking trojan is split into four stages, with each stage downloading additional components and possibly performing environment or anti-virtual machine (VM) checks. There are two command-and-control (C&amp;C) servers, with one of them returning stages 2 to 4, while the other one returns the configuration files.<\/p>\n<p>The malicious actor became more active in summer 2021 \u2014 we noticed a few more versions with slight differences from the ones described earlier. In addition to the application archive with four added malicious files (as shown in Figure 5), we also notice a refactored version of the archive with just three files (xjs.dll, format.cfg, and a file named \u201cros\u201d), only three stages, and a single C&amp;C server serving the configuration files.<\/p>\n<p>In the refactored version, Xjs.dll decrypts and loads format.cfg, which is the first stage of the Cinobi banker. This stage, unlike our description from last year\u2019s blog entry, does not download Tor and other additional stages from the first C&amp;C server. Instead, it reads and extracts files from the file called \u201cros\u201d, which is an encrypted package containing stages 2 and 3, a configuration file containing the C&amp;C server, and an archive with Tor.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig11-cinobi-crypto.png\" alt=\"The refactored Cinobi banker\"><figcaption>Figure 11: The refactored Cinobi banker<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39\">\n<div readability=\"23\">\n<p>The most important of these is the configuration file containing websites targeted by the form-grabbing functionality. At the time of writing, we noticed that the banking trojan targets users of 11 Japanese financial institutions, with at least three of these involved in cryptocurrency trading.<\/p>\n<p>When a victim using an infected machine accesses one of the websites mentioned in the configuration file and sends the filled-out form back to the server, the form-grabbing feature of the banker gets activated. In the following screenshots, we show examples of login forms with filled data.<\/p>\n<p>After clicking the submit button, a text file with an encrypted request briefly appears in the folder with the installed banking trojan. After the decryption of the temporary created text file, the highlighted stolen credentials can be seen.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig12-cinobi-crypto.png\" alt=\"fig12 part 1\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig12-2-cinobi-crypto.png\" alt=\"The targeted websites of companies dealing with cryptocurrencies\"><figcaption>Figure 12. The targeted websites of companies dealing with cryptocurrencies<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig13-cinobi-crypto.png\" alt=\"fig13-part1\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/fig13-2-cinobi-crypto.png\" alt=\"The decrypted requests; login credentials are highlighted in blue\"><figcaption>Figure 13. The decrypted requests; login credentials are highlighted in blue<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.207423580786\">\n<div readability=\"18.777292576419\">\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>The new malvertising campaign shows that Water Kappa is still active and continuously evolving their tools and techniques for greater financial gain \u2014 this one also aims to steal cryptocurrency. In order to minimize the chances of being infected, users need to be wary of suspicious advertisements on shady websites, and as much as possible, download applications only from trusted sources.<\/p>\n<p>Trend Micro solutions that offer&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection.html\">a multilayered defense system<\/a>&nbsp;can help organizations protect their employees from these kinds of campaigns by detecting, scanning, and blocking malicious URLs.<\/p>\n<p><span class=\"body-subhead-title\">Indicators of Compromise<\/span><\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-with-new-malvertising-campaign\/Appendix-Cinobi-Banking-Trojan-Targets-Crypto-Exchange.pdf\">This appendix<\/a> contains the complete indicators for this attack.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/h\/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We found a new social engineering-based malvertising campaign targeting Japan that delivered a malicious application. The malicious application abused sideloading vulnerabilities to load and start the Cinobi banking trojan. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":42233,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9508,9513,9509],"class_list":["post-42232","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising Threat Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising Threat Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-09T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1146\" \/>\n\t<meta property=\"og:image:height\" content=\"835\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising Threat Researcher Threat Researcher\",\"datePublished\":\"2021-08-09T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\\\/\"},\"wordCount\":1252,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\\\/\",\"name\":\"Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising Threat Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher.png\",\"datePublished\":\"2021-08-09T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher.png\",\"width\":1146,\"height\":835},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising Threat Researcher Threat Researcher\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising Threat Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/","og_locale":"en_US","og_type":"article","og_title":"Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising Threat Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-08-09T00:00:00+00:00","og_image":[{"width":1146,"height":835,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising Threat Researcher Threat Researcher","datePublished":"2021-08-09T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/"},"wordCount":1252,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/","url":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/","name":"Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising Threat Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher.png","datePublished":"2021-08-09T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher.png","width":1146,"height":835},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/cinobi-banking-trojan-targets-cryptocurrency-exchange-users-via-malvertising-threat-researcher-threat-researcher\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising Threat Researcher Threat Researcher"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=42232"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42232\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/42233"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=42232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=42232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=42232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}