← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Clone Pulse Reference
WHITE msudosos 2026-03-01 Modified: 2026-04-01
6754
IOCs
HIGH VOLUME
ipv4active relatedtrojandroppermtb junlowfitrojanmtb janfastly errorpleaseunitedttl valueget natotaldeletesearchyara detectionssinkhole cookievalue snkzwritesuspiciousransommalwareRansom.Win32.Birele.gsg CheckinAnubisNetworks Sinkhole Cookie Value SnkzPossible Compromised Hostdynamicloaderdelete cdefaultmediumwrite csettingswpadintelms windowsusersnumbertitleinstallertop sourcetop destinationsource sourceportfilehashav detectionsids detectionsyara rulegravityratdetectvmx00 x00x00x00doviacmdrootjobgetfilesupdateserverethernetidids signaturesexploitssid namemalware cvedns querydnsbin demodata exfilexif dataDNS Query for Webhook/HTTP Request Inspection Service (x .pipedrDNSBin Demo (requestbin .net) - Data Exfitrationsource portdestinationpresent sepscript urlsscript scripta domainsscript domainsip addressmetapresent novpassive dnsnext associateddomain addpe executableentriesshowmsiewindows ntwow64copypresent janpresent febdomainpulse pulsesurlsfilestam legalchristopher ahmannhttps://unicef.se/assets/appletreece alfreyhours agoinformationreport spamahmann coloradostatespecial couselcreatedexpirocapture
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Trojan:Win32/Neconyd.A PWS:Win32/QQpass.FC Trojan:Win32/Zombie.A Win.Malware.Urelas-9863836-0 ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn Win.Trojan.Vundo-7170412-0 #Lowfi:SuspiciousSectionName Multiple Malware’s , Trojans and Rats
Indicators of Compromise (1 / 6754 total)
All FileHash-SHA256 domain hostname URL CIDR FileHash-MD5 FileHash-SHA1 email CVE
TYPEINDICATORDESCRIPTIONCREATED
CVE CVE-2026-20127 A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.  2026-03-01
References (9)
↗ Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN ↗ Fastly Error and Palantir blocked several times over the last few months. ↗ Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,) ↗ IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc. ↗ Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN ↗ Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\ewiuer2.exe SCRIPT ↗ Win.Trojan.Vundo-7170412-0 #Lowfi:SuspiciousSectionName ↗ Link below used to defraud Tsara to think she’d violated Patriot Act warranting NSA , Palinter espionage ↗ https://unicef.se/assets/apple