TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock "Hollow Library" assets into the environment pre-enforcement, ensuring total detection evasion.
The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB "hollowed" assets masquerade as signed updates for total penetration. In Infra/Bank/Gov sectors, TTB executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos
Indicators of Compromise (85)
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| CVE | CVE-2017-5715 | Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. | 2026-04-03 | |
| URL | http://tempuri.org/Entity/Id9LR | — | 2026-04-03 | |
| CVE | CVE-2024-12345 | A vulnerability classified as problematic was found in INW Krbyyyzo 25.2002. Affected by this vulnerability is an unknown functionality of the file /gbo.aspx of the component Daily Huddle Site. The manipulation of the argument s leads to resource consumption. It is possible to launch the attack on the local host. Other endpoints might be affected as well. | 2026-04-04 | |
| CVE | CVE-2006-5051 | Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. | 2026-04-09 | |
| URL | http://n73rbw4eku3d5pgwqtb5fbat6ilkmqknajn2i5qdzuf4ze3soggphyyd.onion | — | 2026-04-09 | |
| domain | n73rbw4eku3d5pgwqtb5fbat6ilkmqknajn2i5qdzuf4ze3soggphyyd.onion | — | 2026-04-09 | |
| CVE | CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.) | 2026-04-09 | |
| CVE | CVE-2017-11317 | Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. | 2026-04-09 | |
| CVE | CVE-2010-2883 | Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information. | 2026-04-09 | |
| CVE | CVE-2013-6282 | The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013. | 2026-04-09 | |
| CVE | CVE-2018-8174 | A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | 2026-04-09 | |
| CVE | CVE-2014-3153 | The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification. | 2026-04-09 | |
| CVE | CVE-2017-17215 | Huawei HG532 with some customized versions has a remote code execution vulnerability. An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code. | 2026-04-12 | |
| hostname | www.mediafire.com | — | 2026-04-26 | |
| hostname | nooay.nagahi.com | — | 2026-05-01 | |
| hostname | www.kilkeacastle.cohasset.ie | — | 2026-05-05 | |
| CVE | CVE-2026-41940 | cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. | 2026-05-05 | |
| CVE | CVE-2020-0601 | A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. | 2026-05-13 | |
| domain | pdx.com | — | 2026-05-15 | |
| domain | ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh.com | — | 2026-05-15 | |
| hostname | 1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev | — | 2026-05-17 | |