{ "type": "Domain", "indicator": "247superhost.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/247superhost.com", "alexa": "http://www.alexa.com/siteinfo/247superhost.com", "indicator": "247superhost.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3976158821, "indicator": "247superhost.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69f2dc7e076cbfe2d0f7eb90", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-30T04:37:18.870000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f2dc7db0bb5c5cdaec5a6c", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-04-30T04:53:09.713000", "created": "2026-04-30T04:37:17.546000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-24T13:20:48.450000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 108, "CIDR": 6 }, "indicator_count": 33118, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "37 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e99ca508b46127bd4d552a", "name": "94.152.58.192", "description": "Researchers have developed a new way of storing data on a computer that can be stored in a secure secure system, as well as a network of secure networks, for use in Syria, Iraq and Iran.", "modified": "2024-12-17T14:35:39.173000", "created": "2024-09-17T15:13:41.714000", "tags": [ "rticon serbian", "arabic libya", "vhash", "authentihash", "ssdeep", "ico rtgroupicon", "serbian arabic", "libya", "userprofile", "peexe c", "peexe", "user", "text c", "number", "ja3s", "win32 exe", "plik", "data rozwizania", "domena", "typ nazwa", "y0yxxhpr", "win32", "zawarte", "whasz", "oszczdno", "typ pliku", "biblioteka dll", "magia plik", "pe32 dla", "ms windows", "intel", "historical ssl", "whois" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2136, "domain": 6110, "URL": 6946, "hostname": 6003, "IPv4": 85, "FileHash-MD5": 406, "FileHash-SHA1": 402, "CVE": 2 }, "indicator_count": 22090, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66fc29a49b5ac693c8d75122", "name": "Medical Campus - Aurora, Co | Recheck", "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB", "modified": "2024-10-31T16:03:52.240000", "created": "2024-10-01T16:56:04.004000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3850, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3329, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31779, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "577 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "https://goo.gl/9p2vKq", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "T1110.001 (Brute Force: Password Guessing)", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "api.acumatica.flex.redteam.com", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "Obfuscation: XOR-based String Encryption (0x20)", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "dev-app.project-cicada.com \u2022 project-cicada.com", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "IDS Detections Gh0stCringe CnC Activity M2", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)" ], "malware_families": [ "Mirai", "Malware family: stealthworker / gobrut", "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf", "Cymt", "Trojandropper:win32/vb.il", "Win32:malob-bx", "Win.trojan.agent", "Virtool:win32/obfuscator.k", "Trojandownloader:win32/cutwail.bs", "Artro", "Doc.downloader.emotetred02220-9938909-0", "Ransom:win32/crowti.a", "Alf:heraklezeval:trojan:win32/clipbanker", "Et", "Trojandownloader:win32/upatre.aa", "Win.trojan.gh0strat-9955419-1" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69f2dc7e076cbfe2d0f7eb90", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-30T04:37:18.870000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f2dc7db0bb5c5cdaec5a6c", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-04-30T04:53:09.713000", "created": "2026-04-30T04:37:17.546000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-24T13:20:48.450000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 108, "CIDR": 6 }, "indicator_count": 33118, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "37 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e99ca508b46127bd4d552a", "name": "94.152.58.192", "description": "Researchers have developed a new way of storing data on a computer that can be stored in a secure secure system, as well as a network of secure networks, for use in Syria, Iraq and Iran.", "modified": "2024-12-17T14:35:39.173000", "created": "2024-09-17T15:13:41.714000", "tags": [ "rticon serbian", "arabic libya", "vhash", "authentihash", "ssdeep", "ico rtgroupicon", "serbian arabic", "libya", "userprofile", "peexe c", "peexe", "user", "text c", "number", "ja3s", "win32 exe", "plik", "data rozwizania", "domena", "typ nazwa", "y0yxxhpr", "win32", "zawarte", "whasz", "oszczdno", "typ pliku", "biblioteka dll", "magia plik", "pe32 dla", "ms windows", "intel", "historical ssl", "whois" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2136, "domain": 6110, "URL": 6946, "hostname": 6003, "IPv4": 85, "FileHash-MD5": 406, "FileHash-SHA1": 402, "CVE": 2 }, "indicator_count": 22090, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66fc29a49b5ac693c8d75122", "name": "Medical Campus - Aurora, Co | Recheck", "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB", "modified": "2024-10-31T16:03:52.240000", "created": "2024-10-01T16:56:04.004000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3850, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3329, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31779, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "577 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "247superhost.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "247superhost.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780254824.8696704 }