{
  "type": "MD5",
  "indicator": "3870a9bf2ea5cfb7575310df875eecdb",
  "general": {
    "sections": [
      "general",
      "analysis"
    ],
    "type": "md5",
    "type_title": "FileHash-MD5",
    "indicator": "3870a9bf2ea5cfb7575310df875eecdb",
    "validation": [],
    "base_indicator": {
      "id": 4225406361,
      "indicator": "3870a9bf2ea5cfb7575310df875eecdb",
      "type": "FileHash-MD5",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 15,
      "pulses": [
        {
          "id": "69a02837827feb0b78fa3ad2",
          "name": "The Belasco Chain",
          "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.",
          "modified": "2026-05-31T01:02:14",
          "created": "2026-02-26T11:02:15.932000",
          "tags": [
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file type",
            "sha1",
            "sha256",
            "crc32",
            "filenames c"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2813,
            "FileHash-SHA1": 2576,
            "FileHash-SHA256": 8145,
            "domain": 1903,
            "hostname": 1502,
            "URL": 1359,
            "email": 46,
            "CVE": 54,
            "CIDR": 3,
            "YARA": 7,
            "JA3": 1,
            "IPv4": 11
          },
          "indicator_count": 18420,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 74,
          "modified_text": "10 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "699bf39a4b96d1d4236cf91f",
          "name": "Suspicious PDF Analysis+Behavioral Summary",
          "description": "Analysis of network and process logs indicates an attempt to undermine the system\u2019s Root of Trust by manipulating certificate validation files. The attacker is likely using Man-in-the-Middle techniques to force the system to accept revoked or fraudulent certificates. Additionally, suspicious activity within Adobe processes suggests that software update mechanisms are being hijacked to execute malicious code. Immediate isolation is required to prevent the installation of unauthorized software or the interception of encrypted data.",
          "modified": "2026-05-15T17:51:27.499000",
          "created": "2026-02-23T06:28:42.282000",
          "tags": [
            ""
          ],
          "references": [
            "",
            "TLP: AMBER"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            ""
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": true,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 1892,
            "FileHash-SHA256": 9944,
            "FileHash-MD5": 1802,
            "URL": 225,
            "hostname": 445,
            "domain": 284,
            "CVE": 91,
            "SSLCertFingerprint": 2,
            "email": 14,
            "CIDR": 5
          },
          "indicator_count": 14704,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 70,
          "modified_text": "15 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "699969651d3b082f6b583fae",
          "name": "PDFKIT.net",
          "description": "Data Points. Search TallComponents CVEs for more info on this.",
          "modified": "2026-05-15T17:51:25.327000",
          "created": "2026-02-21T08:14:29.258000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 370,
            "hostname": 444,
            "FileHash-SHA1": 1292,
            "FileHash-SHA256": 4069,
            "URL": 192,
            "FileHash-MD5": 1255,
            "email": 16,
            "CVE": 58
          },
          "indicator_count": 7696,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "15 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69af893470b7e6640dfe4f8e",
          "name": "TROJAN EXE hash",
          "description": "MALWARE",
          "modified": "2026-04-09T03:25:31.155000",
          "created": "2026-03-10T03:00:04.861000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 921,
            "FileHash-SHA1": 863,
            "FileHash-SHA256": 1973,
            "hostname": 675,
            "domain": 44,
            "URL": 214,
            "email": 2
          },
          "indicator_count": 4692,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "52 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69aa842cef967c844adef1de",
          "name": "CAPE Sandbox part 2 - see part 1",
          "description": "heartbreaking",
          "modified": "2026-04-05T11:04:28.804000",
          "created": "2026-03-06T07:37:16.417000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3905,
            "FileHash-SHA1": 3515,
            "FileHash-SHA256": 8002,
            "URL": 982,
            "hostname": 2532,
            "domain": 164,
            "email": 1
          },
          "indicator_count": 19101,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "56 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69aa53582de113e05d102700",
          "name": "CORRUPT.",
          "description": "the only wizard I like is Harry",
          "modified": "2026-04-05T07:38:31.088000",
          "created": "2026-03-06T04:08:56.281000",
          "tags": [
            "inno setup",
            "linker",
            "pe32",
            "intel",
            "ms windows",
            "win32 exe",
            "pecompact",
            "pe32 installer",
            "module",
            "professional",
            "delphi"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1181,
            "FileHash-SHA1": 1182,
            "FileHash-SHA256": 3383,
            "URL": 218,
            "domain": 59,
            "hostname": 646,
            "email": 1
          },
          "indicator_count": 6670,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "56 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a8fff72a02303057d559c9",
          "name": "http://paragonparkbook.wordpress.com/",
          "description": "another Ma expired cert and unsigned dnssec. Creation Date\t2000-03-03T04:13:23\nDnssec\tunsigned\nDomain Name\tWORDPRESS.COM\nDomain Name\twordpress.com\nEmails\tdomains@automattic.com.80 Title\t301 Moved Permanently\n80 Body\thtml head title 301 Moved Permanently /title /head body center h1 301 Moved Permanently /h1 /center hr center nginx /center /body /html\n80 Header\tHTTP/1.1 301 Moved Permanently Server: nginx Date: Thu 05 Mar 2026 03:55:19 GMT Content Type: text/html Content Length: 162 Connection: keep alive Location: https://paragonparkbook.wordpress.com/ Alt Svc: h3= :443 ma=86400 Server Timing: a8c cdn dc desc=sea cache desc=BYPASS dur=0.0\n443 Title\tThe History of Paragon Park When Summer Meant Everything: The Enduring Legacy of Paragon Park\n443 A Domains\tparagonparkbook.wordpress.com",
          "modified": "2026-04-04T05:18:12.440000",
          "created": "2026-03-05T04:00:55.226000",
          "tags": [
            "certificate",
            "value",
            "a domains",
            "found a",
            "server",
            "gmt content",
            "length",
            "header http2",
            "arizona",
            "scottsdale"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 138,
            "domain": 377,
            "URL": 117,
            "hostname": 95,
            "FileHash-MD5": 144,
            "email": 3,
            "FileHash-SHA256": 1162
          },
          "indicator_count": 2036,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "57 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a8bf1c40de166b01605b97",
          "name": "pdfkit.net",
          "description": "Facebook.com has been closed down because of a security breach, but its users have been able to access a link to a website set up to monitor what is going on in the UK and Ireland. <--- this text was already here when running pdfkit.net stats. Interesting.",
          "modified": "2026-04-03T23:13:53.390000",
          "created": "2026-03-04T23:24:12.962000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 200,
            "FileHash-SHA1": 200,
            "FileHash-SHA256": 800,
            "domain": 8,
            "hostname": 7,
            "URL": 9
          },
          "indicator_count": 1224,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "57 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "699e98024aa93957a620e117",
          "name": "Cellbrite Domain Irregularities",
          "description": "The domain displays a \"hardened\" posture typical of high-value targets, though some indicators suggest potential misconfigurations or recent shifts in ownership/management. The domain utilizes multiple clientProhibited flags (Transfer, Update, Delete). This is a \"Registry Lock\" equivalent, ensuring no changes can be made without out-of-band authentication.\n\nExpiration Discrepancy: * Domain Expiration: Feb 24, 2026 (yesterday).\n\nSSL Certificate Validity: April 2026.\nResearcher observations: It is highly irregular for a certificate to outlast the domain registration. This often points to a \"just-in-time\" renewal process or a domain that was recently recovered. Furthermore, the reliance on ParkLogic nameservers indicates a sophisticated approach to traffic routing, likely for load balancing or threat mitigation. Delegation signed: No - Expiration Yesterday (entered 1:32 EST 2/25/26)",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-25T06:34:42.619000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 431,
            "hostname": 1625,
            "FileHash-SHA1": 661,
            "FileHash-SHA256": 4617,
            "URL": 359,
            "FileHash-MD5": 635,
            "CVE": 43,
            "email": 22,
            "CIDR": 6
          },
          "indicator_count": 8399,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "699fbc709300e0ad353443f8",
          "name": "SLIMWARE Simple Installer WIN 32 EXE",
          "description": "The full text of the full transcript of this year's EU Referendum, which will take place on 26 March 2017, has been published on Facebook and Twitter, with the hashtag \"proceeding\".",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-26T03:22:24.798000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 78,
            "FileHash-SHA1": 76,
            "FileHash-SHA256": 1466,
            "domain": 268,
            "hostname": 199,
            "URL": 193,
            "CVE": 23,
            "CIDR": 1,
            "email": 3
          },
          "indicator_count": 2307,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a185462e3c17c346bcdf79",
          "name": "The Trans-Pacific Mesh & Starfield Pipeline Subversion",
          "description": "The September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirm an advanced architectural alignment targeting the Hillsboro \"Silicon Forest\" ring and the TallComponents (.NET) document pipeline. By nesting an unauthorized clientAuth extension within a legitimate Starfield (Mesh Digital) signature, the operative successfully bridged the gap between web traffic and hardware-level telematics.\nThis campaign weaponized the 159,942 Majestic Trust Flow to validate a Serial 1 SOA shadow zone, neutralizing filters while executing ASP.NET Core (Kestrel) request smuggling via the 13.32.205.51 node. This subversion is evidenced by the 60-second TTL oscillation of 3.169.202.x clusters, creating a detectable \"fast-flux\" latency at the HIO52 (Hillsboro) edge. Finally, the Mesh Digital registrant pivot to hex-encoded 34326... and 1f8f41... identifiers secures the Tallfield Pipeline\u2014a hijacked Azure-hosted backend for identity packaging of Amex and UGA credentials.",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-27T11:51:34.696000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 710,
            "URL": 355,
            "hostname": 252,
            "CVE": 4,
            "CIDR": 6,
            "FileHash-MD5": 615,
            "FileHash-SHA1": 585,
            "email": 21,
            "FileHash-SHA256": 4316,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 6866,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a22cb9bd33f0864dcff75d",
          "name": "Crypto Indicators Active",
          "description": "unresolved crypto concerning domains/certs",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-27T23:46:01.622000",
          "tags": [
            "code",
            "email",
            "home depot",
            "llc registrar",
            "iana id",
            "csc corporate",
            "domains",
            "server",
            "registrar abuse",
            "admin country",
            "date"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 9,
            "hostname": 346,
            "domain": 83,
            "URL": 54,
            "FileHash-MD5": 460,
            "FileHash-SHA1": 463,
            "FileHash-SHA256": 1551,
            "CIDR": 8
          },
          "indicator_count": 2974,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a2564d6b11ea5075bae4f5",
          "name": "Master Converter EXE",
          "description": "",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-28T02:43:25.079000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 99,
            "FileHash-SHA1": 54,
            "FileHash-SHA256": 370,
            "domain": 22,
            "hostname": 8,
            "URL": 10,
            "CVE": 1
          },
          "indicator_count": 564,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a41550b8b37c992c61ac2f",
          "name": "Document Exploit-Suspect US Origin",
          "description": "Cards: YOTAVeoAvJfShHHrPeUkwRe9:YvXKXyPx5pBMGUUUkee9 - here is the full text",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-03-01T10:30:40.561000",
          "tags": [
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file type",
            "sha1",
            "sha256",
            "crc32",
            "filenames c"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 88,
            "FileHash-SHA1": 87,
            "FileHash-SHA256": 382,
            "hostname": 15,
            "domain": 8,
            "URL": 5,
            "CVE": 1
          },
          "indicator_count": 586,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "698d30c03b57c38dff915023",
          "name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone",
          "description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).",
          "modified": "2026-03-29T06:02:00.914000",
          "created": "2026-02-12T01:45:36.128000",
          "tags": [
            "The dynamics of the mudoSOSIntersectalign with sophisticated adv"
          ],
          "references": [
            "as15169"
          ],
          "public": 1,
          "adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URI": 1,
            "domain": 2661,
            "URL": 6810,
            "hostname": 2147,
            "email": 56,
            "FileHash-SHA256": 2781,
            "CVE": 172,
            "FileHash-MD5": 365,
            "FileHash-SHA1": 344,
            "IPv4": 1,
            "CIDR": 20940
          },
          "indicator_count": 36278,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 73,
          "modified_text": "63 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "as15169",
        "TLP: AMBER"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act"
          ],
          "malware_families": [],
          "industries": [
            ""
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 15,
  "pulses": [
    {
      "id": "69a02837827feb0b78fa3ad2",
      "name": "The Belasco Chain",
      "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.",
      "modified": "2026-05-31T01:02:14",
      "created": "2026-02-26T11:02:15.932000",
      "tags": [
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file type",
        "sha1",
        "sha256",
        "crc32",
        "filenames c"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2813,
        "FileHash-SHA1": 2576,
        "FileHash-SHA256": 8145,
        "domain": 1903,
        "hostname": 1502,
        "URL": 1359,
        "email": 46,
        "CVE": 54,
        "CIDR": 3,
        "YARA": 7,
        "JA3": 1,
        "IPv4": 11
      },
      "indicator_count": 18420,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 74,
      "modified_text": "10 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "699bf39a4b96d1d4236cf91f",
      "name": "Suspicious PDF Analysis+Behavioral Summary",
      "description": "Analysis of network and process logs indicates an attempt to undermine the system\u2019s Root of Trust by manipulating certificate validation files. The attacker is likely using Man-in-the-Middle techniques to force the system to accept revoked or fraudulent certificates. Additionally, suspicious activity within Adobe processes suggests that software update mechanisms are being hijacked to execute malicious code. Immediate isolation is required to prevent the installation of unauthorized software or the interception of encrypted data.",
      "modified": "2026-05-15T17:51:27.499000",
      "created": "2026-02-23T06:28:42.282000",
      "tags": [
        ""
      ],
      "references": [
        "",
        "TLP: AMBER"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        ""
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": true,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 1892,
        "FileHash-SHA256": 9944,
        "FileHash-MD5": 1802,
        "URL": 225,
        "hostname": 445,
        "domain": 284,
        "CVE": 91,
        "SSLCertFingerprint": 2,
        "email": 14,
        "CIDR": 5
      },
      "indicator_count": 14704,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 70,
      "modified_text": "15 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "699969651d3b082f6b583fae",
      "name": "PDFKIT.net",
      "description": "Data Points. Search tall components CVE's for more info on this.",
      "modified": "2026-05-15T17:51:25.327000",
      "created": "2026-02-21T08:14:29.258000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 370,
        "hostname": 444,
        "FileHash-SHA1": 1292,
        "FileHash-SHA256": 4069,
        "URL": 192,
        "FileHash-MD5": 1255,
        "email": 16,
        "CVE": 58
      },
      "indicator_count": 7696,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "15 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69af893470b7e6640dfe4f8e",
      "name": "TROJAN EXE hash",
      "description": "MALWARE",
      "modified": "2026-04-09T03:25:31.155000",
      "created": "2026-03-10T03:00:04.861000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 921,
        "FileHash-SHA1": 863,
        "FileHash-SHA256": 1973,
        "hostname": 675,
        "domain": 44,
        "URL": 214,
        "email": 2
      },
      "indicator_count": 4692,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "52 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69aa842cef967c844adef1de",
      "name": "CAPE Sandbox part 2 - see part 1",
      "description": "heartbreaking",
      "modified": "2026-04-05T11:04:28.804000",
      "created": "2026-03-06T07:37:16.417000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3905,
        "FileHash-SHA1": 3515,
        "FileHash-SHA256": 8002,
        "URL": 982,
        "hostname": 2532,
        "domain": 164,
        "email": 1
      },
      "indicator_count": 19101,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "56 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69aa53582de113e05d102700",
      "name": "CORRUPT.",
      "description": "the only wizard I like is Harry",
      "modified": "2026-04-05T07:38:31.088000",
      "created": "2026-03-06T04:08:56.281000",
      "tags": [
        "inno setup",
        "linker",
        "pe32",
        "intel",
        "ms windows",
        "win32 exe",
        "pecompact",
        "pe32 installer",
        "module",
        "professional",
        "delphi"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1181,
        "FileHash-SHA1": 1182,
        "FileHash-SHA256": 3383,
        "URL": 218,
        "domain": 59,
        "hostname": 646,
        "email": 1
      },
      "indicator_count": 6670,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "56 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a8fff72a02303057d559c9",
      "name": "http://paragonparkbook.wordpress.com/",
      "description": "another Ma expired cert and unsigned dnssec. Creation Date\t2000-03-03T04:13:23\nDnssec\tunsigned\nDomain Name\tWORDPRESS.COM\nDomain Name\twordpress.com\nEmails\tdomains@automattic.com.80 Title\t301 Moved Permanently\n80 Body\thtml head title 301 Moved Permanently /title /head body center h1 301 Moved Permanently /h1 /center hr center nginx /center /body /html\n80 Header\tHTTP/1.1 301 Moved Permanently Server: nginx Date: Thu 05 Mar 2026 03:55:19 GMT Content Type: text/html Content Length: 162 Connection: keep alive Location: https://paragonparkbook.wordpress.com/ Alt Svc: h3= :443 ma=86400 Server Timing: a8c cdn dc desc=sea cache desc=BYPASS dur=0.0\n443 Title\tThe History of Paragon Park When Summer Meant Everything: The Enduring Legacy of Paragon Park\n443 A Domains\tparagonparkbook.wordpress.com",
      "modified": "2026-04-04T05:18:12.440000",
      "created": "2026-03-05T04:00:55.226000",
      "tags": [
        "certificate",
        "value",
        "a domains",
        "found a",
        "server",
        "gmt content",
        "length",
        "header http2",
        "arizona",
        "scottsdale"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 138,
        "domain": 377,
        "URL": 117,
        "hostname": 95,
        "FileHash-MD5": 144,
        "email": 3,
        "FileHash-SHA256": 1162
      },
      "indicator_count": 2036,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "57 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a8bf1c40de166b01605b97",
      "name": "pdfkit.net",
      "description": "Facebook.com has been closed down because of a security breach, but its users have been able to access a link to a website set up to monitor what is going on in the UK and Ireland. <--- this text was already here when running pdfkit.net stats. Interesting.",
      "modified": "2026-04-03T23:13:53.390000",
      "created": "2026-03-04T23:24:12.962000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 200,
        "FileHash-SHA1": 200,
        "FileHash-SHA256": 800,
        "domain": 8,
        "hostname": 7,
        "URL": 9
      },
      "indicator_count": 1224,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "57 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "699e98024aa93957a620e117",
      "name": "Cellbrite Domain Irregularities",
      "description": "The domain displays a \"hardened\" posture typical of high-value targets, though some indicators suggest potential misconfigurations or recent shifts in ownership/management. The domain utilizes multiple clientProhibited flags (Transfer, Update, Delete). This is a \"Registry Lock\" equivalent, ensuring no changes can be made without out-of-band authentication.\n\nExpiration Discrepancy: * Domain Expiration: Feb 24, 2026. (yesterday)\n\nSSL Certificate Validity: April 2026.\nresearcher observations: It is highly irregular for a certificate to outlast the domain registration. This often points to a \"just-in-time\" renewal process or a domain that was recently recovered. Furthermore, the reliance on ParkLogic nameservers indicates a sophisticated approach to traffic routing, likely for load balancing or threat mitigation. Delegation signed: No - Expiration Yesterday (entered 1:32est 2/25/26)",
      "modified": "2026-04-01T00:44:45.494000",
      "created": "2026-02-25T06:34:42.619000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 431,
        "hostname": 1625,
        "FileHash-SHA1": 661,
        "FileHash-SHA256": 4617,
        "URL": 359,
        "FileHash-MD5": 635,
        "CVE": 43,
        "email": 22,
        "CIDR": 6
      },
      "indicator_count": 8399,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "60 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "699fbc709300e0ad353443f8",
      "name": "SLIMWARE Simple Installer WIN 32 EXE",
      "description": "The full text of the full transcript of this year's EU Referendum, which will take place on 26 March 2017, has been published on Facebook and Twitter, with the hashtag \"proceeding\".",
      "modified": "2026-04-01T00:44:45.494000",
      "created": "2026-02-26T03:22:24.798000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 78,
        "FileHash-SHA1": 76,
        "FileHash-SHA256": 1466,
        "domain": 268,
        "hostname": 199,
        "URL": 193,
        "CVE": 23,
        "CIDR": 1,
        "email": 3
      },
      "indicator_count": 2307,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "60 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "3870a9bf2ea5cfb7575310df875eecdb",
    "type": "Hash"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "3870a9bf2ea5cfb7575310df875eecdb",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780226321.6460066
}