{ "type": "Domain", "indicator": "a.ph", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/a.ph", "alexa": "http://www.alexa.com/siteinfo/a.ph", "indicator": "a.ph", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2813932419, "indicator": "a.ph", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "69d3532c76eb3bf5edd9609b", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:08.181000", "created": "2026-04-06T06:31:08.181000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d3532a6537880f6e2c68dc", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:06.730000", "created": "2026-04-06T06:31:06.730000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693cdc5b8ebc10664439c2fb", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado", "description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.", "modified": "2026-02-10T06:05:39.764000", "created": "2025-12-13T03:24:11.414000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6963596c4cd594b77b4675ec", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ", "description": "", "modified": "2026-02-10T06:05:39.764000", "created": "2026-01-11T08:03:56.534000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": "693cdc5b8ebc10664439c2fb", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bbb9815816db0de034f3a3", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:17.285000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bbb98c440c1c45ec12ccdc", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:28.063000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bbb98d9818cca8f130c195", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:29.619000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bbb998c3b7662e5059b6c2", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:40.759000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c8f50527fb73205bfca", "name": "Dreamhost.com - Drift Widget", "description": "", "modified": "2023-12-06T15:00:31.809000", "created": "2023-12-06T15:00:31.809000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 174, "domain": 464, "URL": 1119, "hostname": 156, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 1916, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708b72abe90961af1737c9", "name": "reCAPTCHA", "description": "", "modified": "2023-12-06T14:55:46.172000", "created": "2023-12-06T14:55:46.172000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 362, "domain": 330, "URL": 1790, "hostname": 586, "email": 1 }, "indicator_count": 3069, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657080d20f7e10c1e37fcf89", "name": "TarrantCounty.com ~ 03.01.2022", "description": "", "modified": "2023-12-06T14:10:26.301000", "created": "2023-12-06T14:10:26.301000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1078, "domain": 838, "hostname": 1607, "URL": 4134, "email": 3, "FileHash-SHA1": 2, "CIDR": 4, "FileHash-MD5": 15 }, "indicator_count": 7681, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62676c65b80720b582b46037", "name": "Dreamhost.com - Drift Widget", "description": "function.1, a new version of JavaScript, has been added to the end of the year to make it easier for users to keep up with the latest developments in the search for a specific date.", "modified": "2022-05-25T00:04:03.622000", "created": "2022-04-26T03:52:05.599000", "tags": [ "template7class", "regexp", "root", "context", "match", "body", "template7", "error", "prop", "function", "date", "null", "slice", "void", "factory", "window", "find", "simple", "false", "hj", "object", "hotjar", "email", "typeof symbol", "typeof e", "telefon", "array", "survey", "meta", "cookie", "scroll", "keypress", "trident", "live", "fullscreen", "generic", "widget", "ciudad", "adore", "experiment", "mutation", "click", "pluginname", "hidden", "nttt", "fieldset", "class", "form", "fast", "jquery", "format", "february", "april", "june", "august", "nova", "paris", "tokyo", "easy", "speed", "back", "target", "copy", "kill", "this", "infinity", "accept", "locale", "custom build", "https", "boolean", "new boolean", "typeof", "typeerror", "bootstrap", "typeof t", "javascript", "show", "drift widget", "segoe ui", "emoji", "type", "copyright", "browse", "roboto", "helvetica neue", "arial", "noto", "apple color", "twitter", "typeof require", "modulenotfound", "font awesome", "typeof define", "script", "new date", "number", "trackevent", "string", "watched", "search", "clicked", "path", "starter", "download", "derek", "code", "esnull", "gtmphvk7ln", "closure library", "xdfunction", "reduceright", "vd", "g1f7wlmm0k2", "r420", "uint8array", "typeof d", "ieproto", "typeof n", "widgetrootqa", "driftconductor" ], "references": [ "xfe-URL-Dreamhost.com-stix2-2.1-export.json", "https://js.driftt.com/include/1650944100000/2y43hyefanc8.js", "https://www.google-analytics.com/plugins/ua/linkid.js", "https://www.googletagmanager.com/gtag/js?id=G-1F7WLMM0K2&l=dataLayer&cx=c", "https://www.google-analytics.com/gtm/optimize.js?id=GTM-PHVK7LN", "https://www.googletagmanager.com/gtm.js?id=GTM-TLN654", "https://kit.fontawesome.com/7d998cc9b7.js", "https://widget.trustpilot.com/bootstrap/v5/tp.widget.bootstrap.min.js", "https://www.dreamhost.com/assets/bootstrap-aa47564acfdf18ce859b8e1fd130d889920ae66415b3db4de8505d42a0477b09.css", "https://js.driftt.com/core?embedId=2y43hyefanc8®ion=US&forceShow=false&skipCampaigns=false&sessionId=5a8c1b8d-2626-4a43-a7a6-76e9416f2f52&sessionStarted=1650943819.009&campaignRefreshToken=a2d9846a-8932-4e3c-a8d5-878681a555e0&hideController=false&pageLoadStartTime=1650943817154&mode=CHAT&driftEnableLog=false", "https://js.driftt.com/core/chat?region=US&driftEnableLog=false&pageLoadStartTime=1650943817154", "https://vars.hotjar.com/box-4924254a9ce4dc9b959b6e4a9b662d60.html", "https://www.dreamhost.com/assets/scripts/bootstrap-7670fc8587f9fd0608d2af67f392281a9a4fbf4cb4252952ecb8d34f6ee286b3.js", "https://www.dreamhost.com/assets/scripts/webp-support-1dd791309dc3fa5b166a0a326e49345fe5acb5acbc1831f4c7be87efce1abf51.js", "https://www.dreamhost.com/assets/site-75a1aba399db4de4e4093997b8fc8ff8ec5e65b5f4258c9a658a5cacacbf6e0d.js", "https://script.hotjar.com/modules.0076bf93c385ddf0ff58.js", "https://cdn.abrankings.com/js/client.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "hj", "display_name": "hj", "target": null }, { "id": "Vd", "display_name": "Vd", "target": null }, { "id": "ReduceRight", "display_name": "ReduceRight", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 174, "URL": 1119, "domain": 464, "hostname": 156, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 1916, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1468 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6252df03791ceb2df29742fe", "name": "reCAPTCHA", "description": "var a,r, i,o, r, c+(((s>>>16)*c&65535)<<16, as well as the Object, to be used as a decoder.", "modified": "2022-05-10T00:02:48.350000", "created": "2022-04-10T13:43:30.961000", "tags": [ "arial", "roboto", "helvetica neue", "typesubmit", "webkitkeyframes", "typeerror", "typeof t", "string", "object", "typeof e", "symbol", "typeof symbol", "typeof window", "typeof self", "typeof r", "date", "body", "html", "typeof n", "error", "version", "shown", "click", "dataspy", "trident", "window", "lpmlightbox", "messaging1", "chat0", "href", "tabindex", "copyright", "closure library", "info", "smsclientapi", "null", "typeof", "regexp", "debug", "chat", "scraper", "cookie", "stop", "iframe", "explorer", "small", "seppuku", "jsloader", "token", "viewed", "kbcontentclick", "blank", "post", "document", "typeof storage", "unknownerror", "element", "overquerylimit", "requestdenied", "zeroresults", "notfound", "node", "edge", "android", "unknown", "false", "june", "generator", "marker", "hybrid", "month", "azaz09", "hours", "function", "number", "fullyear", "controller", "christ", "sufeffxa0", "class", "attr", "pseudo", "child", "js foundation", "typeof module", "directclick", "x22loansx22", "x221x22", "9o7nxzt", "x22applyx22", "x3dw", "x3dnew", "x22pageloadx22", "x22scriptx22", "x22uetqx22", "viewcontent", "addtocart", "purchase", "array", "customevent", "09af", "ver0", "tag0", "extdata0", "ua ch", "invalid", "license", "calltrkswap", "typeof s", "xmlhttprequest", "65535", "awindow", "cwm fjordbank", "activexobject", "tfunction", "sfunction", "yfunction", "googlendt" ], "references": [ "xfe-URL-ihagoogle.com-stix2-2.1-export.json", "http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js", "http://sedoparking.com/frmpark/ihagoogle.com/sedopark/park.js", "http://instantfwding.com/px.js?ch=1", "http://pxlgnpgecom-a.akamaihd.net/javascripts/browserfp.min.js?templateId=11&customerId=7CUHNT0E1", "https://pxlgnpgecom-a.akamaihd.net/javascripts/bfp_ssn.js?templateId=11", "https://s.thebrighttag.com/tag?site=9O7NXzt&H=-5nu6gjg&referrer=https%3A%2F%2Fwww.zealcu.org%2Fhome-loans%2F%3Fmsclkid%3D3ef1349815a11e52b0b256cacc0bc952%26utm_source%3Dbing%26utm_medium%3Dcpc%26utm_campaign%3DSearch%253A%2520Zeal%2520Credit%2520Union%2520-%2520Mortgages%26utm_term%3Dhouse%2520mortgage%26utm_content%3DMortgage%2520General&docReferrer=http%3A%2F%2Finstantfwding.com%2F&mode=v2&cf=7500150%2C7500152&btpdb.9O7NXzt.dGZjLjc1MDAxNTE=UkVRVUVTVFMuMA&btpdb.9O7NXzt.dGZjLjc1MTUyNDU=U0VTU0lPTg&btpdb.9O7N", "https://cdn.callrail.com/companies/448598242/66d5efd6cbf06378ea1f/12/swap.js", "https://bat.bing.com/bat.js", "https://tag.perfectaudience.com/serve/5f59021d1911b61034000d8d.js", "https://s.thebrighttag.com/tag?site=9O7NXzt&referrer=https%3A%2F%2Fwww.zealcu.org%2Fhome-loans%2F%3Fmsclkid%3D3ef1349815a11e52b0b256cacc0bc952%26utm_source%3Dbing%26utm_medium%3Dcpc%26utm_campaign%3DSearch%253A%2520Zeal%2520Credit%2520Union%2520-%2520Mortgages%26utm_term%3Dhouse%2520mortgage%26utm_content%3DMortgage%2520General&docReferrer=http%3A%2F%2Finstantfwding.com%2F&H=-5nu6gjg", "https://code.jquery.com/jquery-3.4.1.min.js?ver=3.4.1", "https://integration.silvercloudinc.com/js/bundle/vendor.js", "https://maps.googleapis.com/maps/api/js?key=AIzaSyAMbtdeFB5s623T4LwRldWj_Vdy2t4wLkw&libraries=places", "https://lptag.liveperson.net/tag/tag.js?site=22027291", "https://integration.silvercloudinc.com/js/bundle/8.engageware-bundle.js", "https://lptag.liveperson.net/lptag/api/account/22027291/configuration/applications/taglets/.jsonp?v=2.0&df=2&b=2", "https://pixel-geo.prfct.co/tagjs?a_id=131352&source=js_tag", "https://bat.bing.com/p/action/56358236.js", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/388043112/?random=1649597062436&cv=9&fst=1649597062436&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=2&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2oa3u0&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fwww.zealcu.org%2Fhome-loans%2F%3Fmsclkid%3D3ef1349815a11e52b0b256cacc0bc952%26utm_source%3Dbing%26utm_medium%3Dcpc%26utm_campaign%3DSearch%3A%2520Zeal%2520Credit%2520", "https://lpcdn.lpsnmedia.net/le_re/3.50.0.1-release_5103/jsv2/overlay.js?_v=3.50.0.1-release_5103", "https://www.zealcu.org/app/uploads/cache/js/aggregated_single_eb9d05879e4cb943b965deb3cccf05ee.js", "https://integration.silvercloudinc.com/js/silvercloudjs/silvercloud.js", "https://js.callrail.com/group/0/66d5efd6cbf06378ea1f/02836fdf-c99c-4a90-b31b-373093db654e/poll.js?t=1649597153888&ids%5B%5D=448598242", "https://js.callrail.com/group/0/66d5efd6cbf06378ea1f/02836fdf-c99c-4a90-b31b-373093db654e/poll.js?t=1649598014683&ids%5B%5D=448598242", "https://www.zealcu.org/app/uploads/cache/css/aggregated_cd3154a65f0e94fa98c08398cba54caa.css", "https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfjFjMaAAAAACpmnf2RfTg2U2m4Cdnku25XccJW&co=aHR0cHM6Ly93d3cuemVhbGN1Lm9yZzo0NDM.&hl=en&v=Y-cOIEkAqcfDdup_qnnmkxIC&theme=light&size=normal&cb=j4msjl4zxy97", "https://va.idp.liveperson.net/postmessage/postmessage.min.html?bust=1649597064004&loc=https%3A%2F%2Fwww.zealcu.org", "https://bid.g.doubleclick.net/xbbe/pixel?d=KAE" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1790, "hostname": 586, "FileHash-SHA256": 362, "domain": 330, "email": 1 }, "indicator_count": 3069, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1483 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62276abfaa65cd33f64331f8", "name": "TarrantCounty.com ~ 03.01.2022", "description": "", "modified": "2022-04-07T00:04:02.553000", "created": "2022-03-08T14:39:59.235000", "tags": [ "march", "lookup go", "rescan add", "verdict report", "de summary", "http", "redirects links", "behaviour", "similar dom", "content api", "value", "search url", "search domain", "scan url", "url search", "domain scan", "url url", "motor vehicle", "aqb1", "eventsevent10", "meta", "show", "download go", "full url", "reverse dns", "resource", "windows nt", "win64", "khtml", "gecko", "response", "main", "milan", "apache", "paris", "accept" ], "references": [ "TarrantCounty3df.pdf", "TarantCounty2df.pdf", "TarrantCounty4df.pdf", "TarrantCounty5df.pdf", "tarrant23df.pdf", "TarrantCounty1df.pdf", "tarrantcounty.com:en:elections:Voter-Information:Voter- Registration.html%22,.pdf", "TarrantCounty6df.pdf", "TarrantCounty7df.pdf", "TarrantCounty10df.pdf", "TarrantCounty9df.pdf", "TarrantCounty17df.pdf", "TarrantCounty15df.pdf", "TarrantCounty12df.pdf", "TarrantCounty14df.pdf", "tarrantcounty8df.pdf", "TarrantCounty18df.pdf", "TarrantCounty19df.pdf", "TarrantCounty21df.pdf", "tarrantcounty22df.pdf", "TarrantCounty20df.pdf", "tarrantcountydf.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4134, "hostname": 1607, "domain": 838, "FileHash-SHA256": 1078, "FileHash-SHA1": 2, "email": 3, "CIDR": 4, "FileHash-MD5": 15 }, "indicator_count": 7681, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1516 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "tarrantcounty22df.pdf", "https://pixel-geo.prfct.co/tagjs?a_id=131352&source=js_tag", "1click-uninstaller.informer.com [Apple - access PE]", "TarrantCounty9df.pdf", "http://instantfwding.com/px.js?ch=1", "support.apple.com [nefarious]", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://www.dreamhost.com/assets/scripts/bootstrap-7670fc8587f9fd0608d2af67f392281a9a4fbf4cb4252952ecb8d34f6ee286b3.js", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://js.driftt.com/core/chat?region=US&driftEnableLog=false&pageLoadStartTime=1650943817154", "TarrantCounty3df.pdf", "https://code.jquery.com/jquery-3.4.1.min.js?ver=3.4.1", "TarrantCounty12df.pdf", "TarrantCounty6df.pdf", "https://kit.fontawesome.com/7d998cc9b7.js", "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "xfe-URL-Dreamhost.com-stix2-2.1-export.json", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/388043112/?random=1649597062436&cv=9&fst=1649597062436&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=2&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2oa3u0&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fwww.zealcu.org%2Fhome-loans%2F%3Fmsclkid%3D3ef1349815a11e52b0b256cacc0bc952%26utm_source%3Dbing%26utm_medium%3Dcpc%26utm_campaign%3DSearch%3A%2520Zeal%2520Credit%2520", "TarrantCounty4df.pdf", "https://www.dreamhost.com/assets/site-75a1aba399db4de4e4093997b8fc8ff8ec5e65b5f4258c9a658a5cacacbf6e0d.js", "https://integration.silvercloudinc.com/js/bundle/vendor.js", "https://bat.bing.com/bat.js", "https://lptag.liveperson.net/tag/tag.js?site=22027291", "https://script.hotjar.com/modules.0076bf93c385ddf0ff58.js", "TarrantCounty20df.pdf", "Legal court documented agreement to allow and pay target to hire cyber investigators", "https://js.callrail.com/group/0/66d5efd6cbf06378ea1f/02836fdf-c99c-4a90-b31b-373093db654e/poll.js?t=1649597153888&ids%5B%5D=448598242", "https://lptag.liveperson.net/lptag/api/account/22027291/configuration/applications/taglets/.jsonp?v=2.0&df=2&b=2", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "https://www.zealcu.org/app/uploads/cache/js/aggregated_single_eb9d05879e4cb943b965deb3cccf05ee.js", "https://khmerpornvideo.signup0.y.id/", "TarrantCounty14df.pdf", "https://www.googletagmanager.com/gtag/js?id=G-1F7WLMM0K2&l=dataLayer&cx=c", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://s.thebrighttag.com/tag?site=9O7NXzt&referrer=https%3A%2F%2Fwww.zealcu.org%2Fhome-loans%2F%3Fmsclkid%3D3ef1349815a11e52b0b256cacc0bc952%26utm_source%3Dbing%26utm_medium%3Dcpc%26utm_campaign%3DSearch%253A%2520Zeal%2520Credit%2520Union%2520-%2520Mortgages%26utm_term%3Dhouse%2520mortgage%26utm_content%3DMortgage%2520General&docReferrer=http%3A%2F%2Finstantfwding.com%2F&H=-5nu6gjg", "https://maps.googleapis.com/maps/api/js?key=AIzaSyAMbtdeFB5s623T4LwRldWj_Vdy2t4wLkw&libraries=places", "TarrantCounty21df.pdf", "https://maps.googleapis.com/maps/api/js?sensor=false", "TarrantCounty7df.pdf", "tarrant23df.pdf", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "https://lpcdn.lpsnmedia.net/le_re/3.50.0.1-release_5103/jsv2/overlay.js?_v=3.50.0.1-release_5103", "https://cdn.callrail.com/companies/448598242/66d5efd6cbf06378ea1f/12/swap.js", "https://www.dreamhost.com/assets/scripts/webp-support-1dd791309dc3fa5b166a0a326e49345fe5acb5acbc1831f4c7be87efce1abf51.js", "https://vars.hotjar.com/box-4924254a9ce4dc9b959b6e4a9b662d60.html", "TarrantCounty19df.pdf", "https://s.thebrighttag.com/tag?site=9O7NXzt&H=-5nu6gjg&referrer=https%3A%2F%2Fwww.zealcu.org%2Fhome-loans%2F%3Fmsclkid%3D3ef1349815a11e52b0b256cacc0bc952%26utm_source%3Dbing%26utm_medium%3Dcpc%26utm_campaign%3DSearch%253A%2520Zeal%2520Credit%2520Union%2520-%2520Mortgages%26utm_term%3Dhouse%2520mortgage%26utm_content%3DMortgage%2520General&docReferrer=http%3A%2F%2Finstantfwding.com%2F&mode=v2&cf=7500150%2C7500152&btpdb.9O7NXzt.dGZjLjc1MDAxNTE=UkVRVUVTVFMuMA&btpdb.9O7NXzt.dGZjLjc1MTUyNDU=U0VTU0lPTg&btpdb.9O7N", "https://js.driftt.com/include/1650944100000/2y43hyefanc8.js", "TarrantCounty10df.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "http://pxlgnpgecom-a.akamaihd.net/javascripts/browserfp.min.js?templateId=11&customerId=7CUHNT0E1", "https://www.google-analytics.com/gtm/optimize.js?id=GTM-PHVK7LN", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://integration.silvercloudinc.com/js/silvercloudjs/silvercloud.js", "https://js.driftt.com/core?embedId=2y43hyefanc8®ion=US&forceShow=false&skipCampaigns=false&sessionId=5a8c1b8d-2626-4a43-a7a6-76e9416f2f52&sessionStarted=1650943819.009&campaignRefreshToken=a2d9846a-8932-4e3c-a8d5-878681a555e0&hideController=false&pageLoadStartTime=1650943817154&mode=CHAT&driftEnableLog=false", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.zealcu.org/app/uploads/cache/css/aggregated_cd3154a65f0e94fa98c08398cba54caa.css", "http://ianswertomom.com/develop-wise-woman-within-yourself", "https://integration.silvercloudinc.com/js/bundle/8.engageware-bundle.js", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "https://www.dreamhost.com/assets/bootstrap-aa47564acfdf18ce859b8e1fd130d889920ae66415b3db4de8505d42a0477b09.css", "howtoworkacrickoutofyourneck2.pages.dev", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "tarrantcountydf.pdf", "cbi.com", "https://js.callrail.com/group/0/66d5efd6cbf06378ea1f/02836fdf-c99c-4a90-b31b-373093db654e/poll.js?t=1649598014683&ids%5B%5D=448598242", "https://tag.perfectaudience.com/serve/5f59021d1911b61034000d8d.js", "https://va.idp.liveperson.net/postmessage/postmessage.min.html?bust=1649597064004&loc=https%3A%2F%2Fwww.zealcu.org", "tarrantcounty8df.pdf", "https://widget.trustpilot.com/bootstrap/v5/tp.widget.bootstrap.min.js", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "https://pxlgnpgecom-a.akamaihd.net/javascripts/bfp_ssn.js?templateId=11", "TarrantCounty5df.pdf", "xfe-URL-ihagoogle.com-stix2-2.1-export.json", "cell-0.af-south-1.prod.telemetry.console.api.aws", "deviceinbox.com", "TarrantCounty15df.pdf", "TarantCounty2df.pdf", "https://cdn.abrankings.com/js/client.js", "https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfjFjMaAAAAACpmnf2RfTg2U2m4Cdnku25XccJW&co=aHR0cHM6Ly93d3cuemVhbGN1Lm9yZzo0NDM.&hl=en&v=Y-cOIEkAqcfDdup_qnnmkxIC&theme=light&size=normal&cb=j4msjl4zxy97", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "TarrantCounty17df.pdf", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "firebase-auth-eich0v.pages.dev", "https://www.google-analytics.com/plugins/ua/linkid.js", "https://www.googletagmanager.com/gtm.js?id=GTM-TLN654", "tarrantcounty.com:en:elections:Voter-Information:Voter- Registration.html%22,.pdf", "TarrantCounty1df.pdf", "https://bat.bing.com/p/action/56358236.js", "http://sedoparking.com/frmpark/ihagoogle.com/sedopark/park.js", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "http://mail.thyrsus.com/ [phishing]", "https://bid.g.doubleclick.net/xbbe/pixel?d=KAE", "caselaw.lawlink.com", "ppa.launchpad.net [Apple open use]", "TarrantCounty18df.pdf", "Attacks are being carried out by The State of Colorado", "https://clear.ml/infrastructure-control-plane" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Unix.trojan.gafgyt-6981154-0", "Alf:exploit:o97m/cve-2017-8977", "Nids", "Win.malware.mikey-9949492-0", "Cobalt strike", "Alf:trojan:win32/formbook", "Alf:trojan:powershell/dynamicloader", "Makop", "Trojandropper:win32/systex.a", "Virtool:win32/vbinject.gen!mh", "Lockbit", "Trojandownloader:win32/cutwailransom:win32/crowti.a", "Quasar rat", "Unix.trojan.tsunami-6981155-0", "Trojan:win32/qbot.r!mtb", "#lowfi:hstr:criakl.b1", "Formbook", "Cve-2017-11882", "Reduceright", "Trojandownloader:win32/cutwail", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Backdoor:win32/arwobot.b", "Dark power", "Ransomexx (elf)", "Emotet", "Win.trojan.gravityrat-6511862-0", "Backdoor:linux/demonbot.aa!mtb", "Vd", "Win.trojan.tepfer-61", "Ddos:linux/gafgyt.ya!mtb", "Pws:win32/xport", "Pegasus", "Cycbot", "Hacktool", "Mirai (elf)", "Hj", "Win32:botx-gen\\ [trj]", "Worm:win32/bloored.e", "Lumma stealer", "Win.downloader.small-4507", "Ransom:win32/makop", "Ransom:win32/crowti.a", "Alf:nid:susp_nsis_stub.a", "Win.packed.bandook-9882274-1", "Qakbot", "Worm" ], "industries": [ "Insurance", "Government", "Construction" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "69d3532c76eb3bf5edd9609b", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:08.181000", "created": "2026-04-06T06:31:08.181000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d3532a6537880f6e2c68dc", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:06.730000", "created": "2026-04-06T06:31:06.730000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693cdc5b8ebc10664439c2fb", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado", "description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.", "modified": "2026-02-10T06:05:39.764000", "created": "2025-12-13T03:24:11.414000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6963596c4cd594b77b4675ec", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ", "description": "", "modified": "2026-02-10T06:05:39.764000", "created": "2026-01-11T08:03:56.534000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": "693cdc5b8ebc10664439c2fb", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bbb9815816db0de034f3a3", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:17.285000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bbb98c440c1c45ec12ccdc", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:28.063000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bbb98d9818cca8f130c195", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:29.619000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bbb998c3b7662e5059b6c2", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:40.759000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c8f50527fb73205bfca", "name": "Dreamhost.com - Drift Widget", "description": "", "modified": "2023-12-06T15:00:31.809000", "created": "2023-12-06T15:00:31.809000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 174, "domain": 464, "URL": 1119, "hostname": 156, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 1916, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708b72abe90961af1737c9", "name": "reCAPTCHA", "description": "", "modified": "2023-12-06T14:55:46.172000", "created": "2023-12-06T14:55:46.172000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 362, "domain": 330, "URL": 1790, "hostname": 586, "email": 1 }, "indicator_count": 3069, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "a.ph", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "a.ph", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780319202.4732175 }