{ "type": "Domain", "indicator": "aa.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/aa.com", "alexa": "http://www.alexa.com/siteinfo/aa.com", "indicator": "aa.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "akamai", "message": "Akamai rank: #3082", "name": "Akamai Popular Domain" }, { "source": "alexa", "message": "Alexa rank: #593", "name": "Listed on Alexa" }, { "source": "majestic", "message": "Whitelisted domain aa.com", "name": "Whitelisted domain" }, { "source": "whitelist", "message": "Whitelisted domain aa.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2358199736, "indicator": "aa.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T12:02:15.044000", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 5 }, "indicator_count": 18414, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "7 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69228447b9c71795633314df", "name": "Keep Corrupt - University of Alberta Incidents continue to escalate - 04.24.26", "description": "Recovered accounts that have been used & abused - courtesy of decisions by non-technical leadership = accounts for UAlberta students -> PW manager made inaccessible (tied to UAlberta account) during a Data-Breach.\nWhen PW manager & Accounts returned, was populated by these (many = fraudulent; some appear to be abuse of legitimate services, while others do not, yet don't know function or origin)\n\nNot representative of OG PW manager. Many (most) accts. used/abused (on-going). \n\nDon't have a backup of original = hard to compare. Don't quite know what the majority of these companies etc. are for and/or do exactly. Putting them together as they roll-in.\nCan't turn them off in most cases - I don't have access to the U of A accounts these originate from and/or original recovery methods. \n\n2 more batches to add to this pulse (Need to add into VT) 02.16.26\n\nCountries listed are where 2 victims (UAlberta Graduates) have citizenship or some tie with.", "modified": "2026-05-24T21:18:51.782000", "created": "2025-11-23T03:49:27.649000", "tags": [ "geoip", "as54113", "fastly", "as20940", "as15169", "google", "as214401", "maincubesas", "gmbh", "apache geoip", "facebook", "UAlberta", "AHS", "Treaty 8", "GoA", "Alberta", "Edmonton", "YEG" ], "references": [ "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a", "URLscanio, FSio, vT", "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)" ], "public": 1, "adversary": "", "targeted_countries": [ "Cura\u00e7ao", "Guatemala", "Sint Maarten (Dutch part)", "Tanzania, United Republic of", "Barbados", "United States of America", "Bahamas", "Anguilla", "Canada", "Saint Vincent and the Grenadines", "United Kingdom of Great Britain and Northern Ireland", "Kenya", "France", "Aruba", "Mexico", "Poland", "Costa Rica", "Ireland", "Trinidad and Tobago", "Netherlands", "Slovakia", "Spain", "Philippines" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Technology", "Telecommunications", "Education", "Healthcare", "Finance", "Retail", "Hospitality", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 47, "FileHash-MD5": 53, "FileHash-SHA1": 16, "FileHash-SHA256": 1059, "URL": 6374, "domain": 3314, "email": 1395, "hostname": 3740, "CVE": 1 }, "indicator_count": 15999, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699c3b796fcaed878ca94c5c", "name": "https://m.vzw.com/wIvzrd8", "description": "the wizard", "modified": "2026-04-18T05:30:18.690000", "created": "2026-02-23T11:35:21.673000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1818, "hostname": 575, "URL": 200, "FileHash-SHA1": 450, "CIDR": 11, "domain": 887, "email": 7, "FileHash-MD5": 402, "CVE": 21 }, "indicator_count": 4371, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695089cbedad5c86f39b1363", "name": "Tracking Domains 03.03.26 (Updated Test)", "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.", "modified": "2026-04-05T06:35:43.679000", "created": "2025-12-28T01:37:15.993000", "tags": [ "privacy badger", "sites general", "settings widget", "domains manage", "data privacy", "badger", "hide" ], "references": [ "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b", "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary", "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark", "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50404, "hostname": 10879, "URL": 715, "FileHash-MD5": 1 }, "indicator_count": 61999, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "56 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697488f095f69d392afd00fb", "name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes", "description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T08:55:12.845000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "href", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "form", "click", "strings", "error", "tools", "look", "verify", "restart", "active related", "url https", "related pulses", "url http", "united", "czechia", "hong kong", "ipv4", "indicators hong", "kong", "south korea", "netherlands", "germany", "ireland", "denmark", "sweden", "active", "government", "finance", "security", "type indicator", "yara detections", "av detections", "ids detections", "alerts", "analysis date", "mcsf", "microsoft", "yara", "insurance", "fidelity investments", "description", "fidelity international", "ms windows", "pe32", "writeconsolew", "read c", "pe32 executable", "t1045", "susp", "write", "win64", "malware", "modified", "ck ids", "t1040", "sniffing", "packing", "t1112", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "win32", "trojan", "april", "sara ligorria", "tramp advert", "black paper", "createdate", "subject laser", "title laser", "format", "types of", "japan", "regsetvalueexa", "regdword", "regbinary", "module download", "tls handshake", "high", "defense evasion", "discovery att", "adversaries", "title", "role", "flag", "name server", "server", "domain address", "markmonitor", "clicktale ltd", "enom", "whoisguard", "medium", "unicode", "rgba", "delete", "crlf line", "next", "dock", "execution", "date", "users", "tls sni", "total", "cnc domain", "search", "oamazon", "cnamazon rsa", "push", "failure yara", "contacted", "hours ago", "created", "cia", "fbi", "telegram", "tulach", "sabey", "state", "gov", "ahmann", "financial fraud", "t-mobile", "walmartmobile", "life insurance", "fidelity life", "guarantee", "team", "role title", "added active", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "kw3recepten", "domainname0", "searchbox0", "kw1brinta", "kw2muesli", "indicator role", "title added", "pulses url", "cve cve20170147", "apple", "apple id" ], "references": [ "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://bhive.nectar.social/rKvoMY", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Domains Contacted api.nuget.org", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.fidelity.com/ https://www.fidelity.com/", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://www.anyxxxtube.net/search-porn/", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://bhive.nectar.social/rKvoMY", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "http://appleid.app", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64:Trojan-gen", "display_name": "Win64:Trojan-gen", "target": null }, { "id": "Trojan:MSIL/Ursu.KP", "display_name": "Trojan:MSIL/Ursu.KP", "target": "/malware/Trojan:MSIL/Ursu.KP" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "target": null }, { "id": "Trojan:PDF/Phish.RR!MTB", "display_name": "Trojan:PDF/Phish.RR!MTB", "target": "/malware/Trojan:PDF/Phish.RR!MTB" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": ": ALF:Trojan:MSIL/Azorult.AC!", "display_name": ": ALF:Trojan:MSIL/Azorult.AC!", "target": null }, { "id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "target": null }, { "id": "Trojan:Win32/Conbea!rfn", "display_name": "Trojan:Win32/Conbea!rfn", "target": "/malware/Trojan:Win32/Conbea!rfn" }, { "id": "Trojan:Win32/Ausiv!rfn", "display_name": "Trojan:Win32/Ausiv!rfn", "target": "/malware/Trojan:Win32/Ausiv!rfn" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "target": null }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "TrojanDropper:Win32/Qhost", "display_name": "TrojanDropper:Win32/Qhost", "target": "/malware/TrojanDropper:Win32/Qhost" }, { "id": "Trojan:Win32/Miner.KA!MTB", "display_name": "Trojan:Win32/Miner.KA!MTB", "target": "/malware/Trojan:Win32/Miner.KA!MTB" }, { "id": "DNSTrojan", "display_name": "DNSTrojan", "target": null }, { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Finance", "Insurance" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2793, "URL": 6639, "FileHash-SHA256": 2462, "domain": 1070, "FileHash-MD5": 307, "FileHash-SHA1": 186, "SSLCertFingerprint": 1, "email": 1, "CVE": 3 }, "indicator_count": 13462, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b61e16cea7624a6606a69", "name": "For Later", "description": "***", "modified": "2025-11-17T18:46:19.094000", "created": "2025-11-17T17:56:49.875000", "tags": [ "wormhole", "want", "sign", "submit send", "copy", "share show", "report delete", "faq roadmap", "security legal", "twitter discord", "protected" ], "references": [ "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 72127, "hostname": 16700, "URL": 50 }, "indicator_count": 88877, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e9c8e63a72c7cb531a58ba", "name": "08.09.24 URLscanio 2 weeks.csv", "description": "", "modified": "2025-10-25T02:09:23.619000", "created": "2024-09-17T18:22:30.731000", "tags": [], "references": [ "https://x.com/NorrisN60014/status/1836092481978486802", "https://x.com/NorrisN60014/status/1836092481978486802", "https://www.hybrid-analysis.com/sample/a4f03d9a35524a7c0596777ea2b1fe5d98161b2462435e6056e4e39eb869396d/66e9ae1eb806d5b3300b842f", "https://viz.greynoise.io/analysis/79a3ab55-982c-4fb7-9952-abde6f1219c2", "https://www.filescan.io/uploads/66e9b5494a48170ff00c8102/reports", "https://report.netcraft.com/submission/9R7KbGQKOvzU9GBdraRBpUJ4C", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 6, "URL": 1074, "domain": 1530, "email": 2, "hostname": 2849 }, "indicator_count": 5464, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f235b9a7a94a6a61acd651", "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan", "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.", "modified": "2025-03-07T08:38:08.584000", "created": "2024-09-24T03:44:57.902000", "tags": [ "geoip", "public url", "as16509", "amazon02", "as20940", "akamaiasn1", "as8075", "as15169", "google", "akamaias", "facebook", "telecom", "twitter", "media", "win64", "level3", "mini", "ukraine", "proton", "ghost", "win32", "cuba", "mexico", "indonesia", "seznam", "as3359", "as852" ], "references": [ "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://n0paste.eu/UH6n5pD/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Anguilla", "Poland", "Aruba", "Australia", "Barbados", "Costa Rica", "Guatemala", "Philippines", "Panama", "Sint Maarten (Dutch part)", "Saint Martin (French part)", "Cayman Islands", "Cura\u00e7ao", "Mexico", "Saint Vincent and the Grenadines", "Saint Kitts and Nevis", "Tanzania, United Republic of", "Netherlands", "Ukraine", "Trinidad and Tobago", "Japan", "Bahamas", "United Kingdom of Great Britain and Northern Ireland", "Georgia" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "CIDR": 1186, "CVE": 4, "FileHash-MD5": 29, "FileHash-SHA1": 3, "URL": 25493, "domain": 5396, "email": 10, "hostname": 10770 }, "indicator_count": 42892, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "450 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e6547f22d43d6d149cac7a", "name": "RedCap Abuse | The 1st Pulse was deleted from OTX . AlienVault", "description": "Another example of target working with a hacker impersonating some7he.sje was not. The hackers had the perfect opportunity to stay attached to Dropbox, photos. microphone and highlighted heavily targets location. || Target was suspicious about several issues related to pair. Hacker has only one piece of equipment for project. Target basically had to give him all , tips, cues and direction for project. If this Pulse is deleted I don't know what to think.", "modified": "2024-10-15T02:02:53.504000", "created": "2024-09-15T03:29:03.699000", "tags": [ "urls", "passive dns", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "process32nextw", "intel", "ms windows", "united", "pe32", "search", "module load", "t1129", "read c", "default", "path", "write", "malware", "copy", "win32", "suspicious", "unknown", "united kingdom", "set cookie", "as43350 nforce", "script urls", "as55286", "status", "cookie", "trojan", "template", "showing", "entries", "body", "ransom", "meta", "a div", "div div", "ipv4", "script script", "as16276", "france unknown", "link", "span a", "span span", "span", "class", "pragma", "servers", "creation date", "emails", "domain", "expiration date", "cname", "aaaa", "certificate", "lowfitrojan", "hstr", "jsauto25 jun", "pm lowfitrojan", "related pulses", "file samples", "files matching", "show", "endpoints all", "trojan features", "date hash", "as15169 google", "as44273 host", "september", "de indicators", "domains", "hashes", "dynamicloader", "yara detections", "enigmaprotector", "high", "bios", "dynamic", "filehash", "yaxpax", "yapaxi", "zp6axi0", "cuckoo", "name servers", "domains ii", "for privacy", "redacted for", "next", "domain address", "alienvault name", "server", "flag", "contacted hosts", "process details", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata", "overview ip", "address", "files location", "flag united", "hostname", "files domain", "months ago", "created", "email", "modified", "filehashsha1", "filehashsha256", "white cve", "cyber", "xamzexpires300", "twitter", "xor ddos", "xorddos", "hacktool", "bazaarloader", "redcap", "formbook", "locky", "lockbit", "ransomware", "target", "ebury", "virustotal", "crypter", "shadowpad", "corrupt", "cryptor", "android", "xrat", "xtrat", "malicious", "honeypot", "fraud", "already", "behav", "ragnar locker", "swipper", "n\u2205 ip", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "execution", "dock", "persistence", "august", "asnone bulgaria", "sales", "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "whois lookups", "dnssec", "domain name", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "date", "dns replication", "record type", "ttl value", "msms33388520", "data", "cus starizona", "cngo daddy", "authority", "g2 validity" ], "references": [ "TrojanSpy:Win32/Nivdort.DE", "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn: FileHash-SHA256 00018d13f451300fb839123dfbf2d8607da0e7b1c89ae1bfbb9946ac79c1663c", "IDS Detections: Win32/Unruy Rogue Search Host Observed 1", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts: nids_malware_alert network_icmp persistence_autorun" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "ALF:Trojan:Win32/Cassini_ade36583", "display_name": "ALF:Trojan:Win32/Cassini_ade36583", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "target": null }, { "id": "Ransom:Win32/Wannaren", "display_name": "Ransom:Win32/Wannaren", "target": "/malware/Ransom:Win32/Wannaren" }, { "id": "#LowfiTrojan:JS/Auto25", "display_name": "#LowfiTrojan:JS/Auto25", "target": "/malware/#LowfiTrojan:JS/Auto25" }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "target": null }, { "id": "Win.Packed.XtremeRAT-9837419-0", "display_name": "Win.Packed.XtremeRAT-9837419-0", "target": null }, { "id": "Win.Packed.Kelios-10023944-0", "display_name": "Win.Packed.Kelios-10023944-0", "target": null }, { "id": "Win.Trojan.Unruy-5885", "display_name": "Win.Trojan.Unruy-5885", "target": null }, { "id": "Ebury", "display_name": "Ebury", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Swipper", "display_name": "Swipper", "target": null }, { "id": "N\u2205 IP", "display_name": "N\u2205 IP", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4315, "FileHash-MD5": 573, "FileHash-SHA1": 550, "FileHash-SHA256": 4114, "domain": 4757, "hostname": 2075, "SSLCertFingerprint": 5, "email": 14, "CIDR": 1 }, "indicator_count": 16404, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b0fa3624bf0384e427f2e7", "name": "Tracking Domains 4.2 - 08.19.24", "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 suggests IOCs by AlienVault\nFrom VT: 2 IPs hosted by 45090 (Shenzhen Tencent Computer Systems Company Limited) & 4611 (CNNIC member) seem to be the problem here 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (Respectively)", "modified": "2024-09-04T15:01:01.432000", "created": "2024-08-05T16:13:42.563000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph", "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark", "https://viz.greynoise.io/query/AS4611", "https://urlscan.io/asn/AS4611", "https://urlscan.io/search/#asn:%22AS4611%22", "https://urlscan.io/asn/AS45090", "https://urlscan.io/search/#asn%3A%22AS45090%22", "https://viz.greynoise.io/query/AS45090", "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions", "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour", "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)", "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6180, "FileHash-MD5": 1, "domain": 24921, "URL": 10854 }, "indicator_count": 41956, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66269b1f33258a8e26033b17", "name": "Tracking Domains - Part 4.1", "description": "More Tracking Domains", "modified": "2024-08-30T13:02:28.335000", "created": "2024-04-22T17:15:11.398000", "tags": [ "Tracking Domains" ], "references": [ "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs", "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark", "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 94496, "FileHash-MD5": 63, "domain": 112327, "URL": 166918, "FileHash-SHA1": 33, "FileHash-SHA256": 103, "CIDR": 216 }, "indicator_count": 374156, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "639 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66269b204ecfba63974dc1d8", "name": "Tracking Domains - Part 4", "description": "More Tracking Domains", "modified": "2024-05-22T17:04:45.215000", "created": "2024-04-22T17:15:12.353000", "tags": [ "Tracking Domains" ], "references": [ "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs", "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 792, "FileHash-MD5": 1, "domain": 5803, "URL": 2 }, "indicator_count": 6598, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6552d60aae6e1b3c22455088", "name": "Hive 0065", "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-14T02:06:02.329000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "900 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6552d6f5f56d2e9cd9e18a30", "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet", "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-14T02:09:57.370000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "900 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65568b00198f82af2e88d463", "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet", "description": "", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-16T21:34:56.016000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6552d6f5f56d2e9cd9e18a30", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "900 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6267e4381a37f5d6c26ec679", "name": "its all here", "description": "", "modified": "2022-05-26T00:02:33.465000", "created": "2022-04-26T12:23:20.647000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 282, "domain": 155, "FileHash-SHA256": 461, "URL": 501, "FileHash-MD5": 1 }, "indicator_count": 1400, "is_author": false, "is_subscribing": null, "subscriber_count": 397, "modified_text": "1466 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://urlscan.io/search/#asn%3A%22AS45090%22", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "https://viz.greynoise.io/query/AS4611", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)", "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "https://viz.greynoise.io/query/AS45090", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA", "https://urlscan.io/asn/AS45090", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "Domains Contacted api.nuget.org", "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs", "https://www.hybrid-analysis.com/sample/a4f03d9a35524a7c0596777ea2b1fe5d98161b2462435e6056e4e39eb869396d/66e9ae1eb806d5b3300b842f", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs", "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcn", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be", "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "https://urlscan.io/asn/AS4611", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "https://www.anyxxxtube.net/search-porn/", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary", "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b", "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.fidelity.com/ https://www.fidelity.com/", "https://x.com/NorrisN60014/status/1836092481978486802", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "Alerts: nids_malware_alert network_icmp persistence_autorun", "https://urlscan.io/search/#asn:%22AS4611%22", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "https://report.netcraft.com/submission/9R7KbGQKOvzU9GBdraRBpUJ4C", "URLscanio, FSio, vT", "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn: FileHash-SHA256 00018d13f451300fb839123dfbf2d8607da0e7b1c89ae1bfbb9946ac79c1663c", "IDS Detections: Win32/Unruy Rogue Search Host Observed 1", "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "http://appleid.app", "https://n0paste.eu/UH6n5pD/", "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions", "https://viz.greynoise.io/analysis/79a3ab55-982c-4fb7-9952-abde6f1219c2", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary", "https://bhive.nectar.social/rKvoMY", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "https://www.filescan.io/uploads/66e9b5494a48170ff00c8102/reports", "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark", "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "TrojanSpy:Win32/Nivdort.DE" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/miner.ka!mtb", "Alf:heraklezeval:trojandownloader:win32/unruy", "Alf:heraklezeval:trojandownloader:win32/unruy!rfn", "Ebury", "Formbook", "Ransom:win32/wannaren", "Win32:trojanx-gen\\ [trj]", "Trojan:pdf/phish.rr!mtb", "Tofsee", "Win.trojan.unruy-5885", "Win.packed.kelios-10023944-0", "Trojan:bat/musecador", "Win64:trojan-gen", "Win.packed.xtremerat-9837419-0", "Trojan:win32/conbea!rfn", "Trojan:win32/startpage", "N\u2205 ip", "Trojan:win32/ausiv!rfn", "Trojanspy:win32/nivdort.de", "#lowfitrojan:js/auto25", "Swipper", ": alf:trojan:msil/azorult.ac!", "Alf:trojan:win32/cryptwrapper.rt!mtb", "Trojandropper:win32/qhost", "Trojan:msil/ursu.kp", "Alf:heraklezeval:trojan:win32/eqtonex.f", "Ransom:win32/haperlock", "Alf:heraklezeval:trojan:msil/gravityrat", "Locky", "Eternalrocks", "Alf:trojan:win32/cassini_ade36583", "Dnstrojan" ], "industries": [ "Education", "Transportation", "Technology", "Healthcare", "Government", "Retail", "Insurance", "Telecommunications", "Hospitality", "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T12:02:15.044000", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 5 }, "indicator_count": 18414, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "7 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69228447b9c71795633314df", "name": "Keep Corrupt - University of Alberta Incidents continue to escalate - 04.24.26", "description": "Recovered accounts that have been used & abused - courtesy of decisions by non-technical leadership = accounts for UAlberta students -> PW manager made inaccessible (tied to UAlberta account) during a Data-Breach.\nWhen PW manager & Accounts returned, was populated by these (many = fraudulent; some appear to be abuse of legitimate services, while others do not, yet don't know function or origin)\n\nNot representative of OG PW manager. Many (most) accts. used/abused (on-going). \n\nDon't have a backup of original = hard to compare. Don't quite know what the majority of these companies etc. are for and/or do exactly. Putting them together as they roll-in.\nCan't turn them off in most cases - I don't have access to the U of A accounts these originate from and/or original recovery methods. \n\n2 more batches to add to this pulse (Need to add into VT) 02.16.26\n\nCountries listed are where 2 victims (UAlberta Graduates) have citizenship or some tie with.", "modified": "2026-05-24T21:18:51.782000", "created": "2025-11-23T03:49:27.649000", "tags": [ "geoip", "as54113", "fastly", "as20940", "as15169", "google", "as214401", "maincubesas", "gmbh", "apache geoip", "facebook", "UAlberta", "AHS", "Treaty 8", "GoA", "Alberta", "Edmonton", "YEG" ], "references": [ "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a", "URLscanio, FSio, vT", "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)" ], "public": 1, "adversary": "", "targeted_countries": [ "Cura\u00e7ao", "Guatemala", "Sint Maarten (Dutch part)", "Tanzania, United Republic of", "Barbados", "United States of America", "Bahamas", "Anguilla", "Canada", "Saint Vincent and the Grenadines", "United Kingdom of Great Britain and Northern Ireland", "Kenya", "France", "Aruba", "Mexico", "Poland", "Costa Rica", "Ireland", "Trinidad and Tobago", "Netherlands", "Slovakia", "Spain", "Philippines" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Technology", "Telecommunications", "Education", "Healthcare", "Finance", "Retail", "Hospitality", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 47, "FileHash-MD5": 53, "FileHash-SHA1": 16, "FileHash-SHA256": 1059, "URL": 6374, "domain": 3314, "email": 1395, "hostname": 3740, "CVE": 1 }, "indicator_count": 15999, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699c3b796fcaed878ca94c5c", "name": "https://m.vzw.com/wIvzrd8", "description": "the wizard", "modified": "2026-04-18T05:30:18.690000", "created": "2026-02-23T11:35:21.673000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1818, "hostname": 575, "URL": 200, "FileHash-SHA1": 450, "CIDR": 11, "domain": 887, "email": 7, "FileHash-MD5": 402, "CVE": 21 }, "indicator_count": 4371, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695089cbedad5c86f39b1363", "name": "Tracking Domains 03.03.26 (Updated Test)", "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.", "modified": "2026-04-05T06:35:43.679000", "created": "2025-12-28T01:37:15.993000", "tags": [ "privacy badger", "sites general", "settings widget", "domains manage", "data privacy", "badger", "hide" ], "references": [ "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b", "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary", "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark", "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50404, "hostname": 10879, "URL": 715, "FileHash-MD5": 1 }, "indicator_count": 61999, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "56 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697488f095f69d392afd00fb", "name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes", "description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T08:55:12.845000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "href", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "form", "click", "strings", "error", "tools", "look", "verify", "restart", "active related", "url https", "related pulses", "url http", "united", "czechia", "hong kong", "ipv4", "indicators hong", "kong", "south korea", "netherlands", "germany", "ireland", "denmark", "sweden", "active", "government", "finance", "security", "type indicator", "yara detections", "av detections", "ids detections", "alerts", "analysis date", "mcsf", "microsoft", "yara", "insurance", "fidelity investments", "description", "fidelity international", "ms windows", "pe32", "writeconsolew", "read c", "pe32 executable", "t1045", "susp", "write", "win64", "malware", "modified", "ck ids", "t1040", "sniffing", "packing", "t1112", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "win32", "trojan", "april", "sara ligorria", "tramp advert", "black paper", "createdate", "subject laser", "title laser", "format", "types of", "japan", "regsetvalueexa", "regdword", "regbinary", "module download", "tls handshake", "high", "defense evasion", "discovery att", "adversaries", "title", "role", "flag", "name server", "server", "domain address", "markmonitor", "clicktale ltd", "enom", "whoisguard", "medium", "unicode", "rgba", "delete", "crlf line", "next", "dock", "execution", "date", "users", "tls sni", "total", "cnc domain", "search", "oamazon", "cnamazon rsa", "push", "failure yara", "contacted", "hours ago", "created", "cia", "fbi", "telegram", "tulach", "sabey", "state", "gov", "ahmann", "financial fraud", "t-mobile", "walmartmobile", "life insurance", "fidelity life", "guarantee", "team", "role title", "added active", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "kw3recepten", "domainname0", "searchbox0", "kw1brinta", "kw2muesli", "indicator role", "title added", "pulses url", "cve cve20170147", "apple", "apple id" ], "references": [ "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://bhive.nectar.social/rKvoMY", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Domains Contacted api.nuget.org", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.fidelity.com/ https://www.fidelity.com/", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://www.anyxxxtube.net/search-porn/", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://bhive.nectar.social/rKvoMY", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "http://appleid.app", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64:Trojan-gen", "display_name": "Win64:Trojan-gen", "target": null }, { "id": "Trojan:MSIL/Ursu.KP", "display_name": "Trojan:MSIL/Ursu.KP", "target": "/malware/Trojan:MSIL/Ursu.KP" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "target": null }, { "id": "Trojan:PDF/Phish.RR!MTB", "display_name": "Trojan:PDF/Phish.RR!MTB", "target": "/malware/Trojan:PDF/Phish.RR!MTB" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": ": ALF:Trojan:MSIL/Azorult.AC!", "display_name": ": ALF:Trojan:MSIL/Azorult.AC!", "target": null }, { "id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "target": null }, { "id": "Trojan:Win32/Conbea!rfn", "display_name": "Trojan:Win32/Conbea!rfn", "target": "/malware/Trojan:Win32/Conbea!rfn" }, { "id": "Trojan:Win32/Ausiv!rfn", "display_name": "Trojan:Win32/Ausiv!rfn", "target": "/malware/Trojan:Win32/Ausiv!rfn" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "target": null }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "TrojanDropper:Win32/Qhost", "display_name": "TrojanDropper:Win32/Qhost", "target": "/malware/TrojanDropper:Win32/Qhost" }, { "id": "Trojan:Win32/Miner.KA!MTB", "display_name": "Trojan:Win32/Miner.KA!MTB", "target": "/malware/Trojan:Win32/Miner.KA!MTB" }, { "id": "DNSTrojan", "display_name": "DNSTrojan", "target": null }, { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Finance", "Insurance" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2793, "URL": 6639, "FileHash-SHA256": 2462, "domain": 1070, "FileHash-MD5": 307, "FileHash-SHA1": 186, "SSLCertFingerprint": 1, "email": 1, "CVE": 3 }, "indicator_count": 13462, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b61e16cea7624a6606a69", "name": "For Later", "description": "***", "modified": "2025-11-17T18:46:19.094000", "created": "2025-11-17T17:56:49.875000", "tags": [ "wormhole", "want", "sign", "submit send", "copy", "share show", "report delete", "faq roadmap", "security legal", "twitter discord", "protected" ], "references": [ "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 72127, "hostname": 16700, "URL": 50 }, "indicator_count": 88877, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e9c8e63a72c7cb531a58ba", "name": "08.09.24 URLscanio 2 weeks.csv", "description": "", "modified": "2025-10-25T02:09:23.619000", "created": "2024-09-17T18:22:30.731000", "tags": [], "references": [ "https://x.com/NorrisN60014/status/1836092481978486802", "https://x.com/NorrisN60014/status/1836092481978486802", "https://www.hybrid-analysis.com/sample/a4f03d9a35524a7c0596777ea2b1fe5d98161b2462435e6056e4e39eb869396d/66e9ae1eb806d5b3300b842f", "https://viz.greynoise.io/analysis/79a3ab55-982c-4fb7-9952-abde6f1219c2", "https://www.filescan.io/uploads/66e9b5494a48170ff00c8102/reports", "https://report.netcraft.com/submission/9R7KbGQKOvzU9GBdraRBpUJ4C", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 6, "URL": 1074, "domain": 1530, "email": 2, "hostname": 2849 }, "indicator_count": 5464, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f235b9a7a94a6a61acd651", "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan", "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.", "modified": "2025-03-07T08:38:08.584000", "created": "2024-09-24T03:44:57.902000", "tags": [ "geoip", "public url", "as16509", "amazon02", "as20940", "akamaiasn1", "as8075", "as15169", "google", "akamaias", "facebook", "telecom", "twitter", "media", "win64", "level3", "mini", "ukraine", "proton", "ghost", "win32", "cuba", "mexico", "indonesia", "seznam", "as3359", "as852" ], "references": [ "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://n0paste.eu/UH6n5pD/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Anguilla", "Poland", "Aruba", "Australia", "Barbados", "Costa Rica", "Guatemala", "Philippines", "Panama", "Sint Maarten (Dutch part)", "Saint Martin (French part)", "Cayman Islands", "Cura\u00e7ao", "Mexico", "Saint Vincent and the Grenadines", "Saint Kitts and Nevis", "Tanzania, United Republic of", "Netherlands", "Ukraine", "Trinidad and Tobago", "Japan", "Bahamas", "United Kingdom of Great Britain and Northern Ireland", "Georgia" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "CIDR": 1186, "CVE": 4, "FileHash-MD5": 29, "FileHash-SHA1": 3, "URL": 25493, "domain": 5396, "email": 10, "hostname": 10770 }, "indicator_count": 42892, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "450 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e6547f22d43d6d149cac7a", "name": "RedCap Abuse | The 1st Pulse was deleted from OTX . AlienVault", "description": "Another example of target working with a hacker impersonating some7he.sje was not. The hackers had the perfect opportunity to stay attached to Dropbox, photos. microphone and highlighted heavily targets location. || Target was suspicious about several issues related to pair. Hacker has only one piece of equipment for project. Target basically had to give him all , tips, cues and direction for project. If this Pulse is deleted I don't know what to think.", "modified": "2024-10-15T02:02:53.504000", "created": "2024-09-15T03:29:03.699000", "tags": [ "urls", "passive dns", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "process32nextw", "intel", "ms windows", "united", "pe32", "search", "module load", "t1129", "read c", "default", "path", "write", "malware", "copy", "win32", "suspicious", "unknown", "united kingdom", "set cookie", "as43350 nforce", "script urls", "as55286", "status", "cookie", "trojan", "template", "showing", "entries", "body", "ransom", "meta", "a div", "div div", "ipv4", "script script", "as16276", "france unknown", "link", "span a", "span span", "span", "class", "pragma", "servers", "creation date", "emails", "domain", "expiration date", "cname", "aaaa", "certificate", "lowfitrojan", "hstr", "jsauto25 jun", "pm lowfitrojan", "related pulses", "file samples", "files matching", "show", "endpoints all", "trojan features", "date hash", "as15169 google", "as44273 host", "september", "de indicators", "domains", "hashes", "dynamicloader", "yara detections", "enigmaprotector", "high", "bios", "dynamic", "filehash", "yaxpax", "yapaxi", "zp6axi0", "cuckoo", "name servers", "domains ii", "for privacy", "redacted for", "next", "domain address", "alienvault name", "server", "flag", "contacted hosts", "process details", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata", "overview ip", "address", "files location", "flag united", "hostname", "files domain", "months ago", "created", "email", "modified", "filehashsha1", "filehashsha256", "white cve", "cyber", "xamzexpires300", "twitter", "xor ddos", "xorddos", "hacktool", "bazaarloader", "redcap", "formbook", "locky", "lockbit", "ransomware", "target", "ebury", "virustotal", "crypter", "shadowpad", "corrupt", "cryptor", "android", "xrat", "xtrat", "malicious", "honeypot", "fraud", "already", "behav", "ragnar locker", "swipper", "n\u2205 ip", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "execution", "dock", "persistence", "august", "asnone bulgaria", "sales", "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "whois lookups", "dnssec", "domain name", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "date", "dns replication", "record type", "ttl value", "msms33388520", "data", "cus starizona", "cngo daddy", "authority", "g2 validity" ], "references": [ "TrojanSpy:Win32/Nivdort.DE", "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn: FileHash-SHA256 00018d13f451300fb839123dfbf2d8607da0e7b1c89ae1bfbb9946ac79c1663c", "IDS Detections: Win32/Unruy Rogue Search Host Observed 1", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts: nids_malware_alert network_icmp persistence_autorun" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "ALF:Trojan:Win32/Cassini_ade36583", "display_name": "ALF:Trojan:Win32/Cassini_ade36583", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "target": null }, { "id": "Ransom:Win32/Wannaren", "display_name": "Ransom:Win32/Wannaren", "target": "/malware/Ransom:Win32/Wannaren" }, { "id": "#LowfiTrojan:JS/Auto25", "display_name": "#LowfiTrojan:JS/Auto25", "target": "/malware/#LowfiTrojan:JS/Auto25" }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "target": null }, { "id": "Win.Packed.XtremeRAT-9837419-0", "display_name": "Win.Packed.XtremeRAT-9837419-0", "target": null }, { "id": "Win.Packed.Kelios-10023944-0", "display_name": "Win.Packed.Kelios-10023944-0", "target": null }, { "id": "Win.Trojan.Unruy-5885", "display_name": "Win.Trojan.Unruy-5885", "target": null }, { "id": "Ebury", "display_name": "Ebury", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Swipper", "display_name": "Swipper", "target": null }, { "id": "N\u2205 IP", "display_name": "N\u2205 IP", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4315, "FileHash-MD5": 573, "FileHash-SHA1": 550, "FileHash-SHA256": 4114, "domain": 4757, "hostname": 2075, "SSLCertFingerprint": 5, "email": 14, "CIDR": 1 }, "indicator_count": 16404, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b0fa3624bf0384e427f2e7", "name": "Tracking Domains 4.2 - 08.19.24", "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 suggests IOCs by AlienVault\nFrom VT: 2 IPs hosted by 45090 (Shenzhen Tencent Computer Systems Company Limited) & 4611 (CNNIC member) seem to be the problem here 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (Respectively)", "modified": "2024-09-04T15:01:01.432000", "created": "2024-08-05T16:13:42.563000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph", "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark", "https://viz.greynoise.io/query/AS4611", "https://urlscan.io/asn/AS4611", "https://urlscan.io/search/#asn:%22AS4611%22", "https://urlscan.io/asn/AS45090", "https://urlscan.io/search/#asn%3A%22AS45090%22", "https://viz.greynoise.io/query/AS45090", "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions", "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour", "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)", "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6180, "FileHash-MD5": 1, "domain": 24921, "URL": 10854 }, "indicator_count": 41956, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "aa.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "aa.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780256611.8758774 }