{
  "type": "Domain",
  "indicator": "accessprivatecloud.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/accessprivatecloud.com",
    "alexa": "http://www.alexa.com/siteinfo/accessprivatecloud.com",
    "indicator": "accessprivatecloud.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3144250062,
      "indicator": "accessprivatecloud.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "686ab98ff0cb9baa4e2b2000",
          "name": "https://house.mo.gov/ Palantir Technologies HARMFUL (copied  OctoseekPulse)  Attacks SA victims?",
          "description": "",
          "modified": "2025-08-05T21:02:46.419000",
          "created": "2025-07-06T17:59:43.440000",
          "tags": [
            "runtime process",
            "localappdata",
            "size",
            "sha256",
            "sha1",
            "temp",
            "prefetch8",
            "prefetch1",
            "unicode text",
            "type data",
            "hybrid",
            "general",
            "click",
            "strings",
            "contact",
            "mitre",
            "writes a pe file header to disc",
            "show process",
            "date",
            "document file",
            "v2 document",
            "ascii text",
            "malicious",
            "local",
            "path",
            "found",
            "ssl certificate",
            "whois record",
            "threat roundup",
            "contacted",
            "october",
            "resolutions",
            "apple ios",
            "referrer",
            "communicating",
            "execution",
            "june",
            "august",
            "emotet",
            "qakbot",
            "agent tesla",
            "azorult",
            "core",
            "maze",
            "metro",
            "dark",
            "team",
            "critical",
            "copy",
            "awful",
            "ursnif",
            "hacktool",
            "info",
            "qbot",
            "april",
            "njrat",
            "nokoyawa",
            "djvu",
            "flubot",
            "ransomware",
            "bandit stealer",
            "hallrender",
            "spyware",
            "safebae",
            "tsara brashears",
            "westlaw",
            "river.rocks",
            "brian sabey",
            "targeting",
            "dnspionage",
            "united",
            "unknown",
            "search",
            "aaaa",
            "showing",
            "domain",
            "creation date",
            "record value",
            "dnssec",
            "body",
            "passive dns",
            "encrypt",
            "as14061",
            "germany unknown",
            "as397240",
            "gmt server",
            "443 ma2592000",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "main",
            "installing",
            "as16276",
            "france unknown",
            "name servers",
            "as8075",
            "servers",
            "next",
            "as63949 linode",
            "as206834 team",
            "canada unknown",
            "status",
            "as61969 team",
            "msie",
            "chrome",
            "ransom",
            "gone",
            "title",
            "head body",
            "malware"
          ],
          "references": [
            "\u2193\u2192Found in: https://house.mo.gov/\u2193",
            "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/",
            "demo.auth.civicalg.com.sni.cloudflaressl.com",
            "happyrabbit.kr [Apple iOS threat]",
            "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz",
            "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022",
            "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639",
            "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join",
            "http://nudeteenporn.site"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Nokoyawa Ransomware",
              "display_name": "Nokoyawa Ransomware",
              "target": null
            },
            {
              "id": "Bandit Stealer",
              "display_name": "Bandit Stealer",
              "target": null
            },
            {
              "id": "FluBot",
              "display_name": "FluBot",
              "target": null
            },
            {
              "id": "Agent Tesla",
              "display_name": "Agent Tesla",
              "target": null
            },
            {
              "id": "QBot",
              "display_name": "QBot",
              "target": null
            },
            {
              "id": "QakBot",
              "display_name": "QakBot",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            },
            {
              "id": "AZORult",
              "display_name": "AZORult",
              "target": null
            },
            {
              "id": "Djvu",
              "display_name": "Djvu",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "Maze",
              "display_name": "Maze",
              "target": null
            },
            {
              "id": "Dark",
              "display_name": "Dark",
              "target": null
            },
            {
              "id": "NjRAT",
              "display_name": "NjRAT",
              "target": null
            },
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1065",
              "name": "Uncommonly Used Port",
              "display_name": "T1065 - Uncommonly Used Port"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65c96df8fe0657d56a206a49",
          "export_count": 42,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 251,
            "FileHash-SHA1": 211,
            "FileHash-SHA256": 3226,
            "domain": 1867,
            "URL": 10030,
            "hostname": 2919,
            "CVE": 7,
            "email": 6
          },
          "indicator_count": 18517,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "257 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65d167a8cf2e7966af16a671",
          "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified",
          "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus  government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.",
          "modified": "2024-03-18T21:03:15.841000",
          "created": "2024-02-18T02:12:56.143000",
          "tags": [
            "ssl certificate",
            "resolutions",
            "communicating",
            "historical ssl",
            "referrer",
            "united",
            "unknown",
            "passive dns",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "win32",
            "body",
            "read c",
            "write c",
            "show",
            "delete",
            "msie",
            "windows nt",
            "search",
            "read",
            "write",
            "default",
            "malware",
            "copy",
            "contacted",
            "execution",
            "contacted urls",
            "whois sslcert",
            "emotet",
            "creation date",
            "meta",
            "cookie",
            "pragma",
            "mozilla",
            "ms windows",
            "intel",
            "regsetvalueexa",
            "nsisinetc",
            "pe32",
            "class",
            "persistence",
            "code",
            "explorer",
            "toolbar",
            "next",
            "self",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "httponly",
            "html info",
            "us citizenship",
            "meta tags",
            "citizenship",
            "immigration",
            "trackers new",
            "relic na",
            "utc google",
            "tag manager",
            "gtm5h8hdq3",
            "ids detections",
            "title",
            "date",
            "entries",
            "content type",
            "a domains",
            "gmt server",
            "apache x",
            "path",
            "win32dh",
            "as46606",
            "slcc2",
            "media center",
            "temple",
            "port",
            "destination",
            "as29873 newfold",
            "digital",
            "as15169 google",
            "otx telemetry",
            "trojandropper",
            "trojan",
            "backdoor",
            "wabot",
            "apanas",
            "south korea",
            "as9318 sk",
            "as3786 lg",
            "china as4134",
            "get hello",
            "as4766 korea",
            "dlink router",
            "dsl2750b rce",
            "exploit",
            "mirai",
            "as21928",
            "china as4837",
            "gafgyt",
            "strings",
            "high priority",
            "pulses",
            "related tags",
            "file type",
            "sysv",
            "external",
            "virustotal",
            "as39962 pretecs",
            "canada unknown",
            "moved",
            "present dec",
            "server",
            "lifeweb server",
            "lifeweb",
            "encrypt",
            "accept",
            "malware infection",
            "yara detections",
            "icmp traffic",
            "top source",
            "top destination",
            "source source",
            "policy http",
            "client body",
            "wordpress login",
            "brain sabey",
            "hall render",
            "government",
            "https://myaccount.uscis.gov/",
            "attempted brute forcing",
            "remote handler",
            "junk data stuffing",
            "cyber threat",
            "human rights threat",
            "basic human rights",
            "collision",
            "collusion",
            "cultureneutral",
            "et trojan",
            "known hostile",
            "etpro trojan",
            "possible virut",
            "error",
            "stream",
            "vitro",
            "delphi",
            "form",
            "canvas"
          ],
          "references": [
            "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022",
            "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/",
            "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331",
            "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine",
            "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection",
            "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com",
            "Yara Detections: GlassesCode"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Ireland",
            "Cyprus",
            "Sweden",
            "Australia",
            "Canada",
            "Hong Kong",
            "India",
            "Japan"
          ],
          "malware_families": [
            {
              "id": "Win.Trojan.6977536-1",
              "display_name": "Win.Trojan.6977536-1",
              "target": null
            },
            {
              "id": "Nebuler/Dialer.qn",
              "display_name": "Nebuler/Dialer.qn",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "NSIS",
              "display_name": "NSIS",
              "target": null
            },
            {
              "id": "Win32/DH{gVIJAw?}",
              "display_name": "Win32/DH{gVIJAw?}",
              "target": null
            },
            {
              "id": "ELF:DDoS-Y\\ [Trj]",
              "display_name": "ELF:DDoS-Y\\ [Trj]",
              "target": null
            },
            {
              "id": "DDoS:Linux/Mirai",
              "display_name": "DDoS:Linux/Mirai",
              "target": "/malware/DDoS:Linux/Mirai"
            },
            {
              "id": "Trojan:Win32/Tinba!rfn",
              "display_name": "Trojan:Win32/Tinba!rfn",
              "target": "/malware/Trojan:Win32/Tinba!rfn"
            },
            {
              "id": "Win32:Emotet-AI\\ [Trj]",
              "display_name": "Win32:Emotet-AI\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Trojan.Generic-6333842-0",
              "display_name": "Win.Trojan.Generic-6333842-0",
              "target": null
            },
            {
              "id": "Win32/CMSBrute/Pifagor",
              "display_name": "Win32/CMSBrute/Pifagor",
              "target": null
            },
            {
              "id": "Win32:Trojan-gen",
              "display_name": "Win32:Trojan-gen",
              "target": null
            },
            {
              "id": "Win32:Vitro",
              "display_name": "Win32:Vitro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1081",
              "name": "Credentials in Files",
              "display_name": "T1081 - Credentials in Files"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Civil Society"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 7636,
            "URL": 4080,
            "domain": 3917,
            "hostname": 1617,
            "FileHash-MD5": 1284,
            "FileHash-SHA1": 1213,
            "SSLCertFingerprint": 3,
            "CVE": 1
          },
          "indicator_count": 19751,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 234,
          "modified_text": "762 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65d167a9c59fe757dc56b395",
          "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified",
          "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus  government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.",
          "modified": "2024-03-18T21:03:15.841000",
          "created": "2024-02-18T02:12:57.917000",
          "tags": [
            "ssl certificate",
            "resolutions",
            "communicating",
            "historical ssl",
            "referrer",
            "united",
            "unknown",
            "passive dns",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "win32",
            "body",
            "read c",
            "write c",
            "show",
            "delete",
            "msie",
            "windows nt",
            "search",
            "read",
            "write",
            "default",
            "malware",
            "copy",
            "contacted",
            "execution",
            "contacted urls",
            "whois sslcert",
            "emotet",
            "creation date",
            "meta",
            "cookie",
            "pragma",
            "mozilla",
            "ms windows",
            "intel",
            "regsetvalueexa",
            "nsisinetc",
            "pe32",
            "class",
            "persistence",
            "code",
            "explorer",
            "toolbar",
            "next",
            "self",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "httponly",
            "html info",
            "us citizenship",
            "meta tags",
            "citizenship",
            "immigration",
            "trackers new",
            "relic na",
            "utc google",
            "tag manager",
            "gtm5h8hdq3",
            "ids detections",
            "title",
            "date",
            "entries",
            "content type",
            "a domains",
            "gmt server",
            "apache x",
            "path",
            "win32dh",
            "as46606",
            "slcc2",
            "media center",
            "temple",
            "port",
            "destination",
            "as29873 newfold",
            "digital",
            "as15169 google",
            "otx telemetry",
            "trojandropper",
            "trojan",
            "backdoor",
            "wabot",
            "apanas",
            "south korea",
            "as9318 sk",
            "as3786 lg",
            "china as4134",
            "get hello",
            "as4766 korea",
            "dlink router",
            "dsl2750b rce",
            "exploit",
            "mirai",
            "as21928",
            "china as4837",
            "gafgyt",
            "strings",
            "high priority",
            "pulses",
            "related tags",
            "file type",
            "sysv",
            "external",
            "virustotal",
            "as39962 pretecs",
            "canada unknown",
            "moved",
            "present dec",
            "server",
            "lifeweb server",
            "lifeweb",
            "encrypt",
            "accept",
            "malware infection",
            "yara detections",
            "icmp traffic",
            "top source",
            "top destination",
            "source source",
            "policy http",
            "client body",
            "wordpress login",
            "brain sabey",
            "hall render",
            "government",
            "https://myaccount.uscis.gov/",
            "attempted brute forcing",
            "remote handler",
            "junk data stuffing",
            "cyber threat",
            "human rights threat",
            "basic human rights",
            "collision",
            "collusion",
            "cultureneutral",
            "et trojan",
            "known hostile",
            "etpro trojan",
            "possible virut",
            "error",
            "stream",
            "vitro",
            "delphi",
            "form",
            "canvas"
          ],
          "references": [
            "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022",
            "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/",
            "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331",
            "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine",
            "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection",
            "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com",
            "Yara Detections: GlassesCode"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Ireland",
            "Cyprus",
            "Sweden",
            "Australia",
            "Canada",
            "Hong Kong",
            "India",
            "Japan"
          ],
          "malware_families": [
            {
              "id": "Win.Trojan.6977536-1",
              "display_name": "Win.Trojan.6977536-1",
              "target": null
            },
            {
              "id": "Nebuler/Dialer.qn",
              "display_name": "Nebuler/Dialer.qn",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "NSIS",
              "display_name": "NSIS",
              "target": null
            },
            {
              "id": "Win32/DH{gVIJAw?}",
              "display_name": "Win32/DH{gVIJAw?}",
              "target": null
            },
            {
              "id": "ELF:DDoS-Y\\ [Trj]",
              "display_name": "ELF:DDoS-Y\\ [Trj]",
              "target": null
            },
            {
              "id": "DDoS:Linux/Mirai",
              "display_name": "DDoS:Linux/Mirai",
              "target": "/malware/DDoS:Linux/Mirai"
            },
            {
              "id": "Trojan:Win32/Tinba!rfn",
              "display_name": "Trojan:Win32/Tinba!rfn",
              "target": "/malware/Trojan:Win32/Tinba!rfn"
            },
            {
              "id": "Win32:Emotet-AI\\ [Trj]",
              "display_name": "Win32:Emotet-AI\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Trojan.Generic-6333842-0",
              "display_name": "Win.Trojan.Generic-6333842-0",
              "target": null
            },
            {
              "id": "Win32/CMSBrute/Pifagor",
              "display_name": "Win32/CMSBrute/Pifagor",
              "target": null
            },
            {
              "id": "Win32:Trojan-gen",
              "display_name": "Win32:Trojan-gen",
              "target": null
            },
            {
              "id": "Win32:Vitro",
              "display_name": "Win32:Vitro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1081",
              "name": "Credentials in Files",
              "display_name": "T1081 - Credentials in Files"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Civil Society"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 7636,
            "URL": 4080,
            "domain": 3917,
            "hostname": 1617,
            "FileHash-MD5": 1284,
            "FileHash-SHA1": 1213,
            "SSLCertFingerprint": 3,
            "CVE": 1
          },
          "indicator_count": 19751,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 234,
          "modified_text": "762 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65d3ae057e25854811cc1395",
          "name": "Mirai \u2022 Injection VT & AlienVault reports deleted & modified",
          "description": "",
          "modified": "2024-03-18T21:03:15.841000",
          "created": "2024-02-19T19:37:41.208000",
          "tags": [
            "ssl certificate",
            "resolutions",
            "communicating",
            "historical ssl",
            "referrer",
            "united",
            "unknown",
            "passive dns",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "win32",
            "body",
            "read c",
            "write c",
            "show",
            "delete",
            "msie",
            "windows nt",
            "search",
            "read",
            "write",
            "default",
            "malware",
            "copy",
            "contacted",
            "execution",
            "contacted urls",
            "whois sslcert",
            "emotet",
            "creation date",
            "meta",
            "cookie",
            "pragma",
            "mozilla",
            "ms windows",
            "intel",
            "regsetvalueexa",
            "nsisinetc",
            "pe32",
            "class",
            "persistence",
            "code",
            "explorer",
            "toolbar",
            "next",
            "self",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "httponly",
            "html info",
            "us citizenship",
            "meta tags",
            "citizenship",
            "immigration",
            "trackers new",
            "relic na",
            "utc google",
            "tag manager",
            "gtm5h8hdq3",
            "ids detections",
            "title",
            "date",
            "entries",
            "content type",
            "a domains",
            "gmt server",
            "apache x",
            "path",
            "win32dh",
            "as46606",
            "slcc2",
            "media center",
            "temple",
            "port",
            "destination",
            "as29873 newfold",
            "digital",
            "as15169 google",
            "otx telemetry",
            "trojandropper",
            "trojan",
            "backdoor",
            "wabot",
            "apanas",
            "south korea",
            "as9318 sk",
            "as3786 lg",
            "china as4134",
            "get hello",
            "as4766 korea",
            "dlink router",
            "dsl2750b rce",
            "exploit",
            "mirai",
            "as21928",
            "china as4837",
            "gafgyt",
            "strings",
            "high priority",
            "pulses",
            "related tags",
            "file type",
            "sysv",
            "external",
            "virustotal",
            "as39962 pretecs",
            "canada unknown",
            "moved",
            "present dec",
            "server",
            "lifeweb server",
            "lifeweb",
            "encrypt",
            "accept",
            "malware infection",
            "yara detections",
            "icmp traffic",
            "top source",
            "top destination",
            "source source",
            "policy http",
            "client body",
            "wordpress login",
            "brain sabey",
            "hall render",
            "government",
            "https://myaccount.uscis.gov/",
            "attempted brute forcing",
            "remote handler",
            "junk data stuffing",
            "cyber threat",
            "human rights threat",
            "basic human rights",
            "collision",
            "collusion",
            "cultureneutral",
            "et trojan",
            "known hostile",
            "etpro trojan",
            "possible virut",
            "error",
            "stream",
            "vitro",
            "delphi",
            "form",
            "canvas"
          ],
          "references": [
            "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022",
            "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/",
            "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331",
            "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine",
            "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection",
            "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com",
            "Yara Detections: GlassesCode"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Ireland",
            "Cyprus",
            "Sweden",
            "Australia",
            "Canada",
            "Hong Kong",
            "India",
            "Japan"
          ],
          "malware_families": [
            {
              "id": "Win.Trojan.6977536-1",
              "display_name": "Win.Trojan.6977536-1",
              "target": null
            },
            {
              "id": "Nebuler/Dialer.qn",
              "display_name": "Nebuler/Dialer.qn",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "NSIS",
              "display_name": "NSIS",
              "target": null
            },
            {
              "id": "Win32/DH{gVIJAw?}",
              "display_name": "Win32/DH{gVIJAw?}",
              "target": null
            },
            {
              "id": "ELF:DDoS-Y\\ [Trj]",
              "display_name": "ELF:DDoS-Y\\ [Trj]",
              "target": null
            },
            {
              "id": "DDoS:Linux/Mirai",
              "display_name": "DDoS:Linux/Mirai",
              "target": "/malware/DDoS:Linux/Mirai"
            },
            {
              "id": "Trojan:Win32/Tinba!rfn",
              "display_name": "Trojan:Win32/Tinba!rfn",
              "target": "/malware/Trojan:Win32/Tinba!rfn"
            },
            {
              "id": "Win32:Emotet-AI\\ [Trj]",
              "display_name": "Win32:Emotet-AI\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Trojan.Generic-6333842-0",
              "display_name": "Win.Trojan.Generic-6333842-0",
              "target": null
            },
            {
              "id": "Win32/CMSBrute/Pifagor",
              "display_name": "Win32/CMSBrute/Pifagor",
              "target": null
            },
            {
              "id": "Win32:Trojan-gen",
              "display_name": "Win32:Trojan-gen",
              "target": null
            },
            {
              "id": "Win32:Vitro",
              "display_name": "Win32:Vitro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1081",
              "name": "Credentials in Files",
              "display_name": "T1081 - Credentials in Files"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Civil Society"
          ],
          "TLP": "white",
          "cloned_from": "65d167a9c59fe757dc56b395",
          "export_count": 40,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 7636,
            "URL": 4080,
            "domain": 3917,
            "hostname": 1617,
            "FileHash-MD5": 1284,
            "FileHash-SHA1": 1213,
            "SSLCertFingerprint": 3,
            "CVE": 1
          },
          "indicator_count": 19751,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "762 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c96df8fe0657d56a206a49",
          "name": "Nokoyawa Ransomware - https://house.mo.gov/",
          "description": "Cyber attack including Pegasus found in https://house.mo.gov/\nThis Observed links: dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/Appears to attacking with heightened privilege escalation.\nLinks originated from https://safebae.org attack,  various Westlaw links and links attacking a private citizen. HallRender is malware hosting domain featuring an aggressive  'Brian Sabey' representing self as attorney protecting white collar individuals accused of SA is attacker. Boldly contacts victims via mail, email, phone, text, invites, personal invitations to office. \n\nFront facing https://safebae.org, a 'tribute' domain may mention alleged SA victim Daisy Coleman. Research confirms no mention of 'Daisy' safebae is filled with cyber bullying toolkit; ransomware.csv, tracking, westlaw, tagging tools, pornhub, rallypoint,  adult malvertizing content targeting a Colorado SA victim. \nIt's all very real but so unbelievable. Malware spreading, cyberthreat",
          "modified": "2024-03-13T00:02:54.335000",
          "created": "2024-02-12T01:01:44.323000",
          "tags": [
            "runtime process",
            "localappdata",
            "size",
            "sha256",
            "sha1",
            "temp",
            "prefetch8",
            "prefetch1",
            "unicode text",
            "type data",
            "hybrid",
            "general",
            "click",
            "strings",
            "contact",
            "mitre",
            "writes a pe file header to disc",
            "show process",
            "date",
            "document file",
            "v2 document",
            "ascii text",
            "malicious",
            "local",
            "path",
            "found",
            "ssl certificate",
            "whois record",
            "threat roundup",
            "contacted",
            "october",
            "resolutions",
            "apple ios",
            "referrer",
            "communicating",
            "execution",
            "june",
            "august",
            "emotet",
            "qakbot",
            "agent tesla",
            "azorult",
            "core",
            "maze",
            "metro",
            "dark",
            "team",
            "critical",
            "copy",
            "awful",
            "ursnif",
            "hacktool",
            "info",
            "qbot",
            "april",
            "njrat",
            "nokoyawa",
            "djvu",
            "flubot",
            "ransomware",
            "bandit stealer",
            "hallrender",
            "spyware",
            "safebae",
            "tsara brashears",
            "westlaw",
            "river.rocks",
            "brian sabey",
            "targeting",
            "dnspionage",
            "united",
            "unknown",
            "search",
            "aaaa",
            "showing",
            "domain",
            "creation date",
            "record value",
            "dnssec",
            "body",
            "passive dns",
            "encrypt",
            "as14061",
            "germany unknown",
            "as397240",
            "gmt server",
            "443 ma2592000",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "main",
            "installing",
            "as16276",
            "france unknown",
            "name servers",
            "as8075",
            "servers",
            "next",
            "as63949 linode",
            "as206834 team",
            "canada unknown",
            "status",
            "as61969 team",
            "msie",
            "chrome",
            "ransom",
            "gone",
            "title",
            "head body",
            "malware"
          ],
          "references": [
            "\u2193\u2192Found in: https://house.mo.gov/\u2193",
            "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/",
            "demo.auth.civicalg.com.sni.cloudflaressl.com",
            "happyrabbit.kr [Apple iOS threat]",
            "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz",
            "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022",
            "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639",
            "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join",
            "http://nudeteenporn.site"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Nokoyawa Ransomware",
              "display_name": "Nokoyawa Ransomware",
              "target": null
            },
            {
              "id": "Bandit Stealer",
              "display_name": "Bandit Stealer",
              "target": null
            },
            {
              "id": "FluBot",
              "display_name": "FluBot",
              "target": null
            },
            {
              "id": "Agent Tesla",
              "display_name": "Agent Tesla",
              "target": null
            },
            {
              "id": "QBot",
              "display_name": "QBot",
              "target": null
            },
            {
              "id": "QakBot",
              "display_name": "QakBot",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            },
            {
              "id": "AZORult",
              "display_name": "AZORult",
              "target": null
            },
            {
              "id": "Djvu",
              "display_name": "Djvu",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "Maze",
              "display_name": "Maze",
              "target": null
            },
            {
              "id": "Dark",
              "display_name": "Dark",
              "target": null
            },
            {
              "id": "NjRAT",
              "display_name": "NjRAT",
              "target": null
            },
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1065",
              "name": "Uncommonly Used Port",
              "display_name": "T1065 - Uncommonly Used Port"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 48,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 194,
            "FileHash-SHA1": 191,
            "FileHash-SHA256": 2376,
            "domain": 1414,
            "URL": 4388,
            "hostname": 1699,
            "CVE": 4,
            "email": 5
          },
          "indicator_count": 10271,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 223,
          "modified_text": "768 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com",
        "http://nudeteenporn.site",
        "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022",
        "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine",
        "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331",
        "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/",
        "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz",
        "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/",
        "\u2193\u2192Found in: https://house.mo.gov/\u2193",
        "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection",
        "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022",
        "happyrabbit.kr [Apple iOS threat]",
        "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join",
        "Yara Detections: GlassesCode",
        "demo.auth.civicalg.com.sni.cloudflaressl.com",
        "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Ddos:linux/mirai",
            "Dark",
            "Win32/cmsbrute/pifagor",
            "Qbot",
            "Win32:trojan-gen",
            "Agent tesla",
            "Hallrender",
            "Win.trojan.6977536-1",
            "Win32:vitro",
            "Njrat",
            "Win.trojan.generic-6333842-0",
            "Win32:emotet-ai\\ [trj]",
            "Ursnif",
            "Azorult",
            "Et",
            "Flubot",
            "Nsis",
            "Nebuler/dialer.qn",
            "Qakbot",
            "Win32/dh{gvijaw?}",
            "Hacktool",
            "Elf:ddos-y\\ [trj]",
            "Trojan:win32/tinba!rfn",
            "Bandit stealer",
            "Nokoyawa ransomware",
            "Tulach",
            "Maze",
            "Emotet",
            "Djvu"
          ],
          "industries": [
            "Civil society"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "686ab98ff0cb9baa4e2b2000",
      "name": "https://house.mo.gov/ Palantir Technologies HARMFUL (copied  OctoseekPulse)  Attacks SA victims?",
      "description": "",
      "modified": "2025-08-05T21:02:46.419000",
      "created": "2025-07-06T17:59:43.440000",
      "tags": [
        "runtime process",
        "localappdata",
        "size",
        "sha256",
        "sha1",
        "temp",
        "prefetch8",
        "prefetch1",
        "unicode text",
        "type data",
        "hybrid",
        "general",
        "click",
        "strings",
        "contact",
        "mitre",
        "writes a pe file header to disc",
        "show process",
        "date",
        "document file",
        "v2 document",
        "ascii text",
        "malicious",
        "local",
        "path",
        "found",
        "ssl certificate",
        "whois record",
        "threat roundup",
        "contacted",
        "october",
        "resolutions",
        "apple ios",
        "referrer",
        "communicating",
        "execution",
        "june",
        "august",
        "emotet",
        "qakbot",
        "agent tesla",
        "azorult",
        "core",
        "maze",
        "metro",
        "dark",
        "team",
        "critical",
        "copy",
        "awful",
        "ursnif",
        "hacktool",
        "info",
        "qbot",
        "april",
        "njrat",
        "nokoyawa",
        "djvu",
        "flubot",
        "ransomware",
        "bandit stealer",
        "hallrender",
        "spyware",
        "safebae",
        "tsara brashears",
        "westlaw",
        "river.rocks",
        "brian sabey",
        "targeting",
        "dnspionage",
        "united",
        "unknown",
        "search",
        "aaaa",
        "showing",
        "domain",
        "creation date",
        "record value",
        "dnssec",
        "body",
        "passive dns",
        "encrypt",
        "as14061",
        "germany unknown",
        "as397240",
        "gmt server",
        "443 ma2592000",
        "scan endpoints",
        "all octoseek",
        "ipv4",
        "pulse pulses",
        "urls",
        "files",
        "main",
        "installing",
        "as16276",
        "france unknown",
        "name servers",
        "as8075",
        "servers",
        "next",
        "as63949 linode",
        "as206834 team",
        "canada unknown",
        "status",
        "as61969 team",
        "msie",
        "chrome",
        "ransom",
        "gone",
        "title",
        "head body",
        "malware"
      ],
      "references": [
        "\u2193\u2192Found in: https://house.mo.gov/\u2193",
        "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/",
        "demo.auth.civicalg.com.sni.cloudflaressl.com",
        "happyrabbit.kr [Apple iOS threat]",
        "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz",
        "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022",
        "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639",
        "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join",
        "http://nudeteenporn.site"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Nokoyawa Ransomware",
          "display_name": "Nokoyawa Ransomware",
          "target": null
        },
        {
          "id": "Bandit Stealer",
          "display_name": "Bandit Stealer",
          "target": null
        },
        {
          "id": "FluBot",
          "display_name": "FluBot",
          "target": null
        },
        {
          "id": "Agent Tesla",
          "display_name": "Agent Tesla",
          "target": null
        },
        {
          "id": "QBot",
          "display_name": "QBot",
          "target": null
        },
        {
          "id": "QakBot",
          "display_name": "QakBot",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        },
        {
          "id": "AZORult",
          "display_name": "AZORult",
          "target": null
        },
        {
          "id": "Djvu",
          "display_name": "Djvu",
          "target": null
        },
        {
          "id": "HackTool",
          "display_name": "HackTool",
          "target": null
        },
        {
          "id": "Maze",
          "display_name": "Maze",
          "target": null
        },
        {
          "id": "Dark",
          "display_name": "Dark",
          "target": null
        },
        {
          "id": "NjRAT",
          "display_name": "NjRAT",
          "target": null
        },
        {
          "id": "HallRender",
          "display_name": "HallRender",
          "target": null
        },
        {
          "id": "Tulach",
          "display_name": "Tulach",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1065",
          "name": "Uncommonly Used Port",
          "display_name": "T1065 - Uncommonly Used Port"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "65c96df8fe0657d56a206a49",
      "export_count": 42,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 251,
        "FileHash-SHA1": 211,
        "FileHash-SHA256": 3226,
        "domain": 1867,
        "URL": 10030,
        "hostname": 2919,
        "CVE": 7,
        "email": 6
      },
      "indicator_count": 18517,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "257 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65d167a8cf2e7966af16a671",
      "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified",
      "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulses, VirusTotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/ - Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American-born citizens to get in touch. A website is provided; the homepage on affected devices is bogus, and you have to call to address a bogus government concern. Target calls are redirected to a call center where they're told they have reached immigration and asked to verify PII, then told it's a mistake as they are not in the system. At some point a meritless notification of a Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely a way to gain legal access to spy on targets.",
      "modified": "2024-03-18T21:03:15.841000",
      "created": "2024-02-18T02:12:56.143000",
      "tags": [
        "ssl certificate",
        "resolutions",
        "communicating",
        "historical ssl",
        "referrer",
        "united",
        "unknown",
        "passive dns",
        "scan endpoints",
        "all octoseek",
        "ipv4",
        "pulse pulses",
        "urls",
        "files",
        "win32",
        "body",
        "read c",
        "write c",
        "show",
        "delete",
        "msie",
        "windows nt",
        "search",
        "read",
        "write",
        "default",
        "malware",
        "copy",
        "contacted",
        "execution",
        "contacted urls",
        "whois sslcert",
        "emotet",
        "creation date",
        "meta",
        "cookie",
        "pragma",
        "mozilla",
        "ms windows",
        "intel",
        "regsetvalueexa",
        "nsisinetc",
        "pe32",
        "class",
        "persistence",
        "code",
        "explorer",
        "toolbar",
        "next",
        "self",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "headers",
        "httponly",
        "html info",
        "us citizenship",
        "meta tags",
        "citizenship",
        "immigration",
        "trackers new",
        "relic na",
        "utc google",
        "tag manager",
        "gtm5h8hdq3",
        "ids detections",
        "title",
        "date",
        "entries",
        "content type",
        "a domains",
        "gmt server",
        "apache x",
        "path",
        "win32dh",
        "as46606",
        "slcc2",
        "media center",
        "temple",
        "port",
        "destination",
        "as29873 newfold",
        "digital",
        "as15169 google",
        "otx telemetry",
        "trojandropper",
        "trojan",
        "backdoor",
        "wabot",
        "apanas",
        "south korea",
        "as9318 sk",
        "as3786 lg",
        "china as4134",
        "get hello",
        "as4766 korea",
        "dlink router",
        "dsl2750b rce",
        "exploit",
        "mirai",
        "as21928",
        "china as4837",
        "gafgyt",
        "strings",
        "high priority",
        "pulses",
        "related tags",
        "file type",
        "sysv",
        "external",
        "virustotal",
        "as39962 pretecs",
        "canada unknown",
        "moved",
        "present dec",
        "server",
        "lifeweb server",
        "lifeweb",
        "encrypt",
        "accept",
        "malware infection",
        "yara detections",
        "icmp traffic",
        "top source",
        "top destination",
        "source source",
        "policy http",
        "client body",
        "wordpress login",
        "brain sabey",
        "hall render",
        "government",
        "https://myaccount.uscis.gov/",
        "attempted brute forcing",
        "remote handler",
        "junk data stuffing",
        "cyber threat",
        "human rights threat",
        "basic human rights",
        "collision",
        "collusion",
        "cultureneutral",
        "et trojan",
        "known hostile",
        "etpro trojan",
        "possible virut",
        "error",
        "stream",
        "vitro",
        "delphi",
        "form",
        "canvas"
      ],
      "references": [
        "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022",
        "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/",
        "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331",
        "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine",
        "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection",
        "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com",
        "Yara Detections: GlassesCode"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Ireland",
        "Cyprus",
        "Sweden",
        "Australia",
        "Canada",
        "Hong Kong",
        "India",
        "Japan"
      ],
      "malware_families": [
        {
          "id": "Win.Trojan.6977536-1",
          "display_name": "Win.Trojan.6977536-1",
          "target": null
        },
        {
          "id": "Nebuler/Dialer.qn",
          "display_name": "Nebuler/Dialer.qn",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "NSIS",
          "display_name": "NSIS",
          "target": null
        },
        {
          "id": "Win32/DH{gVIJAw?}",
          "display_name": "Win32/DH{gVIJAw?}",
          "target": null
        },
        {
          "id": "ELF:DDoS-Y\\ [Trj]",
          "display_name": "ELF:DDoS-Y\\ [Trj]",
          "target": null
        },
        {
          "id": "DDoS:Linux/Mirai",
          "display_name": "DDoS:Linux/Mirai",
          "target": "/malware/DDoS:Linux/Mirai"
        },
        {
          "id": "Trojan:Win32/Tinba!rfn",
          "display_name": "Trojan:Win32/Tinba!rfn",
          "target": "/malware/Trojan:Win32/Tinba!rfn"
        },
        {
          "id": "Win32:Emotet-AI\\ [Trj]",
          "display_name": "Win32:Emotet-AI\\ [Trj]",
          "target": null
        },
        {
          "id": "Win.Trojan.Generic-6333842-0",
          "display_name": "Win.Trojan.Generic-6333842-0",
          "target": null
        },
        {
          "id": "Win32/CMSBrute/Pifagor",
          "display_name": "Win32/CMSBrute/Pifagor",
          "target": null
        },
        {
          "id": "Win32:Trojan-gen",
          "display_name": "Win32:Trojan-gen",
          "target": null
        },
        {
          "id": "Win32:Vitro",
          "display_name": "Win32:Vitro",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1023",
          "name": "Shortcut Modification",
          "display_name": "T1023 - Shortcut Modification"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1081",
          "name": "Credentials in Files",
          "display_name": "T1081 - Credentials in Files"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [
        "Civil Society"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 7636,
        "URL": 4080,
        "domain": 3917,
        "hostname": 1617,
        "FileHash-MD5": 1284,
        "FileHash-SHA1": 1213,
        "SSLCertFingerprint": 3,
        "CVE": 1
      },
      "indicator_count": 19751,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 234,
      "modified_text": "762 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65d167a9c59fe757dc56b395",
      "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified",
      "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulses, VirusTotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/ - Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American-born citizens to get in touch. A website is provided; the homepage on affected devices is bogus, and you have to call to address a bogus government concern. Target calls are redirected to a call center where they're told they have reached immigration and asked to verify PII, then told it's a mistake as they are not in the system. At some point a meritless notification of a Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely a way to gain legal access to spy on targets.",
      "modified": "2024-03-18T21:03:15.841000",
      "created": "2024-02-18T02:12:57.917000",
      "tags": [
        "ssl certificate",
        "resolutions",
        "communicating",
        "historical ssl",
        "referrer",
        "united",
        "unknown",
        "passive dns",
        "scan endpoints",
        "all octoseek",
        "ipv4",
        "pulse pulses",
        "urls",
        "files",
        "win32",
        "body",
        "read c",
        "write c",
        "show",
        "delete",
        "msie",
        "windows nt",
        "search",
        "read",
        "write",
        "default",
        "malware",
        "copy",
        "contacted",
        "execution",
        "contacted urls",
        "whois sslcert",
        "emotet",
        "creation date",
        "meta",
        "cookie",
        "pragma",
        "mozilla",
        "ms windows",
        "intel",
        "regsetvalueexa",
        "nsisinetc",
        "pe32",
        "class",
        "persistence",
        "code",
        "explorer",
        "toolbar",
        "next",
        "self",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "headers",
        "httponly",
        "html info",
        "us citizenship",
        "meta tags",
        "citizenship",
        "immigration",
        "trackers new",
        "relic na",
        "utc google",
        "tag manager",
        "gtm5h8hdq3",
        "ids detections",
        "title",
        "date",
        "entries",
        "content type",
        "a domains",
        "gmt server",
        "apache x",
        "path",
        "win32dh",
        "as46606",
        "slcc2",
        "media center",
        "temple",
        "port",
        "destination",
        "as29873 newfold",
        "digital",
        "as15169 google",
        "otx telemetry",
        "trojandropper",
        "trojan",
        "backdoor",
        "wabot",
        "apanas",
        "south korea",
        "as9318 sk",
        "as3786 lg",
        "china as4134",
        "get hello",
        "as4766 korea",
        "dlink router",
        "dsl2750b rce",
        "exploit",
        "mirai",
        "as21928",
        "china as4837",
        "gafgyt",
        "strings",
        "high priority",
        "pulses",
        "related tags",
        "file type",
        "sysv",
        "external",
        "virustotal",
        "as39962 pretecs",
        "canada unknown",
        "moved",
        "present dec",
        "server",
        "lifeweb server",
        "lifeweb",
        "encrypt",
        "accept",
        "malware infection",
        "yara detections",
        "icmp traffic",
        "top source",
        "top destination",
        "source source",
        "policy http",
        "client body",
        "wordpress login",
        "brain sabey",
        "hall render",
        "government",
        "https://myaccount.uscis.gov/",
        "attempted brute forcing",
        "remote handler",
        "junk data stuffing",
        "cyber threat",
        "human rights threat",
        "basic human rights",
        "collision",
        "collusion",
        "cultureneutral",
        "et trojan",
        "known hostile",
        "etpro trojan",
        "possible virut",
        "error",
        "stream",
        "vitro",
        "delphi",
        "form",
        "canvas"
      ],
      "references": [
        "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022",
        "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/",
        "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331",
        "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine",
        "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection",
        "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com",
        "Yara Detections: GlassesCode"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Ireland",
        "Cyprus",
        "Sweden",
        "Australia",
        "Canada",
        "Hong Kong",
        "India",
        "Japan"
      ],
      "malware_families": [
        {
          "id": "Win.Trojan.6977536-1",
          "display_name": "Win.Trojan.6977536-1",
          "target": null
        },
        {
          "id": "Nebuler/Dialer.qn",
          "display_name": "Nebuler/Dialer.qn",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "NSIS",
          "display_name": "NSIS",
          "target": null
        },
        {
          "id": "Win32/DH{gVIJAw?}",
          "display_name": "Win32/DH{gVIJAw?}",
          "target": null
        },
        {
          "id": "ELF:DDoS-Y\\ [Trj]",
          "display_name": "ELF:DDoS-Y\\ [Trj]",
          "target": null
        },
        {
          "id": "DDoS:Linux/Mirai",
          "display_name": "DDoS:Linux/Mirai",
          "target": "/malware/DDoS:Linux/Mirai"
        },
        {
          "id": "Trojan:Win32/Tinba!rfn",
          "display_name": "Trojan:Win32/Tinba!rfn",
          "target": "/malware/Trojan:Win32/Tinba!rfn"
        },
        {
          "id": "Win32:Emotet-AI\\ [Trj]",
          "display_name": "Win32:Emotet-AI\\ [Trj]",
          "target": null
        },
        {
          "id": "Win.Trojan.Generic-6333842-0",
          "display_name": "Win.Trojan.Generic-6333842-0",
          "target": null
        },
        {
          "id": "Win32/CMSBrute/Pifagor",
          "display_name": "Win32/CMSBrute/Pifagor",
          "target": null
        },
        {
          "id": "Win32:Trojan-gen",
          "display_name": "Win32:Trojan-gen",
          "target": null
        },
        {
          "id": "Win32:Vitro",
          "display_name": "Win32:Vitro",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1023",
          "name": "Shortcut Modification",
          "display_name": "T1023 - Shortcut Modification"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1081",
          "name": "Credentials in Files",
          "display_name": "T1081 - Credentials in Files"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [
        "Civil Society"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 7636,
        "URL": 4080,
        "domain": 3917,
        "hostname": 1617,
        "FileHash-MD5": 1284,
        "FileHash-SHA1": 1213,
        "SSLCertFingerprint": 3,
        "CVE": 1
      },
      "indicator_count": 19751,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 234,
      "modified_text": "762 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65d3ae057e25854811cc1395",
      "name": "Mirai \u2022 Injection VT & AlienVault reports deleted & modified",
      "description": "",
      "modified": "2024-03-18T21:03:15.841000",
      "created": "2024-02-19T19:37:41.208000",
      "tags": [
        "ssl certificate",
        "resolutions",
        "communicating",
        "historical ssl",
        "referrer",
        "united",
        "unknown",
        "passive dns",
        "scan endpoints",
        "all octoseek",
        "ipv4",
        "pulse pulses",
        "urls",
        "files",
        "win32",
        "body",
        "read c",
        "write c",
        "show",
        "delete",
        "msie",
        "windows nt",
        "search",
        "read",
        "write",
        "default",
        "malware",
        "copy",
        "contacted",
        "execution",
        "contacted urls",
        "whois sslcert",
        "emotet",
        "creation date",
        "meta",
        "cookie",
        "pragma",
        "mozilla",
        "ms windows",
        "intel",
        "regsetvalueexa",
        "nsisinetc",
        "pe32",
        "class",
        "persistence",
        "code",
        "explorer",
        "toolbar",
        "next",
        "self",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "headers",
        "httponly",
        "html info",
        "us citizenship",
        "meta tags",
        "citizenship",
        "immigration",
        "trackers new",
        "relic na",
        "utc google",
        "tag manager",
        "gtm5h8hdq3",
        "ids detections",
        "title",
        "date",
        "entries",
        "content type",
        "a domains",
        "gmt server",
        "apache x",
        "path",
        "win32dh",
        "as46606",
        "slcc2",
        "media center",
        "temple",
        "port",
        "destination",
        "as29873 newfold",
        "digital",
        "as15169 google",
        "otx telemetry",
        "trojandropper",
        "trojan",
        "backdoor",
        "wabot",
        "apanas",
        "south korea",
        "as9318 sk",
        "as3786 lg",
        "china as4134",
        "get hello",
        "as4766 korea",
        "dlink router",
        "dsl2750b rce",
        "exploit",
        "mirai",
        "as21928",
        "china as4837",
        "gafgyt",
        "strings",
        "high priority",
        "pulses",
        "related tags",
        "file type",
        "sysv",
        "external",
        "virustotal",
        "as39962 pretecs",
        "canada unknown",
        "moved",
        "present dec",
        "server",
        "lifeweb server",
        "lifeweb",
        "encrypt",
        "accept",
        "malware infection",
        "yara detections",
        "icmp traffic",
        "top source",
        "top destination",
        "source source",
        "policy http",
        "client body",
        "wordpress login",
        "brain sabey",
        "hall render",
        "government",
        "https://myaccount.uscis.gov/",
        "attempted brute forcing",
        "remote handler",
        "junk data stuffing",
        "cyber threat",
        "human rights threat",
        "basic human rights",
        "collision",
        "collusion",
        "cultureneutral",
        "et trojan",
        "known hostile",
        "etpro trojan",
        "possible virut",
        "error",
        "stream",
        "vitro",
        "delphi",
        "form",
        "canvas"
      ],
      "references": [
        "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022",
        "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/",
        "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331",
        "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine",
        "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection",
        "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com",
        "Yara Detections: GlassesCode"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Ireland",
        "Cyprus",
        "Sweden",
        "Australia",
        "Canada",
        "Hong Kong",
        "India",
        "Japan"
      ],
      "malware_families": [
        {
          "id": "Win.Trojan.6977536-1",
          "display_name": "Win.Trojan.6977536-1",
          "target": null
        },
        {
          "id": "Nebuler/Dialer.qn",
          "display_name": "Nebuler/Dialer.qn",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "NSIS",
          "display_name": "NSIS",
          "target": null
        },
        {
          "id": "Win32/DH{gVIJAw?}",
          "display_name": "Win32/DH{gVIJAw?}",
          "target": null
        },
        {
          "id": "ELF:DDoS-Y\\ [Trj]",
          "display_name": "ELF:DDoS-Y\\ [Trj]",
          "target": null
        },
        {
          "id": "DDoS:Linux/Mirai",
          "display_name": "DDoS:Linux/Mirai",
          "target": "/malware/DDoS:Linux/Mirai"
        },
        {
          "id": "Trojan:Win32/Tinba!rfn",
          "display_name": "Trojan:Win32/Tinba!rfn",
          "target": "/malware/Trojan:Win32/Tinba!rfn"
        },
        {
          "id": "Win32:Emotet-AI\\ [Trj]",
          "display_name": "Win32:Emotet-AI\\ [Trj]",
          "target": null
        },
        {
          "id": "Win.Trojan.Generic-6333842-0",
          "display_name": "Win.Trojan.Generic-6333842-0",
          "target": null
        },
        {
          "id": "Win32/CMSBrute/Pifagor",
          "display_name": "Win32/CMSBrute/Pifagor",
          "target": null
        },
        {
          "id": "Win32:Trojan-gen",
          "display_name": "Win32:Trojan-gen",
          "target": null
        },
        {
          "id": "Win32:Vitro",
          "display_name": "Win32:Vitro",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1023",
          "name": "Shortcut Modification",
          "display_name": "T1023 - Shortcut Modification"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1081",
          "name": "Credentials in Files",
          "display_name": "T1081 - Credentials in Files"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [
        "Civil Society"
      ],
      "TLP": "white",
      "cloned_from": "65d167a9c59fe757dc56b395",
      "export_count": 40,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 7636,
        "URL": 4080,
        "domain": 3917,
        "hostname": 1617,
        "FileHash-MD5": 1284,
        "FileHash-SHA1": 1213,
        "SSLCertFingerprint": 3,
        "CVE": 1
      },
      "indicator_count": 19751,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 233,
      "modified_text": "762 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65c96df8fe0657d56a206a49",
      "name": "Nokoyawa Ransomware - https://house.mo.gov/",
      "description": "Cyber attack including Pegasus found in https://house.mo.gov/\nObserved links: dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/. Appears to be attacking with heightened privilege escalation.\nLinks originated from the https://safebae.org attack, various Westlaw links and links attacking a private citizen. HallRender is a malware-hosting domain featuring an aggressive 'Brian Sabey' representing himself as an attorney protecting white-collar individuals accused of SA; this is the attacker. Boldly contacts victims via mail, email, phone, text, invites and personal invitations to the office.\n\nFront-facing https://safebae.org, a 'tribute' domain, may mention alleged SA victim Daisy Coleman. Research confirms no mention of 'Daisy'; safebae is filled with a cyber-bullying toolkit: ransomware.csv, tracking, Westlaw, tagging tools, pornhub, rallypoint, adult malvertising content targeting a Colorado SA victim.\nIt's all very real but so unbelievable. Malware spreading, cyberthreat.",
      "modified": "2024-03-13T00:02:54.335000",
      "created": "2024-02-12T01:01:44.323000",
      "tags": [
        "runtime process",
        "localappdata",
        "size",
        "sha256",
        "sha1",
        "temp",
        "prefetch8",
        "prefetch1",
        "unicode text",
        "type data",
        "hybrid",
        "general",
        "click",
        "strings",
        "contact",
        "mitre",
        "writes a pe file header to disc",
        "show process",
        "date",
        "document file",
        "v2 document",
        "ascii text",
        "malicious",
        "local",
        "path",
        "found",
        "ssl certificate",
        "whois record",
        "threat roundup",
        "contacted",
        "october",
        "resolutions",
        "apple ios",
        "referrer",
        "communicating",
        "execution",
        "june",
        "august",
        "emotet",
        "qakbot",
        "agent tesla",
        "azorult",
        "core",
        "maze",
        "metro",
        "dark",
        "team",
        "critical",
        "copy",
        "awful",
        "ursnif",
        "hacktool",
        "info",
        "qbot",
        "april",
        "njrat",
        "nokoyawa",
        "djvu",
        "flubot",
        "ransomware",
        "bandit stealer",
        "hallrender",
        "spyware",
        "safebae",
        "tsara brashears",
        "westlaw",
        "river.rocks",
        "brian sabey",
        "targeting",
        "dnspionage",
        "united",
        "unknown",
        "search",
        "aaaa",
        "showing",
        "domain",
        "creation date",
        "record value",
        "dnssec",
        "body",
        "passive dns",
        "encrypt",
        "as14061",
        "germany unknown",
        "as397240",
        "gmt server",
        "443 ma2592000",
        "scan endpoints",
        "all octoseek",
        "ipv4",
        "pulse pulses",
        "urls",
        "files",
        "main",
        "installing",
        "as16276",
        "france unknown",
        "name servers",
        "as8075",
        "servers",
        "next",
        "as63949 linode",
        "as206834 team",
        "canada unknown",
        "status",
        "as61969 team",
        "msie",
        "chrome",
        "ransom",
        "gone",
        "title",
        "head body",
        "malware"
      ],
      "references": [
        "\u2193\u2192Found in: https://house.mo.gov/\u2193",
        "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/",
        "demo.auth.civicalg.com.sni.cloudflaressl.com",
        "happyrabbit.kr [Apple iOS threat]",
        "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz",
        "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022",
        "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639",
        "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join",
        "http://nudeteenporn.site"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Nokoyawa Ransomware",
          "display_name": "Nokoyawa Ransomware",
          "target": null
        },
        {
          "id": "Bandit Stealer",
          "display_name": "Bandit Stealer",
          "target": null
        },
        {
          "id": "FluBot",
          "display_name": "FluBot",
          "target": null
        },
        {
          "id": "Agent Tesla",
          "display_name": "Agent Tesla",
          "target": null
        },
        {
          "id": "QBot",
          "display_name": "QBot",
          "target": null
        },
        {
          "id": "QakBot",
          "display_name": "QakBot",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        },
        {
          "id": "AZORult",
          "display_name": "AZORult",
          "target": null
        },
        {
          "id": "Djvu",
          "display_name": "Djvu",
          "target": null
        },
        {
          "id": "HackTool",
          "display_name": "HackTool",
          "target": null
        },
        {
          "id": "Maze",
          "display_name": "Maze",
          "target": null
        },
        {
          "id": "Dark",
          "display_name": "Dark",
          "target": null
        },
        {
          "id": "NjRAT",
          "display_name": "NjRAT",
          "target": null
        },
        {
          "id": "HallRender",
          "display_name": "HallRender",
          "target": null
        },
        {
          "id": "Tulach",
          "display_name": "Tulach",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1065",
          "name": "Uncommonly Used Port",
          "display_name": "T1065 - Uncommonly Used Port"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 48,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 194,
        "FileHash-SHA1": 191,
        "FileHash-SHA256": 2376,
        "domain": 1414,
        "URL": 4388,
        "hostname": 1699,
        "CVE": 4,
        "email": 5
      },
      "indicator_count": 10271,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 223,
      "modified_text": "768 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "accessprivatecloud.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "accessprivatecloud.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776689078.9384975
}