{ "type": "Domain", "indicator": "alertcleaning.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/alertcleaning.com", "alexa": "http://www.alexa.com/siteinfo/alertcleaning.com", "indicator": "alertcleaning.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3894547730, "indicator": "alertcleaning.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "695c8007f67e8b9a6bb276c5", "name": "export_USERS 1-14000 / 157705", "description": "UAlberta Azure/Entra (partial)\nRelated to Pulse 'Ghosts' [ loads into system files ]", "modified": "2026-02-05T03:05:05.683000", "created": "2026-01-06T03:22:47.101000", "tags": [ "true", "member", "guest", "invitation", "emailverified", "notadult", "zhang", "nguyen", "smith", "andison", "wang", "yang", "king", "pandit", "martin", "hong", "murray", "davis", "perez", "kremp", "walker", "rush", "ding", "cheng", "jarvis", "casey", "blank", "jason", "hope", "shang", "lambert", "hare", "hustler", "nichols", "james", "wong", "patel", "grewal", "rana", "jaber", "david", "hawkshaw", "jackson", "hunter", "horn", "modi", "baixue", "chen", "reid", "mendoza", "bone", "dada", "stepan", "fisher", "roma", "barry", "moran", "goodwin", "tack", "baran", "donald", "pedro", "green", "dennis", "stop", "kaneria", "duke", "goli", "bach", "hwang", "hill", "mark", "victor", "pino", "little", "misa", "gloria", "mesina", "matta", "shen", "splinter", "sohana", "alex", "jean", "madro", "coco", "zhao", "support", "lynda", "daniel", "info", "brick", "wagner", "stark", "starr", "dorn", "repka", "heck", "park", "tang", "multiple1162021", "alexander", "gibbon", "calgary", "matthew", "bian", "shah", "johnson", "delfs", "morrison", "flood", "black", "valencia", "bredo", "singh", "chan", "ahmed", "salm", "faisal", "agena", "bella", "crow", "yurkiw", "xgygy0094", "huang", "trinity", "aris", "alisa", "cardinal", "wolf", "corona", "abbas", "rasim", "asher", "motil", "xena", "hammer", "hack", "chin", "odysseus", "otto", "jain", "joshi", "hole", "daum", "stack", "murphy", "leon", "meadwell", "owumi", "royce", "luna", "eddie", "stone", "stang", "code", "paradis", "zhen", "sood", "pepper", "mill", "cassidy", "blade", "minimo", "sweet", "toal" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "domain": 243, "email": 14365, "hostname": 104 }, "indicator_count": 14717, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dee127b7545e7fa66145fc", "name": "08.31.23 - WTH UA - azure settings.json by jwanihad - updated - 09.23.25", "description": "VirusTotal Graph (miniuser, 2025)", "modified": "2025-11-01T20:03:51.273000", "created": "2025-10-02T20:31:35.532000", "tags": [ "entity" ], "references": [ "https://www.virustotal.com/graph/embed/g6e7ccf47fdd04a7487e54d1c35142f4cb0280a685f78403ca3aa49cfaeb91e97?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 80, "FileHash-SHA1": 80, "FileHash-SHA256": 194, "URL": 43, "domain": 15, "hostname": 36 }, "indicator_count": 448, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d2f9ba2e1a07b28f3704bb", "name": "08.31.23 - WTH UA - azure settings.json by jwanihad - updated - 09.23.25", "description": "This collection is based off a graph created by miniuser (2025) based on several samples I provided to the OG creator & Cybersecurity Expert. \n\nRelated to Pulse: 'Ghost' in LevelBlueCyber OTX 2096\n\nRelated to 1-2+ Azure/Entra Tenants", "modified": "2025-10-23T19:04:11.359000", "created": "2025-09-23T19:49:14.398000", "tags": [ "entity", "please", "javascript" ], "references": [ "https://www.virustotal.com/graph/embed/g6e7ccf47fdd04a7487e54d1c35142f4cb0280a685f78403ca3aa49cfaeb91e97?theme=dark", "https://www.virustotal.com/gui/collection/0f562e5b2effefec9eaa30f081ec027330fcccdca4e399bcc29c802d9731d286/summary", "https://tria.ge/250729-wr59yabk7y" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 80, "FileHash-SHA1": 80, "FileHash-SHA256": 194, "URL": 43, "domain": 15, "hostname": 36 }, "indicator_count": 448, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "222 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b3f45db593591b6841a70e", "name": "08.31.23 - WTH UA - azure settings.json by jwanihad - 07.10.25", "description": "vT Graph (miniuser, 07.10.25)", "modified": "2025-09-30T07:04:59.685000", "created": "2025-08-31T07:06:05.296000", "tags": [ "entity" ], "references": [ "https://www.virustotal.com/graph/embed/g6e7ccf47fdd04a7487e54d1c35142f4cb0280a685f78403ca3aa49cfaeb91e97?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 80, "FileHash-SHA1": 80, "FileHash-SHA256": 194, "URL": 43, "domain": 15, "hostname": 36 }, "indicator_count": 448, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "459 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://www.virustotal.com/graph/embed/g6e7ccf47fdd04a7487e54d1c35142f4cb0280a685f78403ca3aa49cfaeb91e97?theme=dark", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "All - EnterpriseAppsList.csv", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/250729-wr59yabk7y", "Thor Scan: S-I9VvMTB6cZU", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://urlscan.io/search/#ualberta.ca", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://tria.ge/240517-t9pc2ahb2t", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "AppRegistrationList.csv", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://www.virustotal.com/gui/collection/0f562e5b2effefec9eaa30f081ec027330fcccdca4e399bcc29c802d9731d286/summary" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [ "Healthcare", "Telecommunications", "Government", "Education", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "695c8007f67e8b9a6bb276c5", "name": "export_USERS 1-14000 / 157705", "description": "UAlberta Azure/Entra (partial)\nRelated to Pulse 'Ghosts' [ loads into system files ]", "modified": "2026-02-05T03:05:05.683000", "created": "2026-01-06T03:22:47.101000", "tags": [ "true", "member", "guest", "invitation", "emailverified", "notadult", "zhang", "nguyen", "smith", "andison", "wang", "yang", "king", "pandit", "martin", "hong", "murray", "davis", "perez", "kremp", "walker", "rush", "ding", "cheng", "jarvis", "casey", "blank", "jason", "hope", "shang", "lambert", "hare", "hustler", "nichols", "james", "wong", "patel", "grewal", "rana", "jaber", "david", "hawkshaw", "jackson", "hunter", "horn", "modi", "baixue", "chen", "reid", "mendoza", "bone", "dada", "stepan", "fisher", "roma", "barry", "moran", "goodwin", "tack", "baran", "donald", "pedro", "green", "dennis", "stop", "kaneria", "duke", "goli", "bach", "hwang", "hill", "mark", "victor", "pino", "little", "misa", "gloria", "mesina", "matta", "shen", "splinter", "sohana", "alex", "jean", "madro", "coco", "zhao", "support", "lynda", "daniel", "info", "brick", "wagner", "stark", "starr", "dorn", "repka", "heck", "park", "tang", "multiple1162021", "alexander", "gibbon", "calgary", "matthew", "bian", "shah", "johnson", "delfs", "morrison", "flood", "black", "valencia", "bredo", "singh", "chan", "ahmed", "salm", "faisal", "agena", "bella", "crow", "yurkiw", "xgygy0094", "huang", "trinity", "aris", "alisa", "cardinal", "wolf", "corona", "abbas", "rasim", "asher", "motil", "xena", "hammer", "hack", "chin", "odysseus", "otto", "jain", "joshi", "hole", "daum", "stack", "murphy", "leon", "meadwell", "owumi", "royce", "luna", "eddie", "stone", "stang", "code", "paradis", "zhen", "sood", "pepper", "mill", "cassidy", "blade", "minimo", "sweet", "toal" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "domain": 243, "email": 14365, "hostname": 104 }, "indicator_count": 14717, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dee127b7545e7fa66145fc", "name": "08.31.23 - WTH UA - azure settings.json by jwanihad - updated - 09.23.25", "description": "VirusTotal Graph (miniuser, 2025)", "modified": "2025-11-01T20:03:51.273000", "created": "2025-10-02T20:31:35.532000", "tags": [ "entity" ], "references": [ "https://www.virustotal.com/graph/embed/g6e7ccf47fdd04a7487e54d1c35142f4cb0280a685f78403ca3aa49cfaeb91e97?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 80, "FileHash-SHA1": 80, "FileHash-SHA256": 194, "URL": 43, "domain": 15, "hostname": 36 }, "indicator_count": 448, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d2f9ba2e1a07b28f3704bb", "name": "08.31.23 - WTH UA - azure settings.json by jwanihad - updated - 09.23.25", "description": "This collection is based off a graph created by miniuser (2025) based on several samples I provided to the OG creator & Cybersecurity Expert. \n\nRelated to Pulse: 'Ghost' in LevelBlueCyber OTX 2096\n\nRelated to 1-2+ Azure/Entra Tenants", "modified": "2025-10-23T19:04:11.359000", "created": "2025-09-23T19:49:14.398000", "tags": [ "entity", "please", "javascript" ], "references": [ "https://www.virustotal.com/graph/embed/g6e7ccf47fdd04a7487e54d1c35142f4cb0280a685f78403ca3aa49cfaeb91e97?theme=dark", "https://www.virustotal.com/gui/collection/0f562e5b2effefec9eaa30f081ec027330fcccdca4e399bcc29c802d9731d286/summary", "https://tria.ge/250729-wr59yabk7y" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 80, "FileHash-SHA1": 80, "FileHash-SHA256": 194, "URL": 43, "domain": 15, "hostname": 36 }, "indicator_count": 448, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "222 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b3f45db593591b6841a70e", "name": "08.31.23 - WTH UA - azure settings.json by jwanihad - 07.10.25", "description": "vT Graph (miniuser, 07.10.25)", "modified": "2025-09-30T07:04:59.685000", "created": "2025-08-31T07:06:05.296000", "tags": [ "entity" ], "references": [ "https://www.virustotal.com/graph/embed/g6e7ccf47fdd04a7487e54d1c35142f4cb0280a685f78403ca3aa49cfaeb91e97?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 80, "FileHash-SHA1": 80, "FileHash-SHA256": 194, "URL": 43, "domain": 15, "hostname": 36 }, "indicator_count": 448, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "459 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "alertcleaning.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "alertcleaning.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780475353.7293808 }