{
"type": "Domain",
"indicator": "anderscloud.eus",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/anderscloud.eus",
"alexa": "http://www.alexa.com/siteinfo/anderscloud.eus",
"indicator": "anderscloud.eus",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 4117566530,
"indicator": "anderscloud.eus",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 26,
"pulses": [
{
"id": "69ddeb45c45f6a3cd721397d",
"name": "Active attacks \u2022 Apple \u2022 Tulach",
"description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious",
"modified": "2026-04-14T07:22:45.250000",
"created": "2026-04-14T07:22:45.250000",
"tags": [
"url http",
"ipv4",
"indicator role",
"active related",
"united",
"moved",
"gmt content",
"certificate",
"all domain",
"msie",
"chrome",
"extraction",
"data upload",
"twitter",
"cookie",
"extra",
"include data",
"review locs",
"exclude",
"suggested os",
"onlv",
"failed",
"stop data",
"read c",
"unicode",
"rgba",
"memcommit",
"delete",
"dock",
"write",
"execution",
"sc type",
"extri",
"include review",
"exclude sugges",
"typ data",
"a domains",
"present apr",
"script urls",
"files",
"files ip",
"address",
"ios",
"mac",
"apple",
"appleid",
"itunes",
"next associated",
"all ipv4",
"included ic",
"uny teade",
"type hostnar",
"hostnar hostnar",
"hostnar",
"macair",
"macairaustralia",
"ipad",
"ipod",
"cryptexportkey",
"invalid pointer",
"cryptgenkey",
"stream",
"defender",
"delphi",
"class",
"stack",
"format",
"unknown",
"united states",
"phishing",
"password",
"traffic redirected",
"service mod",
"service execution",
"youtube",
"music",
"streams",
"songs",
"played songs",
"music streams",
"most played",
"fonelab",
"indicator",
"included iocs",
"manually add",
"review ocs",
"exclude inn",
"sugges data",
"find",
"include",
"url https",
"enter sc",
"type",
"no matchme",
"search otx",
"https",
"references x",
"analyze",
"open th",
"url data",
"se http",
"no match",
"excluded iocs",
"iocs",
"ip whitelisted",
"whitelisted",
"tcp include",
"analysis date",
"file score",
"medium risk",
"yara detections",
"contacted",
"related tags",
"x vercel",
"file type",
"type indicator",
"role title",
"related pulses",
"mulch virtua",
"library loade",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugt",
"samuel tulach",
"unity engine",
"tulach",
"sa awareness",
"sabey",
"sar cut",
"autofill",
"includer review",
"portiana oney",
"targeting",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"musickit_1_.js",
"lazarus",
"injection",
"CVE-2017-8570",
"prefetch2",
"target",
"aaaa",
"ip address",
"record value",
"emails",
"samuel tuachs",
"sapev",
"review exclude",
"monitored target",
"script",
"mitre att",
"ascii text",
"span",
"path",
"iframe",
"april",
"hybrid",
"general",
"local",
"click",
"strings",
"body",
"development att",
"t1055.012 list planting",
"active"
],
"references": [
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://help.aiseesoft.jp/blu-ray-player",
"http://help.aiseesoft.jp/fonelab/",
"https://action.aiseesoft.jp/itunes.php",
"http://help.aiseesoft.jp/total-video-converter",
"http://help.aiseesoft.jp/total-video-converter/",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"http://test-firstmile.digitecgalaxus.ch",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"cdn.rss.applemarketingtools.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"1.bing.com.cn",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"www.phantomcameras.cn",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"podcasts.apple.com \u2022 23.34.32.21",
"www.apple.com \u2022 23.34.32.199",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"http://firstmile.digitecgalaxus.ch",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"Tulach.cc",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"asp.net domain pointer",
"developer.x.com",
"aotx.alienvault.com (aotx.?)",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1020.001",
"name": "Traffic Duplication",
"display_name": "T1020.001 - Traffic Duplication"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591.002",
"name": "Business Relationships",
"display_name": "T1591.002 - Business Relationships"
},
{
"id": "T1591.001",
"name": "Determine Physical Locations",
"display_name": "T1591.001 - Determine Physical Locations"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1029,
"domain": 396,
"email": 7,
"URL": 2784,
"FileHash-SHA256": 898,
"FileHash-MD5": 79,
"FileHash-SHA1": 68,
"IPv4": 35,
"CVE": 1,
"SSLCertFingerprint": 13
},
"indicator_count": 5310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69dc04c12782d2d76c111a93",
"name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked",
"description": "",
"modified": "2026-04-12T20:46:57.338000",
"created": "2026-04-12T20:46:57.338000",
"tags": [
"indicator role",
"active related",
"ck ids",
"files",
"information",
"discovery",
"mitre att",
"pattern match",
"ck id",
"ck matrix",
"ascii text",
"united",
"binary file",
"april",
"hybrid",
"apikey",
"general",
"local",
"path",
"iframe",
"click",
"protocol",
"learn",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"related pulses",
"dll read",
"function read",
"icmp traffic",
"machineguid",
"systembiosdate",
"total",
"read",
"write",
"network_icmp",
"js_eval",
"recon_fingerprint",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"tls handshake",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"neue",
"certificate",
"error",
"scans show",
"record value",
"title site",
"servers",
"emails",
"all hostname",
"dnsadmin",
"data upload",
"extraction",
"failed",
"include review",
"exclude sugges",
"find s",
"typ no",
"active",
"urls",
"ip address",
"asn as54113",
"registrar",
"wscript",
"united states",
"stcalifornia",
"lmountain view",
"ogoogle llc",
"ogoogle trust",
"cngts ca",
"whitelisted",
"as15169",
"hostile",
"crash",
"contacted",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"detections alf",
"hostile yara",
"detections none",
"less ip",
"domains",
"ms windows",
"intel",
"pe32",
"regsetvalueexa",
"langturkish",
"sublangdefault",
"port",
"destination",
"entries",
"worm",
"delphi",
"win32",
"body",
"explorer",
"defender",
"regdword",
"false",
"true",
"end sub",
"object",
"createobject",
"sheetschanged",
"private sub",
"string",
"boolean",
"cancel",
"trojan",
"copy",
"query",
"dns update",
"useragent",
"myapp",
"delphi alerts",
"alerts deadhost",
"women who code",
"tulach",
"114.114.114.114",
"samuel",
"brian sabey"
],
"references": [
"https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file",
"this.target",
"c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1",
"amazon.com \u2022 pki.goog \u2022 google-analytics.com",
"authrootstl.cab common file extension",
"dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell",
"https://securityaffairs.com/144927/cyber-crime~#",
"https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html",
"virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com",
"https://clockoutbox.es/password",
"http://cr-malware.testpanw.com/url",
"IDS Detections: Query to a *.pw domain - Likely Hostile",
"Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer",
"Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows",
"Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_",
"Alerts: windows_utilities antivm_memory_available pe_features raises_exception",
"IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227",
"IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94",
"Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog",
"Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com",
"Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw",
"Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections compromised_site_redirector_fromcharcode , Delphi",
"Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad",
"Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx",
"IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29",
"Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org",
"Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com",
"114.114.114.114 = Tulach"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:Trojan:Win64/PsBanker",
"display_name": "ALF:Trojan:Win64/PsBanker",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Trojan:O97M/Madeba.A!det",
"display_name": "Trojan:O97M/Madeba.A!det",
"target": "/malware/Trojan:O97M/Madeba.A!det"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1114,
"hostname": 594,
"domain": 200,
"FileHash-SHA256": 2379,
"FileHash-MD5": 426,
"FileHash-SHA1": 259,
"IPv4": 322,
"SSLCertFingerprint": 24,
"email": 2,
"IPv6": 1
},
"indicator_count": 5321,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "6 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d3843cba399db62eeae702",
"name": "CAPE Sandbox - Stalking",
"description": "A full report on the latest Android operating system: PK.3.4.5.1 (c) on 1 January, 2026, to be published by the Google Research Institute (GRI).",
"modified": "2026-04-06T10:18:23.324000",
"created": "2026-04-06T10:00:28.397000",
"tags": [
"renewed",
"8gbram",
"windows10",
"19inlcdmonitor",
"desktop pc",
"package",
"intel core",
"hard drive",
"dvdrw",
"wifi",
"title",
"blink",
"date",
"meta",
"elite",
"body",
"https",
"mitre attack",
"network info",
"tls version",
"united",
"overview",
"zenbox android",
"verdict",
"guest system",
"ultimate file",
"fraud",
"cloud",
"next",
"program",
"processes extra",
"overview zenbox",
"info file",
"file type",
"default",
"parent pid",
"full path",
"command line",
"registry keys",
"commands c",
"k dcomlaunch",
"files c",
"devicecng c",
"read registry"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/2533042959ad1fe050d14ab7536126910a2d240992bff397640382472b6a7c69_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469608&Signature=fK1I2%2FxXVm0l3ZiELwtstes8iVN402Ww%2By%2BgvxYOB0LiC2iO3J9cedWJk1hMIr4IfLSGKprfui8vANzR%2BkWfSd594S%2FFe9A59YKyOA2MFmQTBRXVy6O3xF1e1lPETp5Md%2FbGJCOzrZxdHyReyuk7cgdDDBAewptjJhfTYxql7F9X%2FB4qe9BYWPrvned2fFWfU%2F4G%2F4UBqY9Jj%2BG1CTP%2FaGqOdWFs0Q5cPYZ4bytp",
"https://vtbehaviour.commondatastorage.googleapis.com/6c39ae0368703f254070a0648c0066115140c3e762d9bf5b52833a037a1e3743_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469752&Signature=Df%2Bamm33qFPdsDg6nWC5FQjse7h4fksSXqONp4nMEItb0gpBwqx66TqcCnFzQplUk6ExMge79qNZR2OElv63sX54D4fSGwI9nvHYhQoiVdZIgf4ct8dIAr%2BYO9jSx0WpPUVFsvf%2FXtXvm6jM5n5v7CGiyFRyAz8PES5g%2FcOlLt%2BDhsc8bhi%2FMU9mAkyyr5nFVPcTmUSHOTNXOeKDUlyRkQE6b9FEbFhUL1h3%2B%2FBVtysh",
"https://vtbehaviour.commondatastorage.googleapis.com/5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469810&Signature=Mj5ODxCW7tD5UNn6P11Ta7F2cmDLSJuEB7JSLFg%2FERfANmnRR5L7XzDwXxI5G48vkQFx0%2FBMtjMLwWHn6ZHKlt13rfzkvoOu5fJ%2Fb5lMJqUp1rSQIG0JLL80QAnXyJf2W8pL7MvK97Tr4jsCIUfd8ezliJtV5SmahV6Q8lYu2KJUnANrHkA10RFrcT4O26Vk7gbDsuC7caDXC6U9KXTTB0cpC77%2FV7w86ftN2JPXx6oEHUvSj02qsvhKwKQvmM",
"https://vtbehaviour.commondatastorage.googleapis.com/5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469831&Signature=ZlRZLvCaJ%2F9niupu9DFCvXvfgFpDEOsK%2FsH46CB2zEVUDjcQRNMDp9XXKKx0dekmHQbhl02yqygHPOA8Wty5duGtK216QCvKNkYpbpdOjN7xgAg3AsldciWbqeJr8N4I%2F1%2FPRSdVfB%2BNGaBJKxZG1RQkX206MSvX%2BeY%2FdeEYpq3NYdrPWlxdV0pa3yaqcMrf2s%2FCFSM%2FdO3xt5PKyXWG%2FDCNM5iiuXh8OT2ckhZhf%"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1221",
"name": "Template Injection",
"display_name": "T1221 - Template Injection"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1409",
"name": "Access Stored Application Data",
"display_name": "T1409 - Access Stored Application Data"
},
{
"id": "T1421",
"name": "System Network Connections Discovery",
"display_name": "T1421 - System Network Connections Discovery"
},
{
"id": "T1422",
"name": "System Network Configuration Discovery",
"display_name": "T1422 - System Network Configuration Discovery"
},
{
"id": "T1426",
"name": "System Information Discovery",
"display_name": "T1426 - System Information Discovery"
},
{
"id": "T1430",
"name": "Location Tracking",
"display_name": "T1430 - Location Tracking"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 182,
"FileHash-MD5": 781,
"FileHash-SHA1": 509,
"FileHash-SHA256": 539,
"URL": 387,
"hostname": 361,
"domain": 100,
"CIDR": 1,
"email": 1
},
"indicator_count": 2861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "13 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a1a73eb0578b92962dae97",
"name": "FBI Link (Ransomware)sent to a device. opened on its own. Why?",
"description": "I wouldn\u2019t typically search an alleged authentic government site , except it opened on a device, no prompt. TrojanDownloader:Win32/Dalexis!rfn!rfn\nIDS Detections\nMaktub Locker TOR Status Check\nTOR Consensus Data Requested\nTOR 1.0 Server Key Retrieval\nTor Get Server Request\nTLS Handshake Failure\nYara Detections\nstack_string\nWho is : [URL\n[https://tor-dirauth.sebastianhahn.net/]\n[https://tor.sebastianhahn.net]\n[tor-dirauth.sebastianhahn.net]\n->gitbot.faui2k9.de\n[Status faui2k9.de -connect] connects to device \n100% Malicious | https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70 | [External resources discovered in HTML content:\ndap.digitalgov.gov | Pattern match: \"fbi.gov/contact-us/field-offices/denver/news/pr\"\nHeuristic match: \"x.com\" | will revisit",
"modified": "2026-03-29T13:04:34.750000",
"created": "2026-02-27T14:16:30.498000",
"tags": [
"regopenkeyexw",
"port",
"destination",
"cryptexportkey",
"search",
"show",
"entries",
"windows nt",
"regsetvalueexa",
"ip address",
"malware",
"copy",
"write",
"win32",
"next",
"format",
"contacted",
"less ip",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"date",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"february",
"failed",
"enter",
"data upload",
"passive dns",
"urls",
"aaaa",
"certificate",
"otx logo",
"all hostname",
"pulse submit",
"url analysis",
"files",
"domain",
"title",
"body",
"encrypt",
"netherlands",
"gmt content",
"all ipv4",
"amsterdam",
"hetzner online",
"gmbh",
"summary",
"url age",
"de seen",
"general info",
"geo germany",
"as as24940",
"de note",
"route",
"direct",
"pro platform",
"logs",
"suricata alert",
"et info",
"tls handshake",
"bad traffic",
"suricata alerts",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"size",
"sha256",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"path",
"unknown",
"stop",
"root",
"hybrid",
"general",
"local",
"form",
"click",
"strings",
"9999",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"command",
"defense evasion",
"spawns",
"found",
"show technique",
"ck matrix",
"href",
"antivirus",
"maktub locker",
"tor status",
"check"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1129,
"domain": 148,
"hostname": 753,
"FileHash-SHA256": 548,
"FileHash-MD5": 90,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 8,
"CIDR": 1,
"email": 4
},
"indicator_count": 2752,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "20 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69c06ca9341d6c063f652e33",
"name": "ETERNALBLUE Probe MS17-010 | Wannacry Ransomware Domain - related to NSO Group Pegasus",
"description": "Quasi governmental, Healthcare Law Firms , legal entities , as well as direct safety threats such as NSO Group Pegasus, Enterprise Cellebrite (in references) and other dangerous intimidation and life endangering tactics directed against a crime victim. Continuous harassment and threats of violence against victims family including 83 yo father. Veteran & hand picked Sr Systems Analyst and Engineer for Aegis Weapon System Team of 24. You\u2019re welcome America.. Victim left zero evidence with family. Documents shredded. Data stolen by parties named. She isn\u2019t the only one. These people do this for a living. Abuse of Palantir & Foundry tools.",
"modified": "2026-03-22T22:26:49.205000",
"created": "2026-03-22T22:26:49.205000",
"tags": [
"ransomware",
"united",
"search",
"asnone",
"regsetvalueexa",
"service",
"regdword",
"medium",
"get na",
"malware",
"dock",
"push",
"write",
"win32",
"playgame",
"unknown",
"exploit",
"cve",
"wncry",
"wannacry",
"passive dns",
"urls",
"british virgin",
"all url",
"http",
"ip address",
"related nids",
"files location",
"virgin islands",
"islands",
"bgp",
"virgin islands",
"hijacked",
"data upload",
"extraction",
"failed",
"review iocs",
"include ovo",
"tovary review",
"ids detec",
"yara dete",
"trior texarag",
"drop or",
"rrowse",
"type",
"extra data",
"hurricane electric",
"p2404",
"p11629470400",
"p11629107633",
"artifacts v",
"full reports",
"v help",
"info",
"low l",
"high ta0002",
"techniques",
"t1053",
"command",
"scripting inte",
"low ta0003",
"techniques high",
"t1053 ite",
"modify system",
"pl t1543",
"boot",
"logon autostart",
"ex t1547",
"checks-disk-space",
"checks-network-adapters",
"detect-debug-environment",
"direct-cpu-clock-access",
"long-sleeps",
"runtime-modules",
"get http",
"head http",
"dns resolutions",
"ip traffic",
"53 tcp",
"tls sni",
"apple id",
"webdisk",
"expiration",
"url http",
"hostname",
"no expiration",
"iocs",
"url https",
"es included",
"win32 exe",
"pe32 executable",
"ms windows",
"intel",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"t1204 user",
"defense evasion",
"over",
"mitre att",
"ck matrix",
"ascii text",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"javascript",
"ssl certificate",
"encrypt",
"accept",
"russia unknown",
"meta",
"record value",
"aaaa",
"link",
"present jun",
"apple",
"remote access",
"otx logo",
"all ipv4",
"url analysis",
"files",
"accept ch",
"present dec",
"content type",
"x pcrew",
"name servers",
"present may",
"body doctype",
"title",
"all domain",
"servers",
"china unknown",
"found content",
"gmt p3p",
"cp oti",
"dsp cor",
"iva our",
"ind com",
"domain",
"cname",
"entries",
"brian sabey",
"hallrender",
"christopher ahmann",
"t1480 execution",
"discovery att",
"heur",
"virtool",
"win64",
"mtb win32",
"backdoor",
"location china",
"hangzhou",
"china asn",
"ransom",
"wannadecryptor",
"filehash",
"yara detections",
"msvisualcpp60",
"related tags",
"none file",
"type pexe",
"copy",
"beginstring",
"null",
"refresh",
"body",
"span",
"error",
"tools",
"look",
"verify",
"restart",
"expl",
"unknown cname",
"hacktool",
"domain address",
"contacted hosts",
"process details",
"flag",
"ipv4 add",
"location united",
"america flag",
"exploit",
"show",
"all filehash",
"expiration date",
"gmt location",
"gmt max",
"domain add",
"elite",
"date",
"cowboy",
"United States",
"present feb",
"present oct",
"creation date",
"present nov",
"moved",
"emails"
],
"references": [
"http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/",
"Win32:CVE-2017-0147-B\\ [Expl] , Win.Ransomware.WannaCry-6313787-0 , Exploit:Win32/CVE-2017-0147.A",
"IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
"IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS",
"IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden",
"Yara Detections: WannaCry_Ransomware , Wanna_Cry_Ransomware_Generic , WannaDecryptor",
"Yara Detections: MS17_010_WanaCry_worm , stack_string , MS_Visual_Cpp_6_0 , Armadillov1xxv2xx",
"Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad",
"Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file",
"Alerts: creates_service stealth_window antivm_network_adapters checks_debugger",
"Alerts: peid_packer pe_unknown_resource_name",
"IP\u2019s Contacted: 103.224.212.220 105.242.60.208 117.13.61.219 117.180.208.83 12.105.46.122",
"IP\u2019s Contacted: 121.105.233.189 128.251.173.246 13.248.148.254 132.124.155.52 139.246.30.108",
"Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",
"Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",
"FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7",
"Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)",
"Crowdsourced IDS: Matches rule MALWARE-CNC DNS",
"Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)",
"Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP",
"apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn",
"apple.com-verify.account.manage.test2.aptaforum.com.cn",
"appleid.apple.com-signin-8491e.test2.aptaforum.com.cn",
"appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn",
"web-secure-appleid-login.com.test2.aptaforum.com.cn",
"http://apple.com-verify.account.manage.test2.aptaforum.com.cn/",
"http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/",
"http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/",
"findmy.apple-uk.live",
"apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/",
"http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/",
"http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/",
"http://web-secure-appleid-login.com.test2.aptaforum.com.cn/",
"Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc",
"VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc",
"https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc",
"https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39",
"KeenDNS | keendnsaclremote805717135272048.qeenetic.link",
"https://fonts.googleapis.com/css",
"http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/",
"Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless",
"www.remoteaccess.allied-media.com",
"apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn",
"aptaforum.com.cn 182.61.201.90 , 182.61.201.91 China ASN AS38365 beijing baidu netcom science and technology co. ltd",
"Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com",
"*unsigned Domain: aptaforum.com.cn Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok",
"dns17.hichina.com",
"dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)",
"Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.",
"https://otx.alienvault.com/indicator/domain/qeenetic.link",
"okg.and.googletagmanagers.com",
"pcy.and.googletagmanagers.com",
"pgj.and.googletagmanagers.com",
"prb.and.googletagmanagers.com",
"lkp.and.googletagmanagers.com",
"jgw.and.googletagmanagers.com",
"bzx.and.googletagmanagers.com",
"msedge.b.tlu.dl.delivery.mp.microsoft.com",
"http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/",
"HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related",
"TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render",
"https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699",
"https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c",
"https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38",
"(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html",
"https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c",
"https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Win.Ransomware.WannaCry-6313787-0",
"display_name": "Win.Ransomware.WannaCry-6313787-0",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147.A",
"display_name": "Exploit:Win32/CVE-2017-0147.A",
"target": "/malware/Exploit:Win32/CVE-2017-0147.A"
},
{
"id": "Trojan/JS.Redirector.QNO",
"display_name": "Trojan/JS.Redirector.QNO",
"target": null
},
{
"id": "Win.Trojan.Application-1955.",
"display_name": "Win.Trojan.Application-1955.",
"target": null
},
{
"id": "Win32:Banker-LAA\\ [Trj]",
"display_name": "Win32:Banker-LAA\\ [Trj]",
"target": null
},
{
"id": "Win.Malware.Snojan-6775202-0",
"display_name": "Win.Malware.Snojan-6775202-0",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Trj]",
"display_name": "Win32:Evo-gen\\ [Trj]",
"target": null
},
{
"id": "Win64:Expiro-AJ\\ [Inf]",
"display_name": "Win64:Expiro-AJ\\ [Inf]",
"target": null
},
{
"id": "Win.Trojan.Fugrafa-9733007-0",
"display_name": "Win.Trojan.Fugrafa-9733007-0",
"target": null
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6989114-0",
"display_name": "Win.Trojan.VBGeneric-6989114-0",
"target": null
},
{
"id": "VirTool:Win32/VBInject.YA!MTB",
"display_name": "VirTool:Win32/VBInject.YA!MTB",
"target": "/malware/VirTool:Win32/VBInject.YA!MTB"
},
{
"id": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]",
"display_name": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator",
"display_name": "#VirTool:Win32/Obfuscator",
"target": "/malware/#VirTool:Win32/Obfuscator"
},
{
"id": "Backdoor:Win32/Small.IR",
"display_name": "Backdoor:Win32/Small.IR",
"target": "/malware/Backdoor:Win32/Small.IR"
},
{
"id": "Win64:Expiro-AJ\\ [Inf]",
"display_name": "Win64:Expiro-AJ\\ [Inf]",
"target": null
},
{
"id": "Win32:Dh-A\\",
"display_name": "Win32:Dh-A\\",
"target": null
},
{
"id": "CVE-2017-0147",
"display_name": "CVE-2017-0147",
"target": null
},
{
"id": "Ransom:Win32/CVE-2017-0147.A",
"display_name": "Ransom:Win32/CVE-2017-0147.A",
"target": "/malware/Ransom:Win32/CVE-2017-0147.A"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win.Malware.Flystudio-6738927-0",
"display_name": "Win.Malware.Flystudio-6738927-0",
"target": null
},
{
"id": "ALF:SpikeAexR.PEVPOPC",
"display_name": "ALF:SpikeAexR.PEVPOPC",
"target": null
},
{
"id": "Sf:WNCryLdr-A\\ [Trj]",
"display_name": "Sf:WNCryLdr-A\\ [Trj]",
"target": null
},
{
"id": "Win.Ransomware.WannaCry-6313787-0",
"display_name": "Win.Ransomware.WannaCry-6313787-0",
"target": null
},
{
"id": "ransom:Win32/WannaCrypt.H",
"display_name": "ransom:Win32/WannaCrypt.H",
"target": "/malware/ransom:Win32/WannaCrypt.H"
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1198",
"name": "SIP and Trust Provider Hijacking",
"display_name": "T1198 - SIP and Trust Provider Hijacking"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1543.001",
"name": "Launch Agent",
"display_name": "T1543.001 - Launch Agent"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
}
],
"industries": [
"Government",
"Legal",
"Technology",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3779,
"FileHash-MD5": 422,
"FileHash-SHA1": 411,
"FileHash-SHA256": 1824,
"IPv4": 666,
"domain": 979,
"hostname": 2082,
"CVE": 1,
"BitcoinAddress": 3,
"SSLCertFingerprint": 6,
"email": 8
},
"indicator_count": 10181,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "27 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b7cb05b2098c1d2bf20f",
"name": "federal goverment clone cellbrite credit q vashti",
"description": "",
"modified": "2026-03-12T12:55:39.046000",
"created": "2026-03-12T12:55:39.046000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": "696f7d467763ed4d4e74d133",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "37 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "697cdce9ec418c422eee2054",
"name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019",
"description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.",
"modified": "2026-03-01T16:05:57.375000",
"created": "2026-01-30T16:31:37.011000",
"tags": [
"url https",
"url http",
"tlsv1",
"whitelisted",
"united",
"read c",
"as15169",
"stcalifornia",
"execution",
"dock",
"write",
"persistence",
"malware",
"encrypt",
"active",
"lumen technologies",
"number",
"error",
"regexp",
"sxa0",
"amptoken",
"optout",
"retrieving",
"notfound",
"unknown",
"form",
"flash",
"backdoor",
"writeconsolew",
"yara detections",
"command line",
"pdb path",
"pe resource",
"internalname",
"windows command",
"A",
"aws",
"name servers",
"url analysis",
"passive dns",
"urls",
"data upload",
"extraction",
"palantir",
"c2",
"aerospace",
"tracking",
"spywatchdog",
"palapa-c2",
"communications satellite",
"amazon",
"hughesnet",
"icmp traffic",
"washington c",
"washington ou",
"mopr",
"mon jul",
"local",
"dynamic",
"apple",
"network",
"t1057",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1480",
"guardrails",
"t1566",
"present jan",
"unknown ns",
"ip address",
"dnssec",
"domain",
"dynamic dns",
"government",
"pcup",
"germany unknown",
"link",
"dns hosting",
"cloudns",
"cloud dns",
"a domains",
"ipv4 add",
"title",
"meta",
"class",
"servers",
"present aug",
"aaaa",
"present sep",
"present nov",
"present jul",
"present may",
"moved",
"canada unknown",
"begin",
"record value",
"gmt content",
"type",
"hostname add",
"files",
"ascii text",
"pattern match",
"href",
"mitre att",
"ck id",
"ck matrix",
"network traffic",
"et info",
"general",
"path",
"click",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"adversaries",
"input url",
"defense evasion",
"france",
"ireland",
"netherlands",
"denmark",
"united kingdom",
"type indicator",
"role title",
"added active",
"savvis",
"centurylinktechnology",
"hybrid analysis",
"monitoring tools",
"monitored target",
"triangulation",
"worm",
"intel",
"ms windows",
"pe32",
"write c",
"delete c",
"show",
"russia as47764",
"unix",
"lsan jose",
"odigicert inc",
"markus",
"url add",
"http",
"related nids",
"files location",
"russia flag",
"russia hostname",
"russia",
"russia unknown",
"hosting",
"federation flag",
"body",
"gmt vary",
"accept encoding",
"gmt cache",
"certificate",
"pulse submit",
"unknown aaaa",
"search",
"entries",
"script domains",
"script urls",
"pdx cf"
],
"references": [
"\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device",
"Yare: compromised_site_redirector_fromcharcode",
"Alerts: network_icmp nolookup_communication js_eval recon_fingerprint",
"Alerts: console_output has_pdb pe_unknown_resource_name",
"File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..",
"Tipped: A targets AI and other cyber research findings.",
"A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.",
"track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software",
"https://palapa.c.id\t (c.id)",
"Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com",
"cedevice.io \u2022 decagonsoftware.com",
"http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net",
"http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF",
"pcup.gov.ph:",
"http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:",
"https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:",
"https://elegantcosmedampyeah.pages.dev/",
"https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/",
"inst.govelopscold.com",
"https://feedback.ptv.vic.gov.au/360",
"nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au",
"nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au",
"https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d",
"https://brand.centurylinktechnology.com",
"https://prod.centurylinktechnology.com",
"https://brand2.centurylinktechnology.com",
"https://mobile-pocket-guide.centurylinktechnology.com",
"UPX_OEP_place",
"Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg",
"ASP. NET",
"https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:",
"7box.vip"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan.Tofsee/Botx",
"display_name": "Trojan.Tofsee/Botx",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "PWS:Win32/Axespec.A",
"display_name": "PWS:Win32/Axespec.A",
"target": "/malware/PWS:Win32/Axespec.A"
},
{
"id": "Worm:Win32/Lightmoon.H",
"display_name": "Worm:Win32/Lightmoon.H",
"target": "/malware/Worm:Win32/Lightmoon.H"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1439",
"name": "Eavesdrop on Insecure Network Communication",
"display_name": "T1439 - Eavesdrop on Insecure Network Communication"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1069.003",
"name": "Cloud Groups",
"display_name": "T1069.003 - Cloud Groups"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 102,
"FileHash-SHA1": 59,
"FileHash-SHA256": 1929,
"domain": 854,
"hostname": 2156,
"URL": 4475,
"SSLCertFingerprint": 9,
"email": 7,
"CVE": 1
},
"indicator_count": 9592,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "48 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696f7d467763ed4d4e74d133",
"name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login",
"description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.",
"modified": "2026-02-19T12:05:47.166000",
"created": "2026-01-20T13:04:06.622000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "58 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696ac438a696c993b672106d",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:28.261000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696ac4327b5bc2e8be34f78a",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:22.323000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696ac416596cd89cf76bce55",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:04:53.997000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69640c0afc9805a6fa2da07b",
"name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]",
"description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai",
"modified": "2026-02-10T20:03:47.214000",
"created": "2026-01-11T20:46:02.176000",
"tags": [
"lark kdence",
"zack dare",
"zafira",
"jon bonus",
"andy flebbe",
"div div",
"present nov",
"a domains",
"united",
"script urls",
"div a",
"script domains",
"discover",
"moved",
"insert",
"x0 tw",
"urls",
"cloudfront x",
"title error",
"url analysis",
"reverse dns",
"servers",
"name servers",
"united states",
"all ipv4",
"aaaa",
"ip address",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"evasion att",
"t1480 execution",
"ascii text",
"mitre att",
"pattern match",
"null",
"error",
"click",
"hybrid",
"general",
"local",
"path",
"starfield",
"strings",
"refresh",
"tools",
"meta",
"onload",
"span",
"data upload",
"extraction",
"type",
"extra",
"referen https",
"include review",
"exclude sugges",
"stop",
"aivoes typ",
"passive dns",
"date",
"united states",
"status",
"domain add",
"files",
"hostname",
"read c",
"medium",
"search",
"show",
"memcommit",
"high",
"checks",
"windows",
"delete",
"execution",
"dock",
"write",
"persistence",
"capture",
"next",
"amazon02",
"as autonomous",
"system",
"asn16509",
"domain",
"current dns",
"a record",
"as16509",
"december",
"ip information",
"ipasns ip",
"google",
"fastly",
"googlecl",
"akamaias",
"cloudflar",
"domain tree",
"links ip",
"address as",
"cisco",
"umbrella rank",
"general full",
"url https",
"software",
"resource hash",
"protocol h2",
"security tls",
"hostname add",
"challengescript",
"captchascript",
"name",
"value",
"source level",
"url text",
"automatic",
"webgl",
"please",
"extr data",
"data",
"size",
"title",
"yara detections",
"filehash",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"entries",
"rgba",
"unicode",
"asnone",
"malware",
"port",
"destination",
"tlsv1",
"tls handshake",
"failure",
"roboto",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"expiration",
"url http",
"no expiration",
"present jan",
"unknown ns",
"certificate",
"body",
"present oct",
"present may",
"present dec",
"present sep",
"present feb",
"showing",
"next associated",
"all se",
"pulse pulses",
"http",
"files domain",
"files related",
"pulses none",
"debiak",
"tsara brashears",
"ai",
"palantir",
"muso ai",
"sort",
"artists",
"royalties",
"music",
"songwriter",
"collect",
"view",
"malicious app",
"false claims"
],
"references": [
"https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a",
"22.hio52.r.cloudfront.net",
"us-gov-west-1.gov.reveal-global.com",
"us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647",
"MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page",
"External Hosts Israel Unique Countries 2 Unique ASNs 2 IP",
"ASN 82.80.204.63 www5.incredimail.com \u2022 Israel",
"United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel",
"AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel",
"Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)",
"IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5",
"Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com",
"medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com",
"caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com",
"upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com",
"https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/",
"http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com",
"https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com",
"engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com",
"https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com",
"http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/",
"https://glare.pali om. \u2022 http://engage.palantirfou?",
"What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co",
"(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022",
"www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!",
"campdeadwood2026.com",
"http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy",
"Pornhub to your phone. Dumping or by request?",
"https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/",
"www.killer333.club So I\u2019m right."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Incredimail-6804483-0",
"display_name": "Win.Malware.Incredimail-6804483-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "TA0028",
"name": "Persistence",
"display_name": "TA0028 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10686,
"hostname": 2427,
"domain": 1094,
"FileHash-MD5": 175,
"FileHash-SHA1": 65,
"FileHash-SHA256": 1118,
"email": 4,
"SSLCertFingerprint": 14
},
"indicator_count": 15583,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6961a8ed7b492f9e0ba38990",
"name": "HeartSender.A and other Malware attacks originating from Palantirs Pahamify Pegasus",
"description": "Pahamify Pegasus : HackTool \u2022 Speedcat \u2022 HeartSender.A \u2022 Zbot and other malware found.\nSearc begins with single FileHash referenced below. \nI\u2019m checking the processes and sharing it here one group at a time. Too much research at once could bring Amazon AWS down. Again.",
"modified": "2026-02-09T00:04:37.974000",
"created": "2026-01-10T01:18:36.999000",
"tags": [
"read c",
"write c",
"port",
"destination",
"united",
"medium",
"as16509",
"memcommit",
"write",
"execution",
"dock",
"persistence",
"next executed",
"commands graph",
"tree",
"sample hash",
"passive dns",
"present jan",
"title error",
"urls",
"files",
"date hash",
"avast avg",
"dynamicloader",
"host",
"utf8",
"unicode text",
"crlf line",
"binary resource",
"ms windows",
"search",
"intel",
"pcspeedcat",
"win32",
"internal",
"malware",
"local",
"unknown",
"get na",
"http",
"okrnserver",
"ip address",
"http traffic",
"guard",
"powershell",
"ipv4 add",
"servers",
"name servers",
"capture",
"link",
"gateway",
"tofsee att",
"ck ids",
"t1055",
"injection",
"t1071",
"protocol",
"t1573",
"target",
"url http",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"t1480 execution",
"discovery att",
"mitre att",
"ck matrix",
"ascii text",
"hybrid",
"general",
"path",
"click",
"strings",
"high",
"etpro malware",
"next",
"stack",
"format",
"error",
"unicode",
"head http",
"regsetvalueexa",
"qt binary",
"resource file",
"pe32",
"hostile",
"unknown aaaa",
"unknown ns",
"x content",
"gmt cache",
"domain add",
"title",
"present sep",
"a td",
"td tr",
"dir td",
"td td",
"present may",
"present jun",
"present apr",
"present aug",
"present oct",
"head body",
"gmt server",
"index",
"main",
"accept",
"status",
"th tr",
"moved",
"record value",
"expiration date",
"germany unknown",
"present dec",
"cache control",
"present nov",
"max age1000000",
"cookie",
"hosting",
"reverse dns",
"location france",
"france asn",
"as16276",
"trojandropper",
"next associated",
"mtb jan",
"exploit",
"emails",
"trojan",
"pegasus",
"hostname add",
"url analysis",
"domain",
"files ip",
"address",
"france unknown",
"asn as16276",
"backdoor",
"entries",
"setcookie",
"twitter",
"refloadapihash",
"virtool",
"show",
"displayname",
"windows",
"rndhex",
"tofsee",
"stream",
"encrypt",
"push",
"creation date",
"france",
"date",
"body",
"pup",
"amazon",
"amazon aws",
"salesforce",
"herokuappdev",
"google",
"igoogle",
"monitored target",
"cats"
],
"references": [
"FileHash-SHA256\t9f66cab9d7c581cf2dd28b6ae3178bb3d38975ff257c3ffb67c3e89d0f7135ee",
"https://otx.alienvault.com/indicator/ip/3.163.24.10",
"External Hosts: 52.57.183.74\t access.pcspeedcat.com\taccess.pcspeedcat.com\tGermany\tAS16509 amazon.com inc\taccess.pcspeedcat.com Germany AS16509 amazon.",
"External Hosts: 3.163.24.10\t www.pcspeedcat.com\twww.pcspeedcat.com\tUnited States ASNone",
"https://otx.alienvault.com/indicator/hostname/pegasus.pahamify.com",
"https://otx.alienvault.com/indicator/url/https://pegasus.pahamify.com/",
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"http://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"biblegateway.comwww.biblegateway.com \u2022 www.biblegateway.com",
"Malicious Application Development: herokuappdev.com (Patter match 8 years +)",
"direwolf-8b1a1bc476.staging.herokuappdev.com",
"Malicious Application Development: herokuappdev.com (pattern matching spans 8+ years)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Generic-9871124-0",
"display_name": "Win.Malware.Generic-9871124-0",
"target": null
},
{
"id": "ALF:HackTool:MSIL/HeartSender.A",
"display_name": "ALF:HackTool:MSIL/HeartSender.A",
"target": null
},
{
"id": "Win.Malware.Speedcat-6957425",
"display_name": "Win.Malware.Speedcat-6957425",
"target": null
},
{
"id": "Tofsee Attack",
"display_name": "Tofsee Attack",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
}
],
"industries": [
"Civil Society",
"Telecommunications",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 404,
"FileHash-SHA1": 286,
"FileHash-SHA256": 1419,
"SSLCertFingerprint": 7,
"domain": 441,
"URL": 4233,
"hostname": 1217,
"email": 10
},
"indicator_count": 8017,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "69 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6958780c8479a9d69920c3d8",
"name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack",
"description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.",
"modified": "2026-02-02T01:02:46.327000",
"created": "2026-01-03T01:59:40.530000",
"tags": [
"united",
"moved",
"title",
"passive dns",
"ipv4 add",
"urls",
"files",
"hosting",
"reverse dns",
"location united",
"hash avast",
"avg clamav",
"msdefender mar",
"read c",
"create c",
"medium",
"search",
"memcommit",
"high",
"checks",
"windows",
"execution",
"dock",
"write",
"persistence",
"capture",
"local",
"ref b",
"wed may",
"backdoor",
"mtb aug",
"next associated",
"mtb dec",
"twitter",
"smoke loader",
"malware",
"virtool",
"hacktool",
"data upload",
"present dec",
"mtb apr",
"win32",
"trojan",
"worm",
"lowfi",
"cybota",
"expiration date",
"name servers",
"ipv4",
"url analysis",
"port",
"destination",
"telnet login",
"bad login",
"gpl telnet",
"suspicious path",
"busybox",
"tcp syn",
"et telnet",
"path",
"mirai",
"filehash",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"america",
"ck id",
"name tactics",
"suspicious",
"informative",
"learn",
"t1179 hooking",
"installs",
"t1035 service",
"adversaries",
"msie",
"windows nt",
"slcc2",
"media center",
"y013",
"flag",
"span",
"accept",
"core",
"february",
"hybrid",
"malicious",
"general",
"click",
"strings",
"roboto",
"next",
"usa windows",
"finished",
"queueprogress",
"timestamp input",
"threat level",
"october",
"september",
"hwp support",
"fresh",
"win64",
"khtml",
"gecko",
"brand",
"microsoft edge",
"programfiles",
"comspec",
"model",
"iframe",
"form",
"listeners",
"initial access",
"t1590 gather",
"victim network",
"ssl certificate",
"quasi government",
"jeffrey reimer",
"palantir",
"Regis university",
"otx hp",
"apple",
"pegasus",
"h5 data center",
"florence colorado",
"brian sabey",
"target : Tsara Brasheaers",
"aig",
"industry and commerce",
"united states",
"State of Colorado.",
"date",
"status",
"domain",
"hostname add",
"pulse pulses",
"files ip",
"address",
"url https",
"url http",
"hostname",
"show",
"type indicator",
"source hostname",
"entries",
"Prometheus Intelligence Technology",
"pulse submit",
"america flag",
"body",
"dynamicloader",
"microsoft azure",
"tls issuing",
"named pipe",
"json",
"ascii text",
"lredmond",
"Apple",
"Telnet",
"BusyBox",
"Pegasus",
"Colorado State Fixer: Christopher P. Ahmann",
"Hijacker: Brian Sabey",
"For: Concentra",
"Protecting Assaulter: Jeffrey Reimer",
"For: AIG",
"For Industry and Commerce",
"For: Quasi Government",
"For: Workers Compensation",
"Authorities",
"Law Enforcement Dark",
"Silencing",
"Tampering with a Victim",
"Meta",
"Palantir",
"Google",
"Bing",
"Microsoft",
"ColoCrossing",
"Associates",
"hit men"
],
"references": [
"ET Telnet | https://www.colocrossing.com | velocity servers",
"https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives",
"TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host",
"Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)",
"(legitimate services will remain up-and-running usually) High | ID dead_host",
"ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0",
"IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login",
"Yara Detections is__elf",
"Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Yara Detections is__elf , ELFHighEntropy , elf_empty_sections",
"http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/",
"https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l",
"https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!",
"https://www.colocrossing.com/",
"(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.",
"In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov",
"104.21.51.140, 172.67.181.41",
"Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot",
"stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe",
"Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download",
"Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration",
"IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192",
"IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82",
"Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com",
"This is hard to comprehend or put into indelible words."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.DarkNexus-7679166-0",
"display_name": "Unix.Trojan.DarkNexus-7679166-0",
"target": null
},
{
"id": "HackTool:MSIL/Boilod.C!bit",
"display_name": "HackTool:MSIL/Boilod.C!bit",
"target": "/malware/HackTool:MSIL/Boilod.C!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1204.002",
"name": "Malicious File",
"display_name": "T1204.002 - Malicious File"
},
{
"id": "T1462",
"name": "Malicious Software Development Tools",
"display_name": "T1462 - Malicious Software Development Tools"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Technology",
"Healthcare",
"Insurance",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6390,
"domain": 723,
"hostname": 1978,
"FileHash-SHA256": 1912,
"FileHash-MD5": 410,
"FileHash-SHA1": 306,
"email": 3,
"SSLCertFingerprint": 28,
"CVE": 3
},
"indicator_count": 11753,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "76 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "693f3ef3b05672ba47b903e3",
"name": "Create Amazing Password Forms - Project Cicada",
"description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)",
"modified": "2026-01-13T22:02:50.260000",
"created": "2025-12-14T22:49:23.114000",
"tags": [
"cicada",
"project cicada",
"united states",
"quasi government",
"asnone country",
"united",
"moved",
"agent",
"meta",
"title error",
"reverse dns",
"servers",
"urls",
"url analysis",
"aaaa",
"present dec",
"ip address",
"america flag",
"unknown",
"Christopher P. \u2018Buzz\u2019 Ahmann",
"brian sabey.",
"State of Colorado",
"date checked",
"url hostname",
"server response",
"google safe",
"results mar",
"avast avg",
"qualified immunity",
"address google",
"freeman",
"mathis",
"special forces",
"tailored access",
"tao",
"hacker force",
"infiltrate",
"manipulate",
"sabotage",
"tools",
"show",
"results nov",
"9b",
"tao operations",
"root9b",
"hunt operations",
"error mar",
"over watch",
"overkill",
"read c",
"memcommit",
"high",
"checks",
"windows",
"delete",
"execution",
"dock",
"write",
"persistence",
"capture",
"next",
"local",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"suspicious_write_exe",
"network_icmp",
"antisandbox_restart",
"creates_largekey",
"infostealer_keylogger",
"proess_martian",
"injection_resumethread",
"allocates_rwx",
"targeted intelligence",
"js_eval",
"network_http",
"name servers",
"value domain",
"domain name",
"expiration date",
"safe browsing",
"unknown ns",
"record value",
"vercel",
"certificate",
"domain add",
"refresh",
"encrypt",
"x vercel",
"k jun",
"mtb jul",
"next http",
"scans record",
"value",
"deployment not",
"ransom",
"trojan",
"a domains",
"safari",
"android",
"webkit",
"animation",
"click",
"title",
"passive dns",
"gmt content",
"arial helvetica",
"ipv4 add",
"status",
"search",
"emails",
"as15169 google",
"virtool",
"cryp",
"as396982",
"win32",
"error",
"code",
"domain",
"showing",
"query",
"hostile",
"observed dns",
"et dns",
"et info",
"dns query",
"malware",
"push",
"gmt cache",
"sameorigin",
"files",
"url add",
"http",
"related nids",
"files location",
"flag united",
"as44273 host",
"hostname add",
"unknown aaaa",
"win32upatre dec",
"mtb dec",
"trojandropper",
"hstr",
"next associated",
"backdoor",
"entity",
"tempe",
"present sep",
"hostname",
"verdict",
"lowfi",
"usesscrrun",
"ipv4",
"element",
"password",
"developers",
"create",
"forms web",
"group",
"make sure",
"autocomplete",
"currentpassword",
"make",
"extraction",
"data upload",
"search otx",
"ider data",
"asn na",
"ag da",
"source level",
"url text",
"general full",
"url https",
"protocol h2",
"security tls",
"asn16509",
"amazon02",
"resource",
"hash",
"as16509",
"us note",
"route",
"redacted for",
"script urls",
"japan unknown",
"present apr",
"present mar",
"accept",
"cookie",
"path",
"sectigo https",
"encrypt https",
"log id",
"trustasia https",
"amazon",
"search criteria",
"22965417271",
"summary leaf",
"timestamp entry",
"log operator",
"https",
"script script",
"cname",
"present jun",
"coup",
"files ip",
"address",
"location united",
"asn as16509",
"color value",
"item tile",
"gmt max",
"primary text",
"text color",
"play button",
"search bar",
"dasher",
"flag",
"bad traffic",
"tls handshake",
"failure",
"analysis tip",
"windir",
"openurl c",
"ascii text",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"network traffic",
"beginstring",
"show process",
"null",
"span",
"general",
"strings",
"look",
"verify",
"restart",
"dynamicloader",
"ee fc",
"yara rule",
"ff d5",
"c1 e0",
"f0 ff",
"ff ff",
"eb e2",
"ed b8",
"fe ff",
"june",
"polymorphic",
"network cnc",
"cnc",
"dead connect",
"present nov",
"france unknown",
"generic http",
"exe upload",
"uploading exe",
"intel",
"ms windows",
"medium",
"http traffic",
"monitored target",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"learn",
"command",
"suspicious",
"informative",
"name tactics",
"spawns",
"t1480 execution",
"file defense",
"file discovery",
"t1071",
"t1057",
"segoe ui",
"script",
"html",
"body",
"twitter",
"formbook cnc",
"checkin",
"pegasus",
"get updates",
"p2p zeus",
"downloader",
"mpress",
"win32upatre sep",
"win32upatre oct",
"win32upatre nov",
"india unknown",
"r61afin",
"common upatre",
"write c",
"cts exe",
"ids detections",
"open",
"present aug",
"singapore",
"date",
"creation date",
"pentest people",
"tesla hackers",
"vietnam unknown",
"viet nam",
"company limited",
"pulse pulses"
],
"references": [
"http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022",
"dev-app.project-cicada.com \u2022 project-cicada.com",
"NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com",
"Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92",
"Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.",
"api.acumatica.flex.redteam.com",
"CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]",
"CICADA Contextual Inference & Comprehensive Analysis Data Agent",
"https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png",
"https://goo.gl/9p2vKq",
"IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
"Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)",
"Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self",
"Alerts: network_cnc_http network_http packer_unknown_pe_section_name",
"Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter",
"IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake",
"IDS Detections Gh0stCringe CnC Activity M2",
"Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st",
"Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks",
"Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect",
"https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls",
"googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K",
"teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com"
],
"public": 1,
"adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Doc.Downloader.EmotetRed02220-9938909-0",
"display_name": "Doc.Downloader.EmotetRed02220-9938909-0",
"target": null
},
{
"id": "TrojanDropper:Win32/VB.IL",
"display_name": "TrojanDropper:Win32/VB.IL",
"target": "/malware/TrojanDropper:Win32/VB.IL"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Cymt",
"display_name": "Cymt",
"target": null
},
{
"id": "TrojanDownloader:Win32/Upatre.AA",
"display_name": "TrojanDownloader:Win32/Upatre.AA",
"target": "/malware/TrojanDownloader:Win32/Upatre.AA"
},
{
"id": "Win.Trojan.Gh0stRAT-9955419-1",
"display_name": "Win.Trojan.Gh0stRAT-9955419-1",
"target": null
},
{
"id": "Win32:MalOb-BX",
"display_name": "Win32:MalOb-BX",
"target": null
},
{
"id": "Win.Trojan.Agent",
"display_name": "Win.Trojan.Agent",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator.K",
"display_name": "VirTool:Win32/Obfuscator.K",
"target": "/malware/VirTool:Win32/Obfuscator.K"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1027.002",
"name": "Software Packing",
"display_name": "T1027.002 - Software Packing"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11102,
"hostname": 4142,
"domain": 4251,
"email": 15,
"FileHash-SHA256": 3108,
"FileHash-MD5": 624,
"FileHash-SHA1": 490,
"CIDR": 1,
"SSLCertFingerprint": 3
},
"indicator_count": 23736,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "95 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6935c92c5fc93fd873c6aa6d",
"name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)",
"description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727",
"modified": "2026-01-06T18:04:02.620000",
"created": "2025-12-07T18:36:28.055000",
"tags": [
"memcommit",
"read c",
"t1082",
"cryptexportkey",
"invalid pointer",
"write",
"msil",
"malware",
"media",
"autorun",
"countries",
"united",
"america",
"high defense",
"evasion",
"t1055",
"ck technique",
"technique id",
"allocates",
"potential code",
"attempts",
"threatintel",
"dark web",
"coinbasecartel",
"ransomware",
"osint",
"tor",
"data breach",
"cinvestav",
"ai generated",
"ransomware leak",
"page",
"november",
"investigacin y",
"nacional",
"mexican",
"mexico",
"present nov",
"verdana",
"td tr",
"passive dns",
"ip address",
"urls",
"aaaa",
"present may",
"present oct",
"present jul",
"virtool",
"present sep",
"present jun",
"win32",
"default",
"unicode",
"png image",
"rgba",
"high",
"dock",
"execution",
"xport",
"unknown",
"data upload",
"extraction",
"will",
"data",
"name cloudflare",
"hostmaster name",
"org cloudflare",
"townsend st",
"city san",
"us creation",
"kelihos",
"ipv4",
"present dec",
"files",
"domain",
"search",
"hostname",
"verdict",
"location united",
"asn as16625",
"akamai",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results nov",
"present aug",
"backdoor",
"msie",
"chrome",
"trojan",
"mtb aug",
"worm",
"cryp",
"junkpoly",
"twitter",
"trojandropper",
"title",
"germany unknown",
"ipv4 add",
"pulse pulses",
"hosting",
"reverse dns",
"cologne",
"search engine",
"gse compromised",
"redacted for",
"privacy admin",
"privacy tech",
"server",
"organization",
"street",
"city",
"stateprovince",
"postal code",
"country",
"resolver domain",
"cape sa",
"virustot",
"type pdf",
"name",
"lookups",
"email abuse",
"historical ssl",
"certificates",
"first",
"graph summary",
"cname",
"address",
"ip2location",
"bogon ip",
"admin",
"network",
"wifi password",
"ssid",
"demo",
"details",
"failed",
"include review",
"exclude sugges",
"onlv",
"x try",
"find s",
"typ url",
"url data",
"severity att",
"module load",
"icmp traffic",
"dns query",
"t1055 jseval",
"windows nt",
"port",
"entries",
"destination",
"medium",
"show",
"pecompact",
"june",
"service",
"next",
"xserver",
"encrypt",
"t1129",
"windows module",
"dlls",
"convention",
"windows native"
],
"references": [
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"hallplan.vm05.iveins.de",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"Name : iveins.de Service : connect",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727"
],
"public": 1,
"adversary": "COINBASECARTEL",
"targeted_countries": [
"United States of America",
"Sweden",
"Bangladesh",
"Japan"
],
"malware_families": [
{
"id": "Trojan:Win32/Tiggre!rfn",
"display_name": "Trojan:Win32/Tiggre!rfn",
"target": "/malware/Trojan:Win32/Tiggre!rfn"
},
{
"id": "MSIL:Agent-DQ\\ [Trj]",
"display_name": "MSIL:Agent-DQ\\ [Trj]",
"target": null
},
{
"id": "VirTool:MSIL/Covent.A",
"display_name": "VirTool:MSIL/Covent.A",
"target": "/malware/VirTool:MSIL/Covent.A"
},
{
"id": "Trojan:Win32/Pynamer!rfn",
"display_name": "Trojan:Win32/Pynamer!rfn",
"target": "/malware/Trojan:Win32/Pynamer!rfn"
},
{
"id": "Win64:TrojanX",
"display_name": "Win64:TrojanX",
"target": null
},
{
"id": "VirTool:MSIL/Covent",
"display_name": "VirTool:MSIL/Covent",
"target": "/malware/VirTool:MSIL/Covent"
},
{
"id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "Kelihos",
"display_name": "Kelihos",
"target": null
},
{
"id": "CVE-2025-11727",
"display_name": "CVE-2025-11727",
"target": null
},
{
"id": "Exploit:JS/CVE-2014-0322",
"display_name": "Exploit:JS/CVE-2014-0322",
"target": "/malware/Exploit:JS/CVE-2014-0322"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
}
],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 144,
"FileHash-SHA1": 117,
"FileHash-SHA256": 1746,
"URL": 5018,
"hostname": 1827,
"domain": 1072,
"CVE": 3,
"email": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9938,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692d400f81164107d98922db",
"name": "Injector.BO : DNS Reply Sinkhole via Phishing emails , texts , drives or malicious links",
"description": "\"Phishing threat: This is a phishing website that impersonates a trusted website to trick you into revealing personal or financial information.\";var L_MalwareThreat_TEXT = \"Malicious software threat: This site contains links to viruses or other software programs that can reveal personal information stored or typed on your computer to malicious persons",
"modified": "2025-12-31T06:01:00.551000",
"created": "2025-12-01T07:13:19.659000",
"tags": [
"url http",
"url https",
"urls",
"files",
"address",
"asn as400519",
"united states",
"info geo",
"united",
"as400519",
"us note",
"route",
"ipv4",
"live",
"superdata",
"viet nam",
"cisco umbrella",
"sectigo rsa",
"secure",
"google safe",
"browsing",
"current dns",
"a record",
"input",
"closenotify",
"phpsessid value",
"source level",
"url text",
"general full",
"protocol h2",
"security tls",
"ecdhersa",
"asn45544",
"reverse dns",
"resource",
"hash",
"as45544",
"vn note",
"backdoor",
"generic",
"cnc activity",
"passive dns",
"ipv4 add",
"company limited",
"dnssec",
"hostname add",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"t1480 execution",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ip address",
"vietnam",
"location viet",
"nam flag",
"urlhttp",
"extracted files",
"unicode text",
"utf8 text",
"lowfihstr",
"trojan",
"mtb trojan",
"spawns",
"found",
"process details",
"flag",
"contacted",
"xb6x04x00",
"t1055",
"search",
"read c",
"cnlolcat",
"microsoft",
"medium",
"entries",
"unknown",
"virtool",
"malware",
"copy",
"write",
"win32",
"next",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"china unknown",
"creation date",
"body",
"please",
"x msedge",
"tracking"
],
"references": [
"anonsecbotnet.cameraddns.net",
"https://api.playit.gg/agents/routing/get",
"http://www.google.com-viruswall1-source-cloud-computing-services-distribution.cpdev.dyson.cn/",
"https://www.endgamesystems.com/",
"IDS Detections : DNS Rep Sinkhole - Microsoft - 199.2.137.0/24"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:MSIL/Ranos.A",
"display_name": "Trojan:MSIL/Ranos.A",
"target": "/malware/Trojan:MSIL/Ranos.A"
},
{
"id": "Trojan:MSIL/ClipBanker.GC!MTB",
"display_name": "Trojan:MSIL/ClipBanker.GC!MTB",
"target": "/malware/Trojan:MSIL/ClipBanker.GC!MTB"
},
{
"id": "Win.Packed.Msilperseus-9956592-0",
"display_name": "Win.Packed.Msilperseus-9956592-0",
"target": null
},
{
"id": "ALF:Backdoor:MSIL/Noancooe.",
"display_name": "ALF:Backdoor:MSIL/Noancooe.",
"target": null
},
{
"id": "Win.Trojan.Generic-6417450-0",
"display_name": "Win.Trojan.Generic-6417450-0",
"target": null
},
{
"id": "Win.Packed.Bladabindi-6872770-0",
"display_name": "Win.Packed.Bladabindi-6872770-0",
"target": null
},
{
"id": "#LowFiHSTR:MSIL/Confuser",
"display_name": "#LowFiHSTR:MSIL/Confuser",
"target": "/malware/#LowFiHSTR:MSIL/Confuser"
},
{
"id": "Win.Dropper.njRAT-10015886-0",
"display_name": "Win.Dropper.njRAT-10015886-0",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AP",
"display_name": "Backdoor:MSIL/Bladabindi.AP",
"target": "/malware/Backdoor:MSIL/Bladabindi.AP"
},
{
"id": "Win.Packed.Generic-9795615-0",
"display_name": "Win.Packed.Generic-9795615-0",
"target": null
},
{
"id": "Win.Packed.Generic-9795615-0",
"display_name": "Win.Packed.Generic-9795615-0",
"target": null
},
{
"id": "Win.Packed.Fecn-7077459-0",
"display_name": "Win.Packed.Fecn-7077459-0",
"target": null
},
{
"id": "Win.Packed.Marsilia-10021147-0",
"display_name": "Win.Packed.Marsilia-10021147-0",
"target": null
},
{
"id": "VirTool:Win32/Injector.BO",
"display_name": "VirTool:Win32/Injector.BO",
"target": "/malware/VirTool:Win32/Injector.BO"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1578.001",
"name": "Create Snapshot",
"display_name": "T1578.001 - Create Snapshot"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1610,
"domain": 147,
"hostname": 501,
"FileHash-SHA256": 384,
"CIDR": 3,
"FileHash-MD5": 79,
"FileHash-SHA1": 77,
"email": 3,
"SSLCertFingerprint": 1
},
"indicator_count": 2805,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "109 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6916dc43beba2f3839fd7c36",
"name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com",
"description": "FireEye appears to have been a Cybersecurity that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ; reported false information / documentation. FEDNS1.FIREEYE.COM URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix",
"modified": "2025-12-14T05:04:31.480000",
"created": "2025-11-14T07:37:39.794000",
"tags": [
"gmt content",
"related tags",
"found title",
"cache control",
"x request",
"runtime",
"vary",
"reverse dns",
"ashburn",
"resource",
"verdict",
"address",
"read c",
"unicode",
"high",
"memcommit",
"delete",
"dock",
"write",
"execution",
"next associated",
"server response",
"port",
"destination",
"crlf line",
"malware",
"png image",
"rgba",
"united states",
"medium",
"encrypt",
"america",
"msie",
"unknown",
"present jan",
"name servers",
"present oct",
"present may",
"present mar",
"present dec",
"present nov",
"united",
"present apr",
"present jun",
"urls show",
"url hostname",
"ip address",
"google safe",
"results jun",
"canada unknown",
"passive dns",
"canada",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"twitter",
"chrome",
"urls",
"files",
"asn as13335",
"dns resolutions",
"trojan",
"trojanspy",
"win32",
"title",
"servers",
"unknown ns",
"domain",
"present aug",
"present sep",
"files domain",
"files related",
"none google",
"safe browsing",
"unknown aaaa",
"moved",
"cloudfront x",
"meta",
"ip whois",
"registrar",
"hostname",
"files ip",
"ipv4 add",
"location united",
"america flag",
"america asn",
"present jul",
"virtool",
"record value",
"dnssec",
"meta http",
"content",
"gmt server",
"litespeed x",
"present feb",
"write c",
"as62597 nsone",
"as16509",
"module load",
"t1129",
"service",
"dynamicloader",
"windows",
"tofsee",
"stream",
"hostile",
"win64",
"delete c",
"all ipv4",
"url analysis",
"status",
"error",
"aaaa",
"ireland unknown",
"asn as14618",
"backdoor",
"a domains",
"russia",
"mtb nov",
"ransom",
"displayname",
"push",
"yara rule",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"rndchar",
"checks",
"checks system",
"filehash",
"av detections",
"ids detections",
"yara detections",
"learn",
"command",
"adversaries",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"found",
"ssl certificate",
"flag",
"server",
"cloudflare",
"csc corporate",
"domains",
"fireeye",
"contacted hosts",
"mitre att",
"pattern match",
"ck matrix",
"hybrid",
"local",
"path",
"click",
"strings",
"foundry",
"josht.ca",
"paid parking",
"parking crews"
],
"references": [
"Fireye - FEDNS1.FIREEYE.COM",
"http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==",
"http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356",
"http://p2d.josht.ca/assets/content-delivery/depots/download",
"test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca",
"http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/",
"https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022",
"https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/",
"https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg",
"https://p2d.josht.ca/api/depots/info/?depot=",
"https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/",
"Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.",
"According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021",
"Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?",
"Daisy was allegedly brutally assaulted by Matthew Barnett,",
"Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.",
"Is that where they\u2019re getting these names? Rexxfield.com. SMH",
"There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.",
"According to accounts she was afraid for her life , found to be safe then took her own life?",
"Typing a suicide note on social media is suspicious since it could come from your murderer.",
"So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?",
"Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.",
"and our limited information, is Daisy a victim or a crisis actor?",
"Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me",
"Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.",
"Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)",
"Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.",
"FireEye was there in 2 year old pulse now removed? I\u2019ll find it."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7617,
"domain": 1127,
"hostname": 3591,
"email": 9,
"FileHash-SHA256": 1160,
"FileHash-MD5": 481,
"FileHash-SHA1": 404,
"SSLCertFingerprint": 13,
"CVE": 1
},
"indicator_count": 14403,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "126 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69138421066f81131da59cc5",
"name": "Malicious Legal Google Botnet - Treece Alfrey Musat P.C.\u2022 Christopher P. Ahmann Spam - Malicious ",
"description": "",
"modified": "2025-12-03T00:01:23.660000",
"created": "2025-11-11T18:44:49.343000",
"tags": [
"status",
"date",
"name servers",
"lowfi",
"passive dns",
"urls",
"domain",
"susp",
"win32",
"search",
"win64",
"error",
"url https",
"url http",
"ipv4",
"type indicator",
"role title",
"added active",
"related pulses",
"morocco",
"united kingdom",
"united",
"present nov",
"aaaa",
"present oct",
"cname",
"brazil",
"malaysia",
"title",
"present jun",
"ip address",
"creation date",
"record value",
"emails",
"unknown aaaa",
"body",
"url add",
"pulse pulses",
"http",
"related nids",
"files location",
"flag united",
"trojan",
"trojandropper",
"virtool",
"entries",
"next associated",
"ipv4 add",
"unknown ns",
"present jul",
"present sep",
"present aug",
"win32upatre nov",
"candyopen",
"tlsv1",
"port",
"destination",
"ogoogle trust",
"cngts ca",
"show",
"read c",
"youtube",
"copy",
"dock",
"write",
"next",
"malware",
"persistence",
"execution",
"filehashmd5",
"hostname",
"filehashsha256",
"types of",
"germany",
"poland",
"indicator role",
"title added",
"active related",
"pulses url",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6907f7e98289b75f3e5ecaba",
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 400,
"URL": 2857,
"FileHash-MD5": 217,
"FileHash-SHA1": 172,
"FileHash-SHA256": 1426,
"email": 6,
"hostname": 1019,
"SSLCertFingerprint": 6
},
"indicator_count": 6103,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "137 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6907f7e98289b75f3e5ecaba",
"name": "- Treece Alfrey Musat P.C. - Malicious Legal Google Botnet",
"description": "Christopher P.\nAhmann\u2019s Google Botnet. Defense attorneys fighting worker\u2019s compensation case and ruining a targets life for years. Malicious.[OTX auto popular-HOSTNAME: Google Video.com (GOOGlevideo.COM), an unauthorised website, has been blocked by the internet service regulator, the regulator of the domain registry.]\n\n#pulsed_by_otx #private_google #legal_goigle #malicious_practices",
"modified": "2025-12-03T00:01:23.660000",
"created": "2025-11-03T00:31:37.396000",
"tags": [
"status",
"date",
"name servers",
"lowfi",
"passive dns",
"urls",
"domain",
"susp",
"win32",
"search",
"win64",
"error",
"url https",
"url http",
"ipv4",
"type indicator",
"role title",
"added active",
"related pulses",
"morocco",
"united kingdom",
"united",
"present nov",
"aaaa",
"present oct",
"cname",
"brazil",
"malaysia",
"title",
"present jun",
"ip address",
"creation date",
"record value",
"emails",
"unknown aaaa",
"body",
"url add",
"pulse pulses",
"http",
"related nids",
"files location",
"flag united",
"trojan",
"trojandropper",
"virtool",
"entries",
"next associated",
"ipv4 add",
"unknown ns",
"present jul",
"present sep",
"present aug",
"win32upatre nov",
"candyopen",
"tlsv1",
"port",
"destination",
"ogoogle trust",
"cngts ca",
"show",
"read c",
"youtube",
"copy",
"dock",
"write",
"next",
"malware",
"persistence",
"execution",
"filehashmd5",
"hostname",
"filehashsha256",
"types of",
"germany",
"poland",
"indicator role",
"title added",
"active related",
"pulses url",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 400,
"URL": 2857,
"FileHash-MD5": 217,
"FileHash-SHA1": 172,
"FileHash-SHA256": 1426,
"email": 6,
"hostname": 1019,
"SSLCertFingerprint": 6
},
"indicator_count": 6103,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "137 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e32dd0c55bf224eb99dd58",
"name": "Appspot.com - Google account fraud & infostealing",
"description": "Fake Google email accounts. I\u2019ve reviewed a handful of targets with this issue. If starting with a new device, signed up for a new google account,\nthe users are automatically logged out, forced to sign in again, checked security features where you can see an unauthorized autonomous general\nphone, or iPhone or MacBook was also signed in in a different location. Even if you delete the device or email account, I\u2019ve seen the intruder handle CnC of all backups of photos and clouds. \n\n\n\n[OTX auto populated - The full list of domain names: APPSPot.COM.com, which was created on the same day as the Google search engine, has been published by the internet regulator, the IANA.]",
"modified": "2025-11-05T01:01:26.928000",
"created": "2025-10-06T02:47:44.098000",
"tags": [
"aaaa",
"susp",
"trojan",
"google",
"server",
"domain status",
"registrar abuse",
"domain name",
"us registrant",
"email",
"contact email",
"rdap database",
"google app",
"google hosted",
"please",
"vulnerabilities",
"join",
"bring",
"api explorer",
"engine",
"admin sdk",
"info",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"ssl certificate",
"ascii text",
"united",
"pattern match",
"mitre att",
"general",
"local",
"path",
"click",
"strings",
"porn",
"phishing",
"fraud",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"download",
"apt",
"ansi",
"dumps",
"file string",
"seen",
"disabled hash",
"close",
"hosts",
"contact",
"tellwise",
"passive dns",
"urls",
"pulse pulses",
"files",
"verdict",
"domain",
"files ip",
"address",
"location united",
"asn as15169",
"extraction",
"data upload",
"extra",
"referen http",
"changed data",
"failed",
"include review",
"t07 exclude",
"extri data",
"changed",
"exclude",
"find s",
"tvnes data",
"status",
"present nov",
"name servers",
"entries",
"geoid no",
"present dec",
"date",
"error",
"title",
"sugges",
"typ no",
"no entrieotound",
"scam",
"foundry",
"sabey type",
"denver",
"quasi",
"phoenix",
"australia"
],
"references": [
"appspot.com \u2022 hyper7install.appspot.com",
"https://hybrid-analysis.com/sample/c61237fcb798f05e6af32a6aa13f8e795aac47559d601eb7f93ad65bcf58b418/68e30c476b91a8000b0dd786",
"http://acounts.google.com/v/signin/identifier?continue=hts%253%252F2Fconsole.cloud.google.com2Fapengine&dsh=5-1106814258%2539876543210",
"Changed last several digits of gmail account # In example",
"http://console.cloud.google.com/appengine",
"https://310940000.android.com.twitter.android.adsenseformobileapps.com/",
"https://www.netify.ai/resources/domains \u2022 192-168-0-21.3pt3m9ng2hf.ddns.manage.alta.inc",
"device-local-de06e551-6b23-4aa3-bb67-6972ae6d30b5.remotewd.com 192.168.0.21",
"116e33e0-8832-11ec-aef5-99a1d044639a-local.solinkcloud.com",
"jaycobundaberg.eclipseaurahub.com.au 192.168.0.21",
"grafana.ledocloud.com\u2022 192.168.0.21",
"192-168-0-21.siliconevalley1.direct.quickconnect.to"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32/Madang",
"display_name": "Win32/Madang",
"target": null
},
{
"id": "Win.Downloader.Small-1966",
"display_name": "Win.Downloader.Small-1966",
"target": null
},
{
"id": "Win32:SaliCode",
"display_name": "Win32:SaliCode",
"target": null
},
{
"id": "Virtool:Win32/Vbinder.CO",
"display_name": "Virtool:Win32/Vbinder.CO",
"target": "/malware/Virtool:Win32/Vbinder.CO"
},
{
"id": "!Themida",
"display_name": "!Themida",
"target": null
},
{
"id": "Virus:Win32/Sality.AT",
"display_name": "Virus:Win32/Sality.AT",
"target": "/malware/Virus:Win32/Sality.AT"
},
{
"id": "Win32/Scrarev.C",
"display_name": "Win32/Scrarev.C",
"target": null
},
{
"id": "Trojan:MSIL/RapidStealer.A",
"display_name": "Trojan:MSIL/RapidStealer.A",
"target": "/malware/Trojan:MSIL/RapidStealer.A"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 222,
"FileHash-MD5": 146,
"FileHash-SHA1": 317,
"FileHash-SHA256": 1120,
"email": 3,
"hostname": 881,
"URL": 1338,
"SSLCertFingerprint": 7
},
"indicator_count": 4034,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "165 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68dd9423f9208dcc8701e12e",
"name": "Maktub Locker TOR Status Check \u2022 Cab \\ Drive by( dbi.com) Malicious pic",
"description": "After 911 told me I was bounced to the Denver, Co Station 5 , located 45 & Peoria in Denver , Colorado , not even close. \nThe phone number changed, only 911 access. Clue: I saw an Amber alert in n target phone when I powered it on. No all notices always turned off. Made a call\non contact list and screen changed to a plain faced interface. \n\nAfter finding a mother foundry link on targets phone I grew curious about a CEO\u2019s strange story of Palantir\u2019s Karp Theil roommate situation in Law School but I could only find one picture on of them on a campus in their late 40\u2019s. He\u2019s African American mixed. The picture of his mother in hacked phone is 215 yo. No information federal oversight as CEO right? Or limited information on crazy hacked device? \n\nClicked on link then OMGness\n\n#whatIfind #onhackeddevice #targeting",
"modified": "2025-10-31T19:03:21.338000",
"created": "2025-10-01T20:50:43.002000",
"tags": [
"iocs",
"logo",
"passive dns",
"related tags",
"none google",
"ipv4",
"gogle",
"twitter",
"x.com",
"ransomware",
"fbi \u2019site\u2019",
"python",
"cloud",
"regopenkeyexw",
"read c",
"port",
"destination",
"cryptexportkey",
"count read",
"tor get",
"malware",
"write",
"format",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"country",
"postal code",
"organization",
"date",
"email",
"code",
"aaaa",
"value a",
"key identifier",
"v3 serial",
"number",
"cus ogoogle",
"trust",
"cnwe1 validity",
"subject public",
"key info",
"key algorithm",
"ec oid",
"maktub",
"cnc",
"python-projekt",
"x post",
"link",
"android",
"iphone",
"google",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"ssl certificate",
"spawns",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"size",
"mitre att",
"show technique",
"ck matrix",
"title",
"path",
"hybrid",
"general",
"local",
"form",
"click",
"strings",
"body"
],
"references": [
"FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm",
"Entity CLOUD14",
"CLOUDFLARENET - 104.16.148.244 , 104.19.148.244",
"https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2",
"https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05",
"Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me",
"Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval",
"Tor Get Server Request \u2022 TLS Handshake Failure High Priority",
"Yara Detections: stack_string Alerts: dead_host",
"Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http",
"Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters",
"Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Code Virus Ransomware",
"display_name": "Code Virus Ransomware",
"target": null
},
{
"id": "AVAST- Win32:Filecoder-AD\\ [Trj]",
"display_name": "AVAST- Win32:Filecoder-AD\\ [Trj]",
"target": null
},
{
"id": "CLAMAV - Win.Malware.Cabby-6803812",
"display_name": "CLAMAV - Win.Malware.Cabby-6803812",
"target": null
},
{
"id": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn",
"display_name": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn",
"target": "/malware/Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn"
}
],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 574,
"domain": 147,
"FileHash-MD5": 156,
"FileHash-SHA1": 130,
"FileHash-SHA256": 539,
"URL": 982,
"SSLCertFingerprint": 4,
"email": 2
},
"indicator_count": 2534,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "169 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68c54659742e10df0e2dd0ec",
"name": "Archive.ph - Mirai",
"description": "",
"modified": "2025-10-03T00:01:12.616000",
"created": "2025-09-13T10:24:25.814000",
"tags": [
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"initial access",
"javascript",
"spawns",
"united",
"present aug",
"div div",
"meta",
"fffae1",
"xml title",
"drag",
"div form",
"form div",
"a li",
"encrypt",
"russia",
"passive dns",
"urls",
"aaaa",
"netherlands",
"your ip",
"panama",
"russia unknown",
"present mar",
"present jun",
"moved",
"present jul",
"present sep",
"ip address",
"present jan",
"body",
"title",
"domain",
"files",
"content type",
"body doctype",
"as16509",
"intel mac",
"os x",
"ipv4 add",
"port",
"destination",
"read c",
"medium",
"entries",
"et info",
"execution",
"next",
"dock",
"write",
"persistence",
"malware",
"url analysis",
"files ip",
"name server",
"domain address",
"algorithm",
"key identifier",
"v3 serial",
"number",
"cus olet",
"encrypt cne6",
"validity",
"subject public",
"key info",
"us as15169",
"us as396982",
"mitre att",
"pattern match",
"form",
"onload",
"general",
"local",
"path",
"click",
"strings",
"verify",
"asnone",
"china as4134",
"resolverror",
"high",
"dns query",
"as7018 att",
"japan as4713",
"south korea",
"little \u2018endian\u2019",
"mirai",
"dod",
"endgame systems",
"government overreach",
"sabey type",
"foundry type",
"apple",
"cve"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Unix.Dropper.Mirai-7135858-0",
"display_name": "Unix.Dropper.Mirai-7135858-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [
"Technology",
"Telecommunications",
"Government"
],
"TLP": "white",
"cloned_from": "68b798c0a419c49eeb4e2a13",
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "privacynotacrime",
"id": "349346",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2069,
"domain": 406,
"FileHash-SHA256": 1498,
"hostname": 811,
"FileHash-MD5": 150,
"FileHash-SHA1": 138,
"SSLCertFingerprint": 8,
"CIDR": 1,
"CVE": 1
},
"indicator_count": 5082,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 59,
"modified_text": "198 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68b798c0a419c49eeb4e2a13",
"name": "Archive.ph - Mirai",
"description": "Outdated archiving domain of questionable origin can expose or has exposed monitored target/s to\nUnix.Dropper.Mirai-7135858-0.\n\nThe domain seems to want to appear as if it originates from Russia. There is a DoD & Endgame systems relationship. Multiple archived pages have been injected and deleted.\n(Little Endian) is a name seen often related to an innocent known to be targeted by a pro male entity who utilizes Pegasus, Palantir, Gotham, Foundry , Tulach, for silencing.\n#trulymissed #mirai #malicious",
"modified": "2025-10-03T00:01:12.616000",
"created": "2025-09-03T01:24:16.418000",
"tags": [
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"initial access",
"javascript",
"spawns",
"united",
"present aug",
"div div",
"meta",
"fffae1",
"xml title",
"drag",
"div form",
"form div",
"a li",
"encrypt",
"russia",
"passive dns",
"urls",
"aaaa",
"netherlands",
"your ip",
"panama",
"russia unknown",
"present mar",
"present jun",
"moved",
"present jul",
"present sep",
"ip address",
"present jan",
"body",
"title",
"domain",
"files",
"content type",
"body doctype",
"as16509",
"intel mac",
"os x",
"ipv4 add",
"port",
"destination",
"read c",
"medium",
"entries",
"et info",
"execution",
"next",
"dock",
"write",
"persistence",
"malware",
"url analysis",
"files ip",
"name server",
"domain address",
"algorithm",
"key identifier",
"v3 serial",
"number",
"cus olet",
"encrypt cne6",
"validity",
"subject public",
"key info",
"us as15169",
"us as396982",
"mitre att",
"pattern match",
"form",
"onload",
"general",
"local",
"path",
"click",
"strings",
"verify",
"asnone",
"china as4134",
"resolverror",
"high",
"dns query",
"as7018 att",
"japan as4713",
"south korea",
"little \u2018endian\u2019",
"mirai",
"dod",
"endgame systems",
"government overreach",
"sabey type",
"foundry type",
"apple",
"cve"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Unix.Dropper.Mirai-7135858-0",
"display_name": "Unix.Dropper.Mirai-7135858-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [
"Technology",
"Telecommunications",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2069,
"domain": 406,
"FileHash-SHA256": 1498,
"hostname": 811,
"FileHash-MD5": 150,
"FileHash-SHA1": 138,
"SSLCertFingerprint": 8,
"CIDR": 1,
"CVE": 1
},
"indicator_count": 5082,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "198 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68ae5b9ef87646927a236b61",
"name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry",
"description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems",
"modified": "2025-09-26T00:01:12.214000",
"created": "2025-08-27T01:13:02.780000",
"tags": [
"google",
"mullvad browser",
"value",
"incognito mode",
"mine",
"unix time",
"friday",
"january",
"does",
"tor browser",
"search",
"show",
"langchinese",
"packing t1045",
"t1045",
"medium",
"pe resource",
"module load",
"t1129",
"service",
"trojan",
"copy",
"dock",
"write",
"malware",
"clock",
"united",
"passive dns",
"urls",
"next associated",
"gmt cache",
"ipv4 add",
"pulse pulses",
"files",
"reverse dns",
"win32",
"title",
"location united",
"america flag",
"america asn",
"as15169 google",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"present aug",
"china unknown",
"creation date",
"date",
"domain",
"ip address",
"domain name",
"expiration date",
"status ok",
"nanjing",
"accept",
"body",
"div td",
"td tr",
"div div",
"span span",
"a li",
"span p",
"p div",
"moved",
"a domains",
"open",
"span",
"uuupupu",
"t1055",
"process32nextw",
"high",
"windows",
"high defense",
"evasion",
"delphi",
"google gmail",
"images sign",
"advanced search",
"solutions",
"privacy",
"store gmail",
"delete delete",
"report",
"how search",
"applying ai",
"settings search",
"advanced",
"search search",
"search help",
"domainabuse",
"showing",
"hostname add",
"url add",
"http",
"hostname",
"files domain",
"files related",
"pulses none",
"related tags",
"read c",
"tlsv1",
"whitelisted",
"port",
"destination",
"ascii text",
"next",
"encrypt",
"script urls",
"msie",
"chrome",
"bad gateway",
"script domains",
"present feb",
"link",
"meta",
"digital",
"language",
"body doctype",
"ghost",
"present jun",
"aaaa",
"present jul",
"present oct",
"record value",
"yara detections",
"dock zone",
"top source",
"top destination",
"source source",
"filehash",
"code",
"error",
"windows nt",
"wow64",
"slcc2",
"media center",
"execution",
"persistence",
"tulach",
"brian sabey",
"dod network",
"orgtechref",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity dnic",
"handle",
"whois lookup",
"dod",
"et trojan",
"server header",
"suspicious",
"et info",
"unknown",
"virustotal",
"specified",
"download",
"et",
"please",
"type size",
"first seen",
"loading",
"python wheel",
"dynamicloader",
"intel",
"ms windows",
"pe32",
"entries",
"user agent",
"powershell",
"agent",
"yara rule",
"checks",
"levelblue",
"open threat",
"observed dns",
"query",
"dns lookup",
"msdos",
"wannacry dns",
"lookup",
"wannacry",
"worm",
"explorer",
"msil",
"darkcomet",
"ping",
"tools",
"capture",
"hallrender",
"dga domains",
"unfurl sites",
"honey net",
"bot",
"nxdomain",
"potential-c2"
],
"references": [
"Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems",
"DoD Network Information Center (DNIC)",
"DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}",
"Python Wheel package",
"https://www.google.com/search",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Magania.DSK!MTB",
"display_name": "Trojan:Win32/Magania.DSK!MTB",
"target": "/malware/Trojan:Win32/Magania.DSK!MTB"
},
{
"id": "Trojan:Win32/Zusy",
"display_name": "Trojan:Win32/Zusy",
"target": "/malware/Trojan:Win32/Zusy"
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "a variant of Win32/Kryptik.DEOA",
"display_name": "a variant of Win32/Kryptik.DEOA",
"target": null
},
{
"id": "ALF:Exploit:Win32/gSharedInfoRef.A",
"display_name": "ALF:Exploit:Win32/gSharedInfoRef.A",
"target": null
},
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [
"Telecommunications",
"Technology",
"Civilian"
],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8221,
"domain": 1216,
"FileHash-SHA256": 2434,
"FileHash-MD5": 296,
"FileHash-SHA1": 155,
"hostname": 2939,
"email": 7,
"SSLCertFingerprint": 8,
"CIDR": 2
},
"indicator_count": 15278,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "205 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com",
"Alerts: creates_service stealth_window antivm_network_adapters checks_debugger",
"dev-app.project-cicada.com \u2022 project-cicada.com",
"Denver, US 80211 http://library.verizon.onereach.ai",
"http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/",
"https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72",
"External Hosts Israel Unique Countries 2 Unique ASNs 2 IP",
"medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com",
"www.apple.com \u2022 23.34.32.199",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c",
"Yara: Detections Tofsee",
"device-local-de06e551-6b23-4aa3-bb67-6972ae6d30b5.remotewd.com 192.168.0.21",
"https://brand.centurylinktechnology.com",
"Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st",
"https://fonts.googleapis.com/css",
"https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"https://cellebrite.com/en/federal-government/",
"https://vtbehaviour.commondatastorage.googleapis.com/6c39ae0368703f254070a0648c0066115140c3e762d9bf5b52833a037a1e3743_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469752&Signature=Df%2Bamm33qFPdsDg6nWC5FQjse7h4fksSXqONp4nMEItb0gpBwqx66TqcCnFzQplUk6ExMge79qNZR2OElv63sX54D4fSGwI9nvHYhQoiVdZIgf4ct8dIAr%2BYO9jSx0WpPUVFsvf%2FXtXvm6jM5n5v7CGiyFRyAz8PES5g%2FcOlLt%2BDhsc8bhi%2FMU9mAkyyr5nFVPcTmUSHOTNXOeKDUlyRkQE6b9FEbFhUL1h3%2B%2FBVtysh",
"External Hosts: 3.163.24.10\t www.pcspeedcat.com\twww.pcspeedcat.com\tUnited States ASNone",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"CICADA Contextual Inference & Comprehensive Analysis Data Agent",
"\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device",
"Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"http://acounts.google.com/v/signin/identifier?continue=hts%253%252F2Fconsole.cloud.google.com2Fapengine&dsh=5-1106814258%2539876543210",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.",
"pcy.and.googletagmanagers.com",
"https://www.colocrossing.com/",
"http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net",
"Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html",
"I apologize for the lack of reference.",
"IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29",
"Entity CLOUD14",
"https://vtbehaviour.commondatastorage.googleapis.com/5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469810&Signature=Mj5ODxCW7tD5UNn6P11Ta7F2cmDLSJuEB7JSLFg%2FERfANmnRR5L7XzDwXxI5G48vkQFx0%2FBMtjMLwWHn6ZHKlt13rfzkvoOu5fJ%2Fb5lMJqUp1rSQIG0JLL80QAnXyJf2W8pL7MvK97Tr4jsCIUfd8ezliJtV5SmahV6Q8lYu2KJUnANrHkA10RFrcT4O26Vk7gbDsuC7caDXC6U9KXTTB0cpC77%2FV7w86ftN2JPXx6oEHUvSj02qsvhKwKQvmM",
"http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy",
"It appears there are 5-7 known affected that I was able to find",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"div>
",
"podcasts.apple.com \u2022 23.34.32.21",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"developer.x.com",
"http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==",
"https://goo.gl/9p2vKq",
"Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?",
"IDS Detections : DNS Rep Sinkhole - Microsoft - 199.2.137.0/24",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"IP\u2019s Contacted : 54.230.129.165",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"https://vtbehaviour.commondatastorage.googleapis.com/2533042959ad1fe050d14ab7536126910a2d240992bff397640382472b6a7c69_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469608&Signature=fK1I2%2FxXVm0l3ZiELwtstes8iVN402Ww%2By%2BgvxYOB0LiC2iO3J9cedWJk1hMIr4IfLSGKprfui8vANzR%2BkWfSd594S%2FFe9A59YKyOA2MFmQTBRXVy6O3xF1e1lPETp5Md%2FbGJCOzrZxdHyReyuk7cgdDDBAewptjJhfTYxql7F9X%2FB4qe9BYWPrvned2fFWfU%2F4G%2F4UBqY9Jj%2BG1CTP%2FaGqOdWFs0Q5cPYZ4bytp",
"https://elegantcosmedampyeah.pages.dev/",
"Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)",
"https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699",
"HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related",
"ASN 82.80.204.63 www5.incredimail.com \u2022 Israel",
"Malicious Application Development: herokuappdev.com (Patter match 8 years +)",
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f",
"http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/",
"http://test-firstmile.digitecgalaxus.ch",
"pegasuspartners.followupboss.com",
"https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters",
"Crowdsourced IDS: Matches rule MALWARE-CNC DNS",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"192-168-0-21.siliconevalley1.direct.quickconnect.to",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS",
"IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5",
"DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022",
"CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]",
"http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"https://feedback.ptv.vic.gov.au/360",
"Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",
"Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)",
"appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.",
"Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me",
"https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:",
"114.114.114.114 = Tulach",
"https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg",
"Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d",
"aptaforum.com.cn 182.61.201.90 , 182.61.201.91 China ASN AS38365 beijing baidu netcom science and technology co. ltd",
"TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render",
"Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file",
"Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF",
"Fireye - FEDNS1.FIREEYE.COM",
"ET Telnet | https://www.colocrossing.com | velocity servers",
"https://otx.alienvault.com/indicator/ip/3.163.24.10",
"Name : iveins.de Service : connect",
"www.remoteaccess.allied-media.com",
"https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022",
"NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com",
"Tulach.cc",
"A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.",
"track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software",
"c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1",
"https://otx.alienvault.com/indicator/hostname/pegasus.pahamify.com",
"104.21.51.140, 172.67.181.41",
"https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/",
"http://apple.com-verify.account.manage.test2.aptaforum.com.cn/",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe",
"https://action.aiseesoft.jp/itunes.php",
"www.killer333.club So I\u2019m right.",
"fastwebnet.it | Cellebrite White Label Spyware Service",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.",
"Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht",
"IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
"Yare: compromised_site_redirector_fromcharcode",
"http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"lkp.and.googletagmanagers.com",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"aotx.alienvault.com (aotx.?)",
"Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92",
"IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)",
"Tipped: A targets AI and other cyber research findings.",
"https://hybrid-analysis.com/sample/c61237fcb798f05e6af32a6aa13f8e795aac47559d601eb7f93ad65bcf58b418/68e30c476b91a8000b0dd786",
"Tor Get Server Request \u2022 TLS Handshake Failure High Priority",
"VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc",
"Python Wheel package",
"FileHash-SHA256\t9f66cab9d7c581cf2dd28b6ae3178bb3d38975ff257c3ffb67c3e89d0f7135ee",
"Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows",
"http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:",
"jaycobundaberg.eclipseaurahub.com.au 192.168.0.21",
"http://web-secure-appleid-login.com.test2.aptaforum.com.cn/",
"Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_",
"IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login",
"jgw.and.googletagmanagers.com",
"us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021",
"File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..",
"Yara Detections is__elf , ELFHighEntropy , elf_empty_sections",
"Yara Detections compromised_site_redirector_fromcharcode , Delphi",
"prb.and.googletagmanagers.com",
"ET TROJAN Suspicious double Server Header",
"https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.",
"teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com",
"https://glare.pali om. \u2022 http://engage.palantirfou?",
"FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7",
"https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Alerts: console_output has_pdb pe_unknown_resource_name",
"Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems",
"Is that where they\u2019re getting these names? Rexxfield.com. SMH",
"https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com",
"Needs to be sorted. Actively being exploited on US",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"Yara Detections is__elf",
"Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer",
"https://securityaffairs.com/144927/cyber-crime~#",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"https://p2d.josht.ca/api/depots/info/?depot=",
"ET DNS DNS Query to a .tk domain - Likey",
"Same legal , and quasi governmental pattern identified",
"United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel",
"Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot",
"http://help.aiseesoft.jp/fonelab/",
"Yara Detections: stack_string Alerts: dead_host",
"This is hard to comprehend or put into indelible words.",
"In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/",
"ASP. NET",
"UPX_OEP_place",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect",
"AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel",
"http://firstmile.digitecgalaxus.ch",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"anonsecbotnet.cameraddns.net",
"https://l.us-1.a.mimecastprotect.com/l",
"Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",
"http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022",
"IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake",
"Daisy was allegedly brutally assaulted by Matthew Barnett,",
"Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad",
"dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K",
"cdn.rss.applemarketingtools.com",
"22.hio52.r.cloudfront.net",
"https://otx.alienvault.com/indicator/domain/qeenetic.link",
"this.target",
"https://www.netify.ai/resources/domains \u2022 192-168-0-21.3pt3m9ng2hf.ddns.manage.alta.inc",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/",
"https://otx.alienvault.com/indicator/url/https://pegasus.pahamify.com/",
"web-secure-appleid-login.com.test2.aptaforum.com.cn",
"dns17.hichina.com",
"virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval",
"https://vtbehaviour.commondatastorage.googleapis.com/5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469831&Signature=ZlRZLvCaJ%2F9niupu9DFCvXvfgFpDEOsK%2FsH46CB2zEVUDjcQRNMDp9XXKKx0dekmHQbhl02yqygHPOA8Wty5duGtK216QCvKNkYpbpdOjN7xgAg3AsldciWbqeJr8N4I%2F1%2FPRSdVfB%2BNGaBJKxZG1RQkX206MSvX%2BeY%2FdeEYpq3NYdrPWlxdV0pa3yaqcMrf2s%2FCFSM%2FdO3xt5PKyXWG%2FDCNM5iiuXh8OT2ckhZhf%",
"putrhnwl.exe",
"msedge.b.tlu.dl.delivery.mp.microsoft.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"Requires further research.",
"Alerts: peid_packer pe_unknown_resource_name",
"grafana.ledocloud.com\u2022 192.168.0.21",
"https://podcasts.apple.com/us/podcast/lazarus",
"appleid.apple.com-signin-8491e.test2.aptaforum.com.cn",
"IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192",
"IP\u2019s Contacted: 121.105.233.189 128.251.173.246 13.248.148.254 132.124.155.52 139.246.30.108",
"Malicious Application Development: herokuappdev.com (pattern matching spans 8+ years)",
"nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au",
"https://api.playit.gg/agents/routing/get",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"www.phantomcameras.cn",
"campdeadwood2026.com",
"Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc",
"Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com",
"upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/",
"http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/",
"https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"IDS Detections: Query to a *.pw domain - Likely Hostile",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au",
"Alerts: windows_utilities antivm_memory_available pe_features raises_exception",
"https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/",
"Alerts: network_icmp nolookup_communication js_eval recon_fingerprint",
"www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"authrootstl.cab common file extension",
"TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host",
"Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless",
"Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn",
"http://cr-malware.testpanw.com/url",
"(legitimate services will remain up-and-running usually) High | ID dead_host",
"Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad",
"Typing a suicide note on social media is suspicious since it could come from your murderer.",
"http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82",
"IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94",
"engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com",
"CLOUDFLARENET - 104.16.148.244 , 104.19.148.244",
"https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/",
"Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com",
"direwolf-8b1a1bc476.staging.herokuappdev.com",
"Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download",
"http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/",
"Yara Detections: MS17_010_WanaCry_worm , stack_string , MS_Visual_Cpp_6_0 , Armadillov1xxv2xx",
"*unsigned Domain: aptaforum.com.cn Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok",
"http://help.aiseesoft.jp/blu-ray-player",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
"Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP",
"appspot.com \u2022 hyper7install.appspot.com",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png",
"http://p2d.josht.ca/assets/content-delivery/depots/download",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com",
"There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com",
"According to accounts she was afraid for her life , found to be safe then took her own life?",
"Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.",
"Yara Detections: WannaCry_Ransomware , Wanna_Cry_Ransomware_Generic , WannaDecryptor",
"https://clockoutbox.es/password",
"http://www.google.com-viruswall1-source-cloud-computing-services-distribution.cpdev.dyson.cn/",
"search.roi.ros.gov.uk",
"cedevice.io \u2022 decagonsoftware.com",
"https://mobile-pocket-guide.centurylinktechnology.com",
"Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file",
"Pornhub to your phone. Dumping or by request?",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"https://palapa.c.id\t (c.id)",
"inst.govelopscold.com",
"Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg",
"caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com",
"https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2",
"Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com",
"1.bing.com.cn",
"Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx",
"Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog",
"162.159.134.42 \u2022 https://cellebrite.com/",
"7box.vip",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"and our limited information, is Daisy a victim or a crisis actor?",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell",
"Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception",
"Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw",
"https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com",
"https://310940000.android.com.twitter.android.adsenseformobileapps.com/",
"FireEye was there in 2 year old pulse now removed? I\u2019ll find it.",
"apple.com-verify.account.manage.test2.aptaforum.com.cn",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"us-gov-west-1.gov.reveal-global.com",
"Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com",
"IP\u2019s Contacted: 103.224.212.220 105.242.60.208 117.13.61.219 117.180.208.83 12.105.46.122",
"apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn",
"Win32:CVE-2017-0147-B\\ [Expl] , Win.Ransomware.WannaCry-6313787-0 , Exploit:Win32/CVE-2017-0147.A",
"https://www.google.com/search",
"IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227",
"FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm",
"okg.and.googletagmanagers.com",
"Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.",
"IDS Detections Gh0stCringe CnC Activity M2",
"http://help.aiseesoft.jp/total-video-converter",
"api.acumatica.flex.redteam.com",
"https://prod.centurylinktechnology.com",
"bzx.and.googletagmanagers.com",
"MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"DoD Network Information Center (DNIC)",
"116e33e0-8832-11ec-aef5-99a1d044639a-local.solinkcloud.com",
"ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/",
"http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/",
"https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls",
"biblegateway.comwww.biblegateway.com \u2022 www.biblegateway.com",
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?",
"(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html",
"Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self",
"amazon.com \u2022 pki.goog \u2022 google-analytics.com",
"https://brand2.centurylinktechnology.com",
"https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39",
"http://help.aiseesoft.jp/total-video-converter/",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010",
"(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.",
"Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.",
"KeenDNS | keendnsaclremote805717135272048.qeenetic.link",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"External Hosts: 52.57.183.74\t access.pcspeedcat.com\taccess.pcspeedcat.com\tGermany\tAS16509 amazon.com inc\taccess.pcspeedcat.com Germany AS16509 amazon.",
"Changed last several digits of gmail account # In example",
"Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)",
"Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)",
"https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:",
"Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http",
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"pcup.gov.ph:",
"findmy.apple-uk.live",
"asp.net domain pointer",
"https://www.endgamesystems.com/",
"https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/",
"http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/",
"Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit",
"hallplan.vm05.iveins.de",
"Alerts: network_cnc_http network_http packer_unknown_pe_section_name",
"pgj.and.googletagmanagers.com",
"https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05",
"What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/",
"IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden",
"http://console.cloud.google.com/appengine"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)",
"COINBASECARTEL"
],
"malware_families": [
"Unix.dropper.mirai-7135858-0",
"Win32:malob-bx",
"Win.dropper.njrat-10015886-0",
"Cymt",
"Win.trojan.fugrafa-9733007-0",
"Code virus ransomware",
"Win32:dh-a\\",
"Win.malware.flystudio-6738927-0",
"Virtool:msil/covent.a",
"Win.packed.bladabindi-6872770-0",
"Worm:win32/lightmoon.h",
"Avast- win32:filecoder-ad\\ [trj]",
"Win32:dh-a\\ [win32:fileinfector-c\\ [heur]",
"Tulach",
"Ransomware",
"Alf:jasyp:trojan:win32/ircbot!atmn",
"Win32/madang",
"Win.packed.fecn-7077459-0",
"Virus:win32/sality.at",
"Win32/scrarev.c",
"Ransomware/win.stop.r4529",
"Pegasus",
"Trojan:win32/smkldr.h!mtb",
"Win64:expiro-aj\\ [inf]",
"Trojan:o97m/madeba.a!det",
"Alf:exploit:win32/gsharedinforef.a",
"Tsunami-6981155-0",
"Unix.trojan.tsunami-6981155-0",
"Unix.trojan.darknexus-7679166-0",
"Trojan:msil/ranos.a",
"Mirai",
"Hacktool:msil/boilod.c!bit",
"Wannacry",
"Ransom:win32/crowti.a",
"Win.packed.msilperseus-9956592-0",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Win32:malware-gen",
"Win32/backdoorx",
"Win.malware.generic-9871124-0",
"#virtool:win32/obfuscator",
"Trojandownloader:win32/upatre.aa",
"Tofsee",
"Exploit:win32/cve-2017-0147.a",
"Win.trojan.application-1955.",
"Ransom:win32/wannacrypt.h",
"Trojan:msil/clipbanker.gc!mtb",
"Win.malware.incredimail-6804483-0",
"!themida",
"Alf:spikeaexr.pevpopc",
"Win.malware.speedcat-6957425",
"Ms defender - trojandownloader:win32/dalexis!rfn!rfn",
"Win32:evo-gen\\ [trj]",
"Tofsee attack",
"Win.trojan.vbgeneric-6989114-0",
"Alf:hacktool:msil/heartsender.a",
"Trojan:win32/danabot",
"Virtool:msil/covent",
"Kelihos",
"#lowfi:hstr:msil/obfuscator.deepsea",
"Other malware",
"Win32:salicode",
"Trojan.tofsee/botx",
"Cve-2025-11727",
"Trojan:win32/aptdrop.ru",
"Win32:trojanx-gen\\ [trj]",
"Win.trojan.agent",
"Sf:wncryldr-a\\ [trj]",
"Win32:trojan-gen",
"Cve-2017-0147",
"Exploit:js/cve-2014-0322",
"Doc.downloader.emotetred02220-9938909-0",
"Virtool:win32/obfuscator.k",
"Trojandownloader:win32/cutwail.bs",
"Win32:banker-laa\\ [trj]",
"Win64:trojanx",
"Trojan:msil/rapidstealer.a",
"Trojandropper:win32/vb.il",
"Trojan:win32/pynamer!rfn",
"Backdoor:msil/bladabindi.ap",
"Alf:backdoor:msil/noancooe.",
"Etpro",
"Virtool:win32/injector.bo",
"Trojan:win32/zusy",
"Trojan:win32/emotet.pc!mtb",
"Win.malware.snojan-6775202-0",
"Win32:malware",
"Win.trojan.gh0strat-9955419-1",
"Virtool:win32/vbinder.co",
"Pws:win32/axespec.a",
"Et",
"Zbot",
"Win.packed.generic-9795615-0",
"Mydoom",
"Virtool:win32/vbinject.ya!mtb",
"Backdoor:win32/small.ir",
"Trojan/js.redirector.qno",
"Trojan:win32/tiggre!rfn",
"Win.packed.marsilia-10021147-0",
"Crypt3.bxvc",
"Alf:trojan:win64/psbanker",
"#lowfihstr:msil/confuser",
"Icedid",
"Win.downloader.small-1966",
"Msil:agent-dq\\ [trj]",
"#lowfi:lua:dllsuspiciousexport.a",
"Win.ransomware.wannacry-6313787-0",
"A variant of win32/kryptik.deoa",
"Ransom:win32/cve-2017-0147.a",
"Backdoor:linux/demonbot",
"Worm:win32/autorun!atmn",
"Trojan:win32/magania.dsk!mtb",
"Backdoor:win32/tofsee.t",
"Clamav - win.malware.cabby-6803812",
"Win.trojan.dialog-9873788-0",
"Win.trojan.generic-6417450-0"
],
"industries": [
"Telecommunications",
"Education",
"Telecom",
"Journalists",
"Civil society",
"Insurance",
"Legal",
"Civilian",
"Government",
"Healthcare",
"Technology"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 26,
"pulses": [
{
"id": "69ddeb45c45f6a3cd721397d",
"name": "Active attacks \u2022 Apple \u2022 Tulach",
"description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious",
"modified": "2026-04-14T07:22:45.250000",
"created": "2026-04-14T07:22:45.250000",
"tags": [
"url http",
"ipv4",
"indicator role",
"active related",
"united",
"moved",
"gmt content",
"certificate",
"all domain",
"msie",
"chrome",
"extraction",
"data upload",
"twitter",
"cookie",
"extra",
"include data",
"review locs",
"exclude",
"suggested os",
"onlv",
"failed",
"stop data",
"read c",
"unicode",
"rgba",
"memcommit",
"delete",
"dock",
"write",
"execution",
"sc type",
"extri",
"include review",
"exclude sugges",
"typ data",
"a domains",
"present apr",
"script urls",
"files",
"files ip",
"address",
"ios",
"mac",
"apple",
"appleid",
"itunes",
"next associated",
"all ipv4",
"included ic",
"uny teade",
"type hostnar",
"hostnar hostnar",
"hostnar",
"macair",
"macairaustralia",
"ipad",
"ipod",
"cryptexportkey",
"invalid pointer",
"cryptgenkey",
"stream",
"defender",
"delphi",
"class",
"stack",
"format",
"unknown",
"united states",
"phishing",
"password",
"traffic redirected",
"service mod",
"service execution",
"youtube",
"music",
"streams",
"songs",
"played songs",
"music streams",
"most played",
"fonelab",
"indicator",
"included iocs",
"manually add",
"review ocs",
"exclude inn",
"sugges data",
"find",
"include",
"url https",
"enter sc",
"type",
"no matchme",
"search otx",
"https",
"references x",
"analyze",
"open th",
"url data",
"se http",
"no match",
"excluded iocs",
"iocs",
"ip whitelisted",
"whitelisted",
"tcp include",
"analysis date",
"file score",
"medium risk",
"yara detections",
"contacted",
"related tags",
"x vercel",
"file type",
"type indicator",
"role title",
"related pulses",
"mulch virtua",
"library loade",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugt",
"samuel tulach",
"unity engine",
"tulach",
"sa awareness",
"sabey",
"sar cut",
"autofill",
"includer review",
"portiana oney",
"targeting",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"musickit_1_.js",
"lazarus",
"injection",
"CVE-2017-8570",
"prefetch2",
"target",
"aaaa",
"ip address",
"record value",
"emails",
"samuel tuachs",
"sapev",
"review exclude",
"monitored target",
"script",
"mitre att",
"ascii text",
"span",
"path",
"iframe",
"april",
"hybrid",
"general",
"local",
"click",
"strings",
"body",
"development att",
"t1055.012 list planting",
"active"
],
"references": [
"https://trade.kraken.com/charts/KRAKEN:APT-USD>+y",
"https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/",
"https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/",
"https://podcasts.apple.com/us/podcast/lazarus",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://help.aiseesoft.jp/blu-ray-player",
"http://help.aiseesoft.jp/fonelab/",
"https://action.aiseesoft.jp/itunes.php",
"http://help.aiseesoft.jp/total-video-converter",
"http://help.aiseesoft.jp/total-video-converter/",
"http://help.aiseesoft.jp/video-converter-ultimate/",
"http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/",
"http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch",
"http://test-firstmile.digitecgalaxus.ch",
"https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/",
"No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]",
"cdn.rss.applemarketingtools.com",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"1.bing.com.cn",
"www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net",
"www.phantomcameras.cn",
"https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"",
"podcasts.apple.com \u2022 23.34.32.21",
"www.apple.com \u2022 23.34.32.199",
"js-cdn.music.apple.com \u2022 23.78.51.170",
"http://firstmile.digitecgalaxus.ch",
"Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb",
"Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca",
"Tulach.cc",
"https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8",
"www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019",
"https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json",
"https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as",
"Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains",
"asp.net domain pointer",
"developer.x.com",
"aotx.alienvault.com (aotx.?)",
"https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh",
"https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1020.001",
"name": "Traffic Duplication",
"display_name": "T1020.001 - Traffic Duplication"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591.002",
"name": "Business Relationships",
"display_name": "T1591.002 - Business Relationships"
},
{
"id": "T1591.001",
"name": "Determine Physical Locations",
"display_name": "T1591.001 - Determine Physical Locations"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1029,
"domain": 396,
"email": 7,
"URL": 2784,
"FileHash-SHA256": 898,
"FileHash-MD5": 79,
"FileHash-SHA1": 68,
"IPv4": 35,
"CVE": 1,
"SSLCertFingerprint": 13
},
"indicator_count": 5310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69dc04c12782d2d76c111a93",
"name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked",
"description": "",
"modified": "2026-04-12T20:46:57.338000",
"created": "2026-04-12T20:46:57.338000",
"tags": [
"indicator role",
"active related",
"ck ids",
"files",
"information",
"discovery",
"mitre att",
"pattern match",
"ck id",
"ck matrix",
"ascii text",
"united",
"binary file",
"april",
"hybrid",
"apikey",
"general",
"local",
"path",
"iframe",
"click",
"protocol",
"learn",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"related pulses",
"dll read",
"function read",
"icmp traffic",
"machineguid",
"systembiosdate",
"total",
"read",
"write",
"network_icmp",
"js_eval",
"recon_fingerprint",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"tls handshake",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"neue",
"certificate",
"error",
"scans show",
"record value",
"title site",
"servers",
"emails",
"all hostname",
"dnsadmin",
"data upload",
"extraction",
"failed",
"include review",
"exclude sugges",
"find s",
"typ no",
"active",
"urls",
"ip address",
"asn as54113",
"registrar",
"wscript",
"united states",
"stcalifornia",
"lmountain view",
"ogoogle llc",
"ogoogle trust",
"cngts ca",
"whitelisted",
"as15169",
"hostile",
"crash",
"contacted",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"detections alf",
"hostile yara",
"detections none",
"less ip",
"domains",
"ms windows",
"intel",
"pe32",
"regsetvalueexa",
"langturkish",
"sublangdefault",
"port",
"destination",
"entries",
"worm",
"delphi",
"win32",
"body",
"explorer",
"defender",
"regdword",
"false",
"true",
"end sub",
"object",
"createobject",
"sheetschanged",
"private sub",
"string",
"boolean",
"cancel",
"trojan",
"copy",
"query",
"dns update",
"useragent",
"myapp",
"delphi alerts",
"alerts deadhost",
"women who code",
"tulach",
"114.114.114.114",
"samuel",
"brian sabey"
],
"references": [
"https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file",
"this.target",
"c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1",
"amazon.com \u2022 pki.goog \u2022 google-analytics.com",
"authrootstl.cab common file extension",
"dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell",
"https://securityaffairs.com/144927/cyber-crime~#",
"https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html",
"virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com",
"https://clockoutbox.es/password",
"http://cr-malware.testpanw.com/url",
"IDS Detections: Query to a *.pw domain - Likely Hostile",
"Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer",
"Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows",
"Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_",
"Alerts: windows_utilities antivm_memory_available pe_features raises_exception",
"IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227",
"IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94",
"Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog",
"Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com",
"Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw",
"Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections compromised_site_redirector_fromcharcode , Delphi",
"Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad",
"Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx",
"IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29",
"Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org",
"Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com",
"114.114.114.114 = Tulach"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:Trojan:Win64/PsBanker",
"display_name": "ALF:Trojan:Win64/PsBanker",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Trojan:O97M/Madeba.A!det",
"display_name": "Trojan:O97M/Madeba.A!det",
"target": "/malware/Trojan:O97M/Madeba.A!det"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1114,
"hostname": 594,
"domain": 200,
"FileHash-SHA256": 2379,
"FileHash-MD5": 426,
"FileHash-SHA1": 259,
"IPv4": 322,
"SSLCertFingerprint": 24,
"email": 2,
"IPv6": 1
},
"indicator_count": 5321,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "6 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d3843cba399db62eeae702",
"name": "CAPE Sandbox - Stalking",
"description": "A full report on the latest Android operating system: PK.3.4.5.1 (c) on 1 January, 2026, to be published by the Google Research Institute (GRI).",
"modified": "2026-04-06T10:18:23.324000",
"created": "2026-04-06T10:00:28.397000",
"tags": [
"renewed",
"8gbram",
"windows10",
"19inlcdmonitor",
"desktop pc",
"package",
"intel core",
"hard drive",
"dvdrw",
"wifi",
"title",
"blink",
"date",
"meta",
"elite",
"body",
"https",
"mitre attack",
"network info",
"tls version",
"united",
"overview",
"zenbox android",
"verdict",
"guest system",
"ultimate file",
"fraud",
"cloud",
"next",
"program",
"processes extra",
"overview zenbox",
"info file",
"file type",
"default",
"parent pid",
"full path",
"command line",
"registry keys",
"commands c",
"k dcomlaunch",
"files c",
"devicecng c",
"read registry"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/2533042959ad1fe050d14ab7536126910a2d240992bff397640382472b6a7c69_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469608&Signature=fK1I2%2FxXVm0l3ZiELwtstes8iVN402Ww%2By%2BgvxYOB0LiC2iO3J9cedWJk1hMIr4IfLSGKprfui8vANzR%2BkWfSd594S%2FFe9A59YKyOA2MFmQTBRXVy6O3xF1e1lPETp5Md%2FbGJCOzrZxdHyReyuk7cgdDDBAewptjJhfTYxql7F9X%2FB4qe9BYWPrvned2fFWfU%2F4G%2F4UBqY9Jj%2BG1CTP%2FaGqOdWFs0Q5cPYZ4bytp",
"https://vtbehaviour.commondatastorage.googleapis.com/6c39ae0368703f254070a0648c0066115140c3e762d9bf5b52833a037a1e3743_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469752&Signature=Df%2Bamm33qFPdsDg6nWC5FQjse7h4fksSXqONp4nMEItb0gpBwqx66TqcCnFzQplUk6ExMge79qNZR2OElv63sX54D4fSGwI9nvHYhQoiVdZIgf4ct8dIAr%2BYO9jSx0WpPUVFsvf%2FXtXvm6jM5n5v7CGiyFRyAz8PES5g%2FcOlLt%2BDhsc8bhi%2FMU9mAkyyr5nFVPcTmUSHOTNXOeKDUlyRkQE6b9FEbFhUL1h3%2B%2FBVtysh",
"https://vtbehaviour.commondatastorage.googleapis.com/5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469810&Signature=Mj5ODxCW7tD5UNn6P11Ta7F2cmDLSJuEB7JSLFg%2FERfANmnRR5L7XzDwXxI5G48vkQFx0%2FBMtjMLwWHn6ZHKlt13rfzkvoOu5fJ%2Fb5lMJqUp1rSQIG0JLL80QAnXyJf2W8pL7MvK97Tr4jsCIUfd8ezliJtV5SmahV6Q8lYu2KJUnANrHkA10RFrcT4O26Vk7gbDsuC7caDXC6U9KXTTB0cpC77%2FV7w86ftN2JPXx6oEHUvSj02qsvhKwKQvmM",
"https://vtbehaviour.commondatastorage.googleapis.com/5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775469831&Signature=ZlRZLvCaJ%2F9niupu9DFCvXvfgFpDEOsK%2FsH46CB2zEVUDjcQRNMDp9XXKKx0dekmHQbhl02yqygHPOA8Wty5duGtK216QCvKNkYpbpdOjN7xgAg3AsldciWbqeJr8N4I%2F1%2FPRSdVfB%2BNGaBJKxZG1RQkX206MSvX%2BeY%2FdeEYpq3NYdrPWlxdV0pa3yaqcMrf2s%2FCFSM%2FdO3xt5PKyXWG%2FDCNM5iiuXh8OT2ckhZhf%"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1221",
"name": "Template Injection",
"display_name": "T1221 - Template Injection"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1409",
"name": "Access Stored Application Data",
"display_name": "T1409 - Access Stored Application Data"
},
{
"id": "T1421",
"name": "System Network Connections Discovery",
"display_name": "T1421 - System Network Connections Discovery"
},
{
"id": "T1422",
"name": "System Network Configuration Discovery",
"display_name": "T1422 - System Network Configuration Discovery"
},
{
"id": "T1426",
"name": "System Information Discovery",
"display_name": "T1426 - System Information Discovery"
},
{
"id": "T1430",
"name": "Location Tracking",
"display_name": "T1430 - Location Tracking"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 182,
"FileHash-MD5": 781,
"FileHash-SHA1": 509,
"FileHash-SHA256": 539,
"URL": 387,
"hostname": 361,
"domain": 100,
"CIDR": 1,
"email": 1
},
"indicator_count": 2861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "13 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a1a73eb0578b92962dae97",
"name": "FBI Link (Ransomware)sent to a device. opened on its own. Why?",
"description": "I wouldn\u2019t typically search an alleged authentic government site , except it opened on a device, no prompt. TrojanDownloader:Win32/Dalexis!rfn!rfn\nIDS Detections\nMaktub Locker TOR Status Check\nTOR Consensus Data Requested\nTOR 1.0 Server Key Retrieval\nTor Get Server Request\nTLS Handshake Failure\nYara Detections\nstack_string\nWho is : [URL\n[https://tor-dirauth.sebastianhahn.net/]\n[https://tor.sebastianhahn.net]\n[tor-dirauth.sebastianhahn.net]\n->gitbot.faui2k9.de\n[Status faui2k9.de -connect] connects to device \n100% Malicious | https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70 | [External resources discovered in HTML content:\ndap.digitalgov.gov | Pattern match: \"fbi.gov/contact-us/field-offices/denver/news/pr\"\nHeuristic match: \"x.com\" | will revisit",
"modified": "2026-03-29T13:04:34.750000",
"created": "2026-02-27T14:16:30.498000",
"tags": [
"regopenkeyexw",
"port",
"destination",
"cryptexportkey",
"search",
"show",
"entries",
"windows nt",
"regsetvalueexa",
"ip address",
"malware",
"copy",
"write",
"win32",
"next",
"format",
"contacted",
"less ip",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"date",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"february",
"failed",
"enter",
"data upload",
"passive dns",
"urls",
"aaaa",
"certificate",
"otx logo",
"all hostname",
"pulse submit",
"url analysis",
"files",
"domain",
"title",
"body",
"encrypt",
"netherlands",
"gmt content",
"all ipv4",
"amsterdam",
"hetzner online",
"gmbh",
"summary",
"url age",
"de seen",
"general info",
"geo germany",
"as as24940",
"de note",
"route",
"direct",
"pro platform",
"logs",
"suricata alert",
"et info",
"tls handshake",
"bad traffic",
"suricata alerts",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"size",
"sha256",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"path",
"unknown",
"stop",
"root",
"hybrid",
"general",
"local",
"form",
"click",
"strings",
"9999",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"command",
"defense evasion",
"spawns",
"found",
"show technique",
"ck matrix",
"href",
"antivirus",
"maktub locker",
"tor status",
"check"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1129,
"domain": 148,
"hostname": 753,
"FileHash-SHA256": 548,
"FileHash-MD5": 90,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 8,
"CIDR": 1,
"email": 4
},
"indicator_count": 2752,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "20 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69c06ca9341d6c063f652e33",
"name": "ETERNALBLUE Probe MS17-010 | Wannacry Ransomware Domain - related to NSO Group Pegasus",
"description": "Quasi governmental, Healthcare Law Firms , legal entities , as well as direct safety threats such as NSO Group Pegasus, Enterprise Cellebrite (in references) and other dangerous intimidation and life endangering tactics directed against a crime victim. Continuous harassment and threats of violence against victims family including 83 yo father. Veteran & hand picked Sr Systems Analyst and Engineer for Aegis Weapon System Team of 24. You\u2019re welcome America.. Victim left zero evidence with family. Documents shredded. Data stolen by parties named. She isn\u2019t the only one. These people do this for a living. Abuse of Palantir & Foundry tools.",
"modified": "2026-03-22T22:26:49.205000",
"created": "2026-03-22T22:26:49.205000",
"tags": [
"ransomware",
"united",
"search",
"asnone",
"regsetvalueexa",
"service",
"regdword",
"medium",
"get na",
"malware",
"dock",
"push",
"write",
"win32",
"playgame",
"unknown",
"exploit",
"cve",
"wncry",
"wannacry",
"passive dns",
"urls",
"british virgin",
"all url",
"http",
"ip address",
"related nids",
"files location",
"virgin islands",
"islands",
"bgp",
"virgin islands",
"hijacked",
"data upload",
"extraction",
"failed",
"review iocs",
"include ovo",
"tovary review",
"ids detec",
"yara dete",
"trior texarag",
"drop or",
"rrowse",
"type",
"extra data",
"hurricane electric",
"p2404",
"p11629470400",
"p11629107633",
"artifacts v",
"full reports",
"v help",
"info",
"low l",
"high ta0002",
"techniques",
"t1053",
"command",
"scripting inte",
"low ta0003",
"techniques high",
"t1053 ite",
"modify system",
"pl t1543",
"boot",
"logon autostart",
"ex t1547",
"checks-disk-space",
"checks-network-adapters",
"detect-debug-environment",
"direct-cpu-clock-access",
"long-sleeps",
"runtime-modules",
"get http",
"head http",
"dns resolutions",
"ip traffic",
"53 tcp",
"tls sni",
"apple id",
"webdisk",
"expiration",
"url http",
"hostname",
"no expiration",
"iocs",
"url https",
"es included",
"win32 exe",
"pe32 executable",
"ms windows",
"intel",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"t1204 user",
"defense evasion",
"over",
"mitre att",
"ck matrix",
"ascii text",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"javascript",
"ssl certificate",
"encrypt",
"accept",
"russia unknown",
"meta",
"record value",
"aaaa",
"link",
"present jun",
"apple",
"remote access",
"otx logo",
"all ipv4",
"url analysis",
"files",
"accept ch",
"present dec",
"content type",
"x pcrew",
"name servers",
"present may",
"body doctype",
"title",
"all domain",
"servers",
"china unknown",
"found content",
"gmt p3p",
"cp oti",
"dsp cor",
"iva our",
"ind com",
"domain",
"cname",
"entries",
"brian sabey",
"hallrender",
"christopher ahmann",
"t1480 execution",
"discovery att",
"heur",
"virtool",
"win64",
"mtb win32",
"backdoor",
"location china",
"hangzhou",
"china asn",
"ransom",
"wannadecryptor",
"filehash",
"yara detections",
"msvisualcpp60",
"related tags",
"none file",
"type pexe",
"copy",
"beginstring",
"null",
"refresh",
"body",
"span",
"error",
"tools",
"look",
"verify",
"restart",
"expl",
"unknown cname",
"hacktool",
"domain address",
"contacted hosts",
"process details",
"flag",
"ipv4 add",
"location united",
"america flag",
"exploit",
"show",
"all filehash",
"expiration date",
"gmt location",
"gmt max",
"domain add",
"elite",
"date",
"cowboy",
"United States",
"present feb",
"present oct",
"creation date",
"present nov",
"moved",
"emails"
],
"references": [
"http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/",
"Win32:CVE-2017-0147-B\\ [Expl] , Win.Ransomware.WannaCry-6313787-0 , Exploit:Win32/CVE-2017-0147.A",
"IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
"IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS",
"IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden",
"Yara Detections: WannaCry_Ransomware , Wanna_Cry_Ransomware_Generic , WannaDecryptor",
"Yara Detections: MS17_010_WanaCry_worm , stack_string , MS_Visual_Cpp_6_0 , Armadillov1xxv2xx",
"Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad",
"Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file",
"Alerts: creates_service stealth_window antivm_network_adapters checks_debugger",
"Alerts: peid_packer pe_unknown_resource_name",
"IP\u2019s Contacted: 103.224.212.220 105.242.60.208 117.13.61.219 117.180.208.83 12.105.46.122",
"IP\u2019s Contacted: 121.105.233.189 128.251.173.246 13.248.148.254 132.124.155.52 139.246.30.108",
"Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",
"Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",
"FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7",
"Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)",
"Crowdsourced IDS: Matches rule MALWARE-CNC DNS",
"Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)",
"Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP",
"apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn",
"apple.com-verify.account.manage.test2.aptaforum.com.cn",
"appleid.apple.com-signin-8491e.test2.aptaforum.com.cn",
"appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn",
"web-secure-appleid-login.com.test2.aptaforum.com.cn",
"http://apple.com-verify.account.manage.test2.aptaforum.com.cn/",
"http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/",
"http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/",
"findmy.apple-uk.live",
"apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/",
"http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/",
"http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/",
"http://web-secure-appleid-login.com.test2.aptaforum.com.cn/",
"Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc",
"VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc",
"https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc",
"https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39",
"KeenDNS | keendnsaclremote805717135272048.qeenetic.link",
"https://fonts.googleapis.com/css",
"http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/",
"Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless",
"www.remoteaccess.allied-media.com",
"apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn",
"aptaforum.com.cn 182.61.201.90 , 182.61.201.91 China ASN AS38365 beijing baidu netcom science and technology co. ltd",
"Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com",
"*unsigned Domain: aptaforum.com.cn Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok",
"dns17.hichina.com",
"dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)",
"Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.",
"https://otx.alienvault.com/indicator/domain/qeenetic.link",
"okg.and.googletagmanagers.com",
"pcy.and.googletagmanagers.com",
"pgj.and.googletagmanagers.com",
"prb.and.googletagmanagers.com",
"lkp.and.googletagmanagers.com",
"jgw.and.googletagmanagers.com",
"bzx.and.googletagmanagers.com",
"msedge.b.tlu.dl.delivery.mp.microsoft.com",
"http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/",
"HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related",
"TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render",
"https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699",
"https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c",
"https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38",
"(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html",
"https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c",
"https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Win.Ransomware.WannaCry-6313787-0",
"display_name": "Win.Ransomware.WannaCry-6313787-0",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147.A",
"display_name": "Exploit:Win32/CVE-2017-0147.A",
"target": "/malware/Exploit:Win32/CVE-2017-0147.A"
},
{
"id": "Trojan/JS.Redirector.QNO",
"display_name": "Trojan/JS.Redirector.QNO",
"target": null
},
{
"id": "Win.Trojan.Application-1955.",
"display_name": "Win.Trojan.Application-1955.",
"target": null
},
{
"id": "Win32:Banker-LAA\\ [Trj]",
"display_name": "Win32:Banker-LAA\\ [Trj]",
"target": null
},
{
"id": "Win.Malware.Snojan-6775202-0",
"display_name": "Win.Malware.Snojan-6775202-0",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Trj]",
"display_name": "Win32:Evo-gen\\ [Trj]",
"target": null
},
{
"id": "Win64:Expiro-AJ\\ [Inf]",
"display_name": "Win64:Expiro-AJ\\ [Inf]",
"target": null
},
{
"id": "Win.Trojan.Fugrafa-9733007-0",
"display_name": "Win.Trojan.Fugrafa-9733007-0",
"target": null
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6989114-0",
"display_name": "Win.Trojan.VBGeneric-6989114-0",
"target": null
},
{
"id": "VirTool:Win32/VBInject.YA!MTB",
"display_name": "VirTool:Win32/VBInject.YA!MTB",
"target": "/malware/VirTool:Win32/VBInject.YA!MTB"
},
{
"id": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]",
"display_name": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator",
"display_name": "#VirTool:Win32/Obfuscator",
"target": "/malware/#VirTool:Win32/Obfuscator"
},
{
"id": "Backdoor:Win32/Small.IR",
"display_name": "Backdoor:Win32/Small.IR",
"target": "/malware/Backdoor:Win32/Small.IR"
},
{
"id": "Win64:Expiro-AJ\\ [Inf]",
"display_name": "Win64:Expiro-AJ\\ [Inf]",
"target": null
},
{
"id": "Win32:Dh-A\\",
"display_name": "Win32:Dh-A\\",
"target": null
},
{
"id": "CVE-2017-0147",
"display_name": "CVE-2017-0147",
"target": null
},
{
"id": "Ransom:Win32/CVE-2017-0147.A",
"display_name": "Ransom:Win32/CVE-2017-0147.A",
"target": "/malware/Ransom:Win32/CVE-2017-0147.A"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win.Malware.Flystudio-6738927-0",
"display_name": "Win.Malware.Flystudio-6738927-0",
"target": null
},
{
"id": "ALF:SpikeAexR.PEVPOPC",
"display_name": "ALF:SpikeAexR.PEVPOPC",
"target": null
},
{
"id": "Sf:WNCryLdr-A\\ [Trj]",
"display_name": "Sf:WNCryLdr-A\\ [Trj]",
"target": null
},
{
"id": "Win.Ransomware.WannaCry-6313787-0",
"display_name": "Win.Ransomware.WannaCry-6313787-0",
"target": null
},
{
"id": "ransom:Win32/WannaCrypt.H",
"display_name": "ransom:Win32/WannaCrypt.H",
"target": "/malware/ransom:Win32/WannaCrypt.H"
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1198",
"name": "SIP and Trust Provider Hijacking",
"display_name": "T1198 - SIP and Trust Provider Hijacking"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1543.001",
"name": "Launch Agent",
"display_name": "T1543.001 - Launch Agent"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
}
],
"industries": [
"Government",
"Legal",
"Technology",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3779,
"FileHash-MD5": 422,
"FileHash-SHA1": 411,
"FileHash-SHA256": 1824,
"IPv4": 666,
"domain": 979,
"hostname": 2082,
"CVE": 1,
"BitcoinAddress": 3,
"SSLCertFingerprint": 6,
"email": 8
},
"indicator_count": 10181,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "27 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b7cb05b2098c1d2bf20f",
"name": "federal goverment clone cellbrite credit q vashti",
"description": "",
"modified": "2026-03-12T12:55:39.046000",
"created": "2026-03-12T12:55:39.046000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": "696f7d467763ed4d4e74d133",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "37 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "697cdce9ec418c422eee2054",
"name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019",
"description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.",
"modified": "2026-03-01T16:05:57.375000",
"created": "2026-01-30T16:31:37.011000",
"tags": [
"url https",
"url http",
"tlsv1",
"whitelisted",
"united",
"read c",
"as15169",
"stcalifornia",
"execution",
"dock",
"write",
"persistence",
"malware",
"encrypt",
"active",
"lumen technologies",
"number",
"error",
"regexp",
"sxa0",
"amptoken",
"optout",
"retrieving",
"notfound",
"unknown",
"form",
"flash",
"backdoor",
"writeconsolew",
"yara detections",
"command line",
"pdb path",
"pe resource",
"internalname",
"windows command",
"A",
"aws",
"name servers",
"url analysis",
"passive dns",
"urls",
"data upload",
"extraction",
"palantir",
"c2",
"aerospace",
"tracking",
"spywatchdog",
"palapa-c2",
"communications satellite",
"amazon",
"hughesnet",
"icmp traffic",
"washington c",
"washington ou",
"mopr",
"mon jul",
"local",
"dynamic",
"apple",
"network",
"t1057",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1480",
"guardrails",
"t1566",
"present jan",
"unknown ns",
"ip address",
"dnssec",
"domain",
"dynamic dns",
"government",
"pcup",
"germany unknown",
"link",
"dns hosting",
"cloudns",
"cloud dns",
"a domains",
"ipv4 add",
"title",
"meta",
"class",
"servers",
"present aug",
"aaaa",
"present sep",
"present nov",
"present jul",
"present may",
"moved",
"canada unknown",
"begin",
"record value",
"gmt content",
"type",
"hostname add",
"files",
"ascii text",
"pattern match",
"href",
"mitre att",
"ck id",
"ck matrix",
"network traffic",
"et info",
"general",
"path",
"click",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"adversaries",
"input url",
"defense evasion",
"france",
"ireland",
"netherlands",
"denmark",
"united kingdom",
"type indicator",
"role title",
"added active",
"savvis",
"centurylinktechnology",
"hybrid analysis",
"monitoring tools",
"monitored target",
"triangulation",
"worm",
"intel",
"ms windows",
"pe32",
"write c",
"delete c",
"show",
"russia as47764",
"unix",
"lsan jose",
"odigicert inc",
"markus",
"url add",
"http",
"related nids",
"files location",
"russia flag",
"russia hostname",
"russia",
"russia unknown",
"hosting",
"federation flag",
"body",
"gmt vary",
"accept encoding",
"gmt cache",
"certificate",
"pulse submit",
"unknown aaaa",
"search",
"entries",
"script domains",
"script urls",
"pdx cf"
],
"references": [
"\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device",
"Yare: compromised_site_redirector_fromcharcode",
"Alerts: network_icmp nolookup_communication js_eval recon_fingerprint",
"Alerts: console_output has_pdb pe_unknown_resource_name",
"File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..",
"Tipped: A targets AI and other cyber research findings.",
"A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.",
"track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software",
"https://palapa.c.id\t (c.id)",
"Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com",
"cedevice.io \u2022 decagonsoftware.com",
"http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net",
"http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF",
"pcup.gov.ph:",
"http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:",
"https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:",
"https://elegantcosmedampyeah.pages.dev/",
"https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/",
"inst.govelopscold.com",
"https://feedback.ptv.vic.gov.au/360",
"nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au",
"nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au",
"https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d",
"https://brand.centurylinktechnology.com",
"https://prod.centurylinktechnology.com",
"https://brand2.centurylinktechnology.com",
"https://mobile-pocket-guide.centurylinktechnology.com",
"UPX_OEP_place",
"Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg",
"ASP. NET",
"https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:",
"7box.vip"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan.Tofsee/Botx",
"display_name": "Trojan.Tofsee/Botx",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "PWS:Win32/Axespec.A",
"display_name": "PWS:Win32/Axespec.A",
"target": "/malware/PWS:Win32/Axespec.A"
},
{
"id": "Worm:Win32/Lightmoon.H",
"display_name": "Worm:Win32/Lightmoon.H",
"target": "/malware/Worm:Win32/Lightmoon.H"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1439",
"name": "Eavesdrop on Insecure Network Communication",
"display_name": "T1439 - Eavesdrop on Insecure Network Communication"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1069.003",
"name": "Cloud Groups",
"display_name": "T1069.003 - Cloud Groups"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 102,
"FileHash-SHA1": 59,
"FileHash-SHA256": 1929,
"domain": 854,
"hostname": 2156,
"URL": 4475,
"SSLCertFingerprint": 9,
"email": 7,
"CVE": 1
},
"indicator_count": 9592,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "48 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696f7d467763ed4d4e74d133",
"name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login",
"description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.",
"modified": "2026-02-19T12:05:47.166000",
"created": "2026-01-20T13:04:06.622000",
"tags": [
"url https",
"url http",
"germany",
"united",
"ukraine",
"japan",
"extraction",
"data upload",
"urls",
"url analysis",
"enter sc",
"extr",
"iocs",
"active",
"france unknown",
"present jan",
"servers",
"homair sweet",
"grabber",
"encrypt",
"ipv4",
"role title",
"divx",
"pitfall",
"internet",
"ip role",
"america asn",
"extraction data",
"leveibielabs",
"all se",
"enter source",
"url or",
"texirag",
"drop",
"present nov",
"united states",
"america",
"levdibidelabs",
"failed",
"idron anv",
"include manualv",
"review data",
"iterng",
"name servers",
"passive dns",
"incapsula",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"script head",
"request",
"cookie",
"indicator",
"msie",
"chrome",
"backdoor",
"gmt content",
"ipv4 add",
"twitter",
"title",
"process32nextw",
"ms windows",
"intel",
"pe32",
"regopenkeyexa",
"read c",
"medium",
"class",
"write",
"template",
"present oct",
"present jul",
"aaaa",
"present sep",
"present aug",
"url add",
"http",
"hostname",
"related tags",
"kx81xdbx0f",
"x86xd3",
"xa7xe28x06",
"x82xd4",
"delete c",
"regsetvalueexa",
"regbinary",
"xa1xf1",
"xe8xc2x14",
"malware",
"stream",
"unknown",
"win32",
"persistence",
"execution",
"push",
"present dec",
"italy",
"present jun",
"embeddedwb",
"whitelisted",
"windows nt",
"dns traffic",
"russia",
"cname",
"accept",
"destination",
"port",
"et smtp",
"message",
"et trojan",
"components",
"suspicious",
"download",
"hostile",
"next",
"logic",
"gather victim",
"et info",
"etpro trojan",
"trojan",
"report spam",
"interesting",
"created",
"pegasus",
"manipulation",
"service",
"capture",
"et",
"etpro",
"host",
"attack",
"mtb description",
"windows",
"shellexecuteexw",
"writeconsolew",
"registry",
"t1031",
"modify existing",
"dock",
"type indicator",
"added active",
"related pulses",
"arcflex",
"filehashsha1",
"types of",
"learn more",
"filehashsha256",
"cellebrite",
"white label",
"search",
"sha1",
"france",
"cmanual jan",
"expiration date",
"domain add",
"pulse submit",
"files",
"ip address",
"gmt cache",
"sameorigin",
"reverse dns",
"unknown ns",
"admin org",
"zipcode",
"gmt server",
"pulse pulses",
"entries",
"hostname add",
"verdict",
"germany unknown",
"status",
"domain",
"xpirat",
"netherlands",
"netherlands asn",
"as35280 acorus",
"dns resolutions",
"error",
"files ip",
"copy",
"telnet login",
"suspicious path",
"busybox",
"login attempt",
"gpl telnet",
"high",
"tcp syn",
"telnet root",
"path",
"mirai",
"emails",
"domain name",
"jlu11q",
"tqbplo",
"hours ago",
"found",
"yahoo",
"gmail",
"yandex",
"https://cellebrite.com/en/federal-government/",
"monitoring",
"monitored target",
"dangerous",
"spyware",
"80211",
"colorado",
"x amz",
"government",
"mirai login attempt",
"emotet",
"c2",
".ru",
".com",
"denver",
"indicator role",
"title added",
"active related",
"pulses hostname",
"dead connect",
"hostile",
"adversarial",
"abuse",
"criminal intent",
"block messages",
"botnet"
],
"references": [
"fastwebnet.it | Cellebrite White Label Spyware Service",
"putrhnwl.exe",
"Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut",
"Alerts: exe_appdata injection_process_search privilege_luid_check process_interest",
"Alerts: queries_programs antivm_queries_computername antivm_memory_available",
"IP\u2019s Contacted : 54.230.129.165",
"Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com",
"Domains Contacted: pitfall.divx.com www.google.com",
"RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Yara: Detections Tofsee",
"Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey",
"Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername",
"https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966",
"FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,",
"DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe",
"ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116",
"ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116",
"ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101",
"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238",
"ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108",
"ET TROJAN Suspicious double Server Header",
"ET DNS DNS Query to a .tk domain - Likey",
"ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101",
"Needs to be sorted. Actively being exploited on US",
"162.159.134.42 \u2022 https://cellebrite.com/",
"https://cellebrite.com/en/federal-government/",
"moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in",
"skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au",
"http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com",
"applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33",
"mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my",
"http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Germany",
"Ireland",
"Switzerland",
"Poland",
"Belgium",
"Netherlands",
"Sweden"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Trojan:Win32/Emotet.PC!MTB",
"display_name": "Trojan:Win32/Emotet.PC!MTB",
"target": "/malware/Trojan:Win32/Emotet.PC!MTB"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Aptdrop.RU",
"display_name": "Trojan:Win32/Aptdrop.RU",
"target": "/malware/Trojan:Win32/Aptdrop.RU"
},
{
"id": "Ransomware/Win.Stop.R4529",
"display_name": "Ransomware/Win.Stop.R4529",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32/BackdoorX",
"display_name": "Win32/BackdoorX",
"target": null
},
{
"id": "Win.Trojan.Dialog-9873788-0",
"display_name": "Win.Trojan.Dialog-9873788-0",
"target": null
},
{
"id": "Tsunami-6981155-0",
"display_name": "Tsunami-6981155-0",
"target": null
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Backdoor:Linux/DemonBot",
"display_name": "Backdoor:Linux/DemonBot",
"target": "/malware/Backdoor:Linux/DemonBot"
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1196",
"name": "Control Panel Items",
"display_name": "T1196 - Control Panel Items"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1505",
"name": "Server Software Component",
"display_name": "T1505 - Server Software Component"
},
{
"id": "T1556",
"name": "Modify Authentication Process",
"display_name": "T1556 - Modify Authentication Process"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1581",
"name": "Geofencing",
"display_name": "T1581 - Geofencing"
},
{
"id": "T1582",
"name": "SMS Control",
"display_name": "T1582 - SMS Control"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1587",
"name": "Develop Capabilities",
"display_name": "T1587 - Develop Capabilities"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Journalists",
"Government",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4994,
"domain": 2519,
"hostname": 3281,
"FileHash-SHA256": 4467,
"FileHash-MD5": 1118,
"FileHash-SHA1": 1056,
"email": 12,
"SSLCertFingerprint": 1
},
"indicator_count": 17448,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "58 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696ac438a696c993b672106d",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:28.261000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "anderscloud.eus",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "anderscloud.eus",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776596866.4965942
}