{ "type": "Domain", "indicator": "androidx.media", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/androidx.media", "alexa": "http://www.alexa.com/siteinfo/androidx.media", "indicator": "androidx.media", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3103492527, "indicator": "androidx.media", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69f066fc4532f3cdb1c4496c", "name": "2025-07-09- Socket not responding: [Errno 104] Connection reset by peer", "description": "2025-07-09- Socket not responding: [Errno 104] Connection reset by peer.\nArin has assigned client who does not hold an aws account a server that is unsigned and expired (potentially) leaving amazon vulnerable. Rec: watch ai \"facts\" \"do you want to know\" and alexa skills for potential exploitation due to degrading systems which are not a company reflection rather an epic IP server and certificate failure worldwide, mostly United though. Attached are known and public sourcee APK Base IOCs.", "modified": "2026-05-29T00:06:38.152000", "created": "2026-04-28T07:51:24.539000", "tags": [ "date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "amazon", "net3128001", "net3168001" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 521, "FileHash-SHA1": 400, "FileHash-SHA256": 2258, "domain": 128, "hostname": 221, "CIDR": 3, "URL": 266 }, "indicator_count": 3797, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69898b686bf6ae5a053884de", "name": "02.08.26 #SparkRat #sparkrat", "description": "The full list of names, phrases and symbols for the Android app, compiled by the 2d4c4842ef7a7009f65a5ac8763feb535dc0bc4bb4521b26e01c3686cf2dbfd4\nandroid_agent_comodo.apk\n02.08.26 #SparkRat #sparkrat\n\n**Victim Device - this is their MDR [ want to burn device with fire ]. Victim casually connects to AHS/Cov Health, U of A, Gov of AB. Doesn't want to report to Law Enforcement as haven't had success with RCMP/EPS/CrimeStoppers.", "modified": "2026-03-11T07:01:21.026000", "created": "2026-02-09T07:23:20.587000", "tags": [ "hehehe", "entity", "please", "javascript", "version", "no meaningful", "file list", "size first", "blab", "version text", "license text", "ip address", "ip adresses", "domain list", "url list", "status http", "SparkRat", "sparkrat", "Comodo" ], "references": [ "https://www.virustotal.com/graph/embed/gcbfd106383f24ab0a964d2dda9a2224cb1ecacd1285a494fac2e6d15c3a1b67f?theme=dark", "https://www.virustotal.com/gui/collection/7a12aeb8c48f73c63e328385690292f64f464cad68727670382e452913810a29/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Technology", "Telecommunications", "Healthcare", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 35, "FileHash-SHA1": 35, "FileHash-SHA256": 289, "domain": 18, "hostname": 15, "CIDR": 12, "URL": 6 }, "indicator_count": 410, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694b02eb945649ff909f06d5", "name": "$RECYCLE . BIN\\ -> Part 2", "description": "E:\\Suss-SG2\\$RECYCLE.BIN\\\n\nVictim Google Pixel Telus ISP Norton AV Device\nDevice connected to AHS/Covenant Health, University of Alberta, Government of Alberta", "modified": "2026-01-28T02:03:16.337000", "created": "2025-12-23T21:00:27.029000", "tags": [ "Telus", "YEG", "AHS", "Pixel", "ConnectCare", "Norton", "UAlberta", "Google" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65761, "FileHash-SHA1": 56561, "FileHash-SHA256": 43672, "domain": 1373, "email": 39, "URL": 466, "hostname": 818, "CVE": 3, "CIDR": 2 }, "indicator_count": 168695, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61e7bcf3f4a7e99b8c944196", "name": "NewDom-0-20220119", "description": "ICANN-Dom", "modified": "2022-03-05T00:01:03.599000", "created": "2022-01-19T07:25:39.512000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "https://www.virustotal.com/graph/embed/gcbfd106383f24ab0a964d2dda9a2224cb1ecacd1285a494fac2e6d15c3a1b67f?theme=dark", "https://www.virustotal.com/gui/collection/7a12aeb8c48f73c63e328385690292f64f464cad68727670382e452913810a29/iocs" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [ "Technology", "Government", "Healthcare", "Telecommunications", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69f066fc4532f3cdb1c4496c", "name": "2025-07-09- Socket not responding: [Errno 104] Connection reset by peer", "description": "2025-07-09- Socket not responding: [Errno 104] Connection reset by peer.\nArin has assigned client who does not hold an aws account a server that is unsigned and expired (potentially) leaving amazon vulnerable. Rec: watch ai \"facts\" \"do you want to know\" and alexa skills for potential exploitation due to degrading systems which are not a company reflection rather an epic IP server and certificate failure worldwide, mostly United though. Attached are known and public sourcee APK Base IOCs.", "modified": "2026-05-29T00:06:38.152000", "created": "2026-04-28T07:51:24.539000", "tags": [ "date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "amazon", "net3128001", "net3168001" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 521, "FileHash-SHA1": 400, "FileHash-SHA256": 2258, "domain": 128, "hostname": 221, "CIDR": 3, "URL": 266 }, "indicator_count": 3797, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69898b686bf6ae5a053884de", "name": "02.08.26 #SparkRat #sparkrat", "description": "The full list of names, phrases and symbols for the Android app, compiled by the 2d4c4842ef7a7009f65a5ac8763feb535dc0bc4bb4521b26e01c3686cf2dbfd4\nandroid_agent_comodo.apk\n02.08.26 #SparkRat #sparkrat\n\n**Victim Device - this is their MDR [ want to burn device with fire ]. Victim casually connects to AHS/Cov Health, U of A, Gov of AB. Doesn't want to report to Law Enforcement as haven't had success with RCMP/EPS/CrimeStoppers.", "modified": "2026-03-11T07:01:21.026000", "created": "2026-02-09T07:23:20.587000", "tags": [ "hehehe", "entity", "please", "javascript", "version", "no meaningful", "file list", "size first", "blab", "version text", "license text", "ip address", "ip adresses", "domain list", "url list", "status http", "SparkRat", "sparkrat", "Comodo" ], "references": [ "https://www.virustotal.com/graph/embed/gcbfd106383f24ab0a964d2dda9a2224cb1ecacd1285a494fac2e6d15c3a1b67f?theme=dark", "https://www.virustotal.com/gui/collection/7a12aeb8c48f73c63e328385690292f64f464cad68727670382e452913810a29/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Technology", "Telecommunications", "Healthcare", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 35, "FileHash-SHA1": 35, "FileHash-SHA256": 289, "domain": 18, "hostname": 15, "CIDR": 12, "URL": 6 }, "indicator_count": 410, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694b02eb945649ff909f06d5", "name": "$RECYCLE . BIN\\ -> Part 2", "description": "E:\\Suss-SG2\\$RECYCLE.BIN\\\n\nVictim Google Pixel Telus ISP Norton AV Device\nDevice connected to AHS/Covenant Health, University of Alberta, Government of Alberta", "modified": "2026-01-28T02:03:16.337000", "created": "2025-12-23T21:00:27.029000", "tags": [ "Telus", "YEG", "AHS", "Pixel", "ConnectCare", "Norton", "UAlberta", "Google" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65761, "FileHash-SHA1": 56561, "FileHash-SHA256": 43672, "domain": 1373, "email": 39, "URL": 466, "hostname": 818, "CVE": 3, "CIDR": 2 }, "indicator_count": 168695, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61e7bcf3f4a7e99b8c944196", "name": "NewDom-0-20220119", "description": "ICANN-Dom", "modified": "2022-03-05T00:01:03.599000", "created": "2022-01-19T07:25:39.512000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "androidx.media", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "androidx.media", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780280254.2707815 }