{ "type": "Domain", "indicator": "antespam.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/antespam.com", "alexa": "http://www.alexa.com/siteinfo/antespam.com", "indicator": "antespam.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2131409072, "indicator": "antespam.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "7 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b7241a63b7527ac2b04d60", "name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]", "description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019 by msudosos notated in references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]", "modified": "2026-04-14T18:06:37.524000", "created": "2026-03-15T21:26:50.218000", "tags": [ "man software", "destination", "port", "united", "delete", "read c", "virustotal", "patched3_c.akrv", "armadillov171", "dod", "thinkman", "win32", "trojan", "present mar", "backdoor", "urls", "files", "unknown", "search", "china as23724", "asnone", "artemis", "zeppelin", "drweb", "vipre", "panda", "malware", "suspicious", "cloud", "logic", "et trojan", "et info", "download", "windows", "embeddedwb", "shellexecuteexw", "msie", "windows nt", "writeconsolew", "displayname", "service", "ids detections", "yara detections", "crypt", "medium", "whitelisted", "passive dns", "worm", "mtb may", "mtb aug", "otx logo", "all ipv4", "pulse pulses", "dynamicloader", "yara rule", "ff d5", "high", "reg add", "regsz d", "write", "file type", "pexe", "pe32", "intel", "ms windows", "pe packer", "pm size", "pehash", "richhash", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "over", "sha256", "sha1", "ascii text", "size", "mitre att", "pattern match", "null", "span", "error", "body", "hybrid", "general", "local", "path", "click", "strings", "refresh", "tools", "title", "show technique", "look", "verify", "restart", "t1480 execution", "navy", "reputation", "adult content", "cyber warfare" ], "references": [ "AVDetections: Patched3_c.AKRV", "Yara Detections: Armadillov171", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "Email: d4@thinkman.com", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "ASN AS27064 dod network information center", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "Alerts: stealth_window packer_entropy uses_windows_utilities", "Alerts: console_output antivm_memory_available pe_features", "Yara Detections: MS_Visual_Basic_6_0", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "mailbox.co.za", "fmx32.aig.com \u2022 167.230.105.81", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Patched3_c.AKRV", "display_name": "Patched3_c.AKRV", "target": null }, { "id": "Win32:Agent-ALXE\\ [Rtk]", "display_name": "Win32:Agent-ALXE\\ [Rtk]", "target": null }, { "id": "Win.Trojan.Rootkit-4668", "display_name": "Win.Trojan.Rootkit-4668", "target": null }, { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Crypt3.CHZW", "display_name": "Crypt3.CHZW", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Crypt3.BOQD\t\t Inject2.BHBW", "display_name": "Crypt3.BOQD\t\t Inject2.BHBW", "target": null }, { "id": "Crypt3.BMVU", "display_name": "Crypt3.BMVU", "target": null }, { "id": "Trojan.DownLoader12.43161", "display_name": "Trojan.DownLoader12.43161", "target": null }, { "id": "HEUR/UnSec", "display_name": "HEUR/UnSec", "target": null }, { "id": "ET Trojan", "display_name": "ET Trojan", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "TrojanDownloader:Win32/Umbald.A", "display_name": "TrojanDownloader:Win32/Umbald.A", "target": "/malware/TrojanDownloader:Win32/Umbald.A" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Military", "Defense", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 165, "FileHash-SHA1": 165, "FileHash-SHA256": 3524, "URL": 11424, "email": 1, "hostname": 3954, "domain": 2523 }, "indicator_count": 21756, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ed3405846f76971a60822c", "name": "216.106.44.52 Socket telecom", "description": "Trojans, mailserver? Local isp communicating files, AV wont upload refderring file hashes", "modified": "2023-10-02T01:05:49.285000", "created": "2023-08-28T23:55:49.286000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Hell-On-A-Stick", "id": "186907", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 46, "FileHash-SHA256": 117, "domain": 72, "hostname": 28, "URL": 6, "URI": 9 }, "indicator_count": 331, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "972 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "mailbox.co.za", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "Yara Detections: MS_Visual_Basic_6_0", "Yara Detections: Armadillov171", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "ASN AS27064 dod network information center", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "fmx32.aig.com \u2022 167.230.105.81", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "Alerts: stealth_window packer_entropy uses_windows_utilities", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "AVDetections: Patched3_c.AKRV", "Alerts: console_output antivm_memory_available pe_features", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "Email: d4@thinkman.com", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Win32:trojan-gen", "Crypt3.boqd\t\t inject2.bhbw", "Win.trojan.rootkit-4668", "Backdoor:win32/tofsee.t", "Trojan:win32/tiggre!rfn", "Trojan.downloader12.43161", "Inject2.bive", "Heur/unsec", "Crypt3.bxmj", "Win32:agent-alxe\\ [rtk]", "Win32:malware-gen", "Crypt3.bmvu", "Et trojan", "Trojandownloader:win32/umbald.a", "Crypt3.bxvc", "Patched3_c.akrv", "Crypt3.chzw" ], "industries": [ "Government", "Insurance", "Defense", "Military" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "7 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b7241a63b7527ac2b04d60", "name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]", "description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019 by msudosos notated in references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]", "modified": "2026-04-14T18:06:37.524000", "created": "2026-03-15T21:26:50.218000", "tags": [ "man software", "destination", "port", "united", "delete", "read c", "virustotal", "patched3_c.akrv", "armadillov171", "dod", "thinkman", "win32", "trojan", "present mar", "backdoor", "urls", "files", "unknown", "search", "china as23724", "asnone", "artemis", "zeppelin", "drweb", "vipre", "panda", "malware", "suspicious", "cloud", "logic", "et trojan", "et info", "download", "windows", "embeddedwb", "shellexecuteexw", "msie", "windows nt", "writeconsolew", "displayname", "service", "ids detections", "yara detections", "crypt", "medium", "whitelisted", "passive dns", "worm", "mtb may", "mtb aug", "otx logo", "all ipv4", "pulse pulses", "dynamicloader", "yara rule", "ff d5", "high", "reg add", "regsz d", "write", "file type", "pexe", "pe32", "intel", "ms windows", "pe packer", "pm size", "pehash", "richhash", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "over", "sha256", "sha1", "ascii text", "size", "mitre att", "pattern match", "null", "span", "error", "body", "hybrid", "general", "local", "path", "click", "strings", "refresh", "tools", "title", "show technique", "look", "verify", "restart", "t1480 execution", "navy", "reputation", "adult content", "cyber warfare" ], "references": [ "AVDetections: Patched3_c.AKRV", "Yara Detections: Armadillov171", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "Email: d4@thinkman.com", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "ASN AS27064 dod network information center", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "Alerts: stealth_window packer_entropy uses_windows_utilities", "Alerts: console_output antivm_memory_available pe_features", "Yara Detections: MS_Visual_Basic_6_0", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "mailbox.co.za", "fmx32.aig.com \u2022 167.230.105.81", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Patched3_c.AKRV", "display_name": "Patched3_c.AKRV", "target": null }, { "id": "Win32:Agent-ALXE\\ [Rtk]", "display_name": "Win32:Agent-ALXE\\ [Rtk]", "target": null }, { "id": "Win.Trojan.Rootkit-4668", "display_name": "Win.Trojan.Rootkit-4668", "target": null }, { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Crypt3.CHZW", "display_name": "Crypt3.CHZW", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Crypt3.BOQD\t\t Inject2.BHBW", "display_name": "Crypt3.BOQD\t\t Inject2.BHBW", "target": null }, { "id": "Crypt3.BMVU", "display_name": "Crypt3.BMVU", "target": null }, { "id": "Trojan.DownLoader12.43161", "display_name": "Trojan.DownLoader12.43161", "target": null }, { "id": "HEUR/UnSec", "display_name": "HEUR/UnSec", "target": null }, { "id": "ET Trojan", "display_name": "ET Trojan", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "TrojanDownloader:Win32/Umbald.A", "display_name": "TrojanDownloader:Win32/Umbald.A", "target": "/malware/TrojanDownloader:Win32/Umbald.A" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Military", "Defense", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 165, "FileHash-SHA1": 165, "FileHash-SHA256": 3524, "URL": 11424, "email": 1, "hostname": 3954, "domain": 2523 }, "indicator_count": 21756, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ed3405846f76971a60822c", "name": "216.106.44.52 Socket telecom", "description": "Trojans, mailserver? Local isp communicating files, AV wont upload refderring file hashes", "modified": "2023-10-02T01:05:49.285000", "created": "2023-08-28T23:55:49.286000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Hell-On-A-Stick", "id": "186907", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 46, "FileHash-SHA256": 117, "domain": 72, "hostname": 28, "URL": 6, "URI": 9 }, "indicator_count": 331, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "972 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "antespam.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "antespam.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780214704.1441185 }