{ "type": "Domain", "indicator": "applebugbounty.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/applebugbounty.com", "alexa": "http://www.alexa.com/siteinfo/applebugbounty.com", "indicator": "applebugbounty.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4204100963, "indicator": "applebugbounty.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69aeda93ec05fb8653adca6d", "name": "clone of my pulse. this dmv kit pdfkit.net used the same off logo kit it was one of the few i found in their fcc application . rpi&macids look for", "description": "", "modified": "2026-04-08T00:00:45.252000", "created": "2026-03-09T14:34:59.072000", "tags": [ "pfft.net" ], "references": [ "" ], "public": 1, "adversary": "pi, pdfkit.net", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "698c75717175e2cc7ff33df2", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 551, "domain": 638, "CVE": 114, "hostname": 449, "email": 28, "FileHash-MD5": 145, "FileHash-SHA1": 188, "FileHash-SHA256": 132, "Mutex": 1 }, "indicator_count": 2246, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "56 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698d30c03b57c38dff915023", "name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone", "description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).", "modified": "2026-03-29T06:02:00.914000", "created": "2026-02-12T01:45:36.128000", "tags": [ "The dynamics of the mudoSOSIntersectalign with sophisticated adv" ], "references": [ "as15169" ], "public": 1, "adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URI": 1, "domain": 2661, "URL": 6810, "hostname": 2147, "email": 56, "FileHash-SHA256": 2781, "CVE": 172, "FileHash-MD5": 365, "FileHash-SHA1": 344, "IPv4": 1, "CIDR": 20940 }, "indicator_count": 36278, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "66 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698c3273517158869e0ba780", "name": "Reputation Shielded C2 Pivot; High-Churn Wix Infrastructure with iCloud Exfil Adjacency", "description": "Researcher Note (Feb 11, 2026) IPv4 185.230.61.96 (AS58182 \u2013 Wix.com Ltd.), resolving to unalocated.61.wixsite.com, demonstrates indicators consistent with structured abuse of shared SaaS hosting for command-and-control operations. Passive DNS telemetry reflects 500+ historical domain bindings across 52 TLDs, suggesting deliberate namespace dispersion and rotational overlay management rather than static tenancy. Network detections include repeated FormBook HTTP GET check-ins, Pushdo loader beacon cadence, and Windows Network Diagnostics user-agent spoofing, collectively aligning with controlled tasking infrastructure. Associated artifacts (11/50 AV detections) cluster around credential-stealer and loader families, including FormBook and GandCrab lineage components. The behavioral profile supports assessment of reputation parasitism\u2014leveraging trusted hosting to inherit platform trust and evade domain-based enforcement controls. Confidence: Moderate-High. MITRE: T1071.001, T1105, T1036.", "modified": "2026-03-29T00:29:26.398000", "created": "2026-02-11T07:40:32.757000", "tags": [], "references": [], "public": 1, "adversary": "Tier-1 SaaS Reputation Parasitism Leveraging Wix Infrastructure", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 265, "domain": 294, "URL": 331, "email": 12, "CVE": 61, "FileHash-MD5": 73, "FileHash-SHA1": 64, "FileHash-SHA256": 74 }, "indicator_count": 1174, "is_author": false, "is_subscribing": null, "subscriber_count": 76, "modified_text": "66 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6988faa4f668aeeed6f86da8", "name": "zero trust", "description": "researcher credit: msudoSOS : CLBCatQ.DLL\tThe malware is hijacking your COM+ Class Catalog to hide as a System Service.\nCoMarshalInterface\tYour identity is being \"packaged\" and sent via the LTE Trial to the '' Edge.\npid 2356 / 2812\tThese are the active processes currently communicating with the 49.12.22.106 C2 server.", "modified": "2026-03-27T09:05:26.285000", "created": "2026-02-08T21:05:37.829000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/C2Lop", "display_name": "ALF:HeraklezEval:Trojan:Win32/C2Lop", "target": null }, { "id": "#LowFi:HSTR:PyInstaller_Packaged_Script", "display_name": "#LowFi:HSTR:PyInstaller_Packaged_Script", "target": null }, { "id": "#Exploit:Win32/BlofeldsCat", "display_name": "#Exploit:Win32/BlofeldsCat", "target": "/malware/#Exploit:Win32/BlofeldsCat" }, { "id": "TEL:Exploit:HTML/PSWebkit", "display_name": "TEL:Exploit:HTML/PSWebkit", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 394, "hostname": 250, "CVE": 112, "URL": 190, "email": 25, "JA3": 1, "FileHash-MD5": 191, "FileHash-SHA1": 214, "FileHash-SHA256": 607 }, "indicator_count": 1984, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698904c316bc7710b967d01d", "name": "Rare Tier 1 Persistence - Critical \"Patched\", Non Patched Vulnerabilities Remain bypassing Lockdown Mode", "description": "Researcher Note (Feb 08, 2026):\nThis artifact represents a sophisticated Cross-Protocol Mesh. Observations confirm that the Cymt/Nemucod wrapper is being utilized as a delivery vehicle for a Firmware-resident ELF binary (Mirai variant).\nThe persistence is notable for its ability to survive Full DFU Restores and Faraday-isolated states, likely due to JTAG-level interaction with the Power Management IC (Chip 4799). This is not a standard opportunistic infection; it is a targeted provisioning event leveraging IDMSA (Identity Management) bridges and Verizon/Akamai Edge infrastructure.\nThe integration with CalendarKit and Maps for geofenced execution suggests a highly coordinated surveillance objective. Forensic analysts should pay specific attention to the sizeofrawdata_antidbg anomalies, which indicate a focus on bypassing Apple Lockdown Mode and Secure Enclave. \nresearcher credit: msudoSOS", "modified": "2026-03-27T09:05:26.285000", "created": "2026-02-08T21:48:49.147000", "tags": [ "#supportsitewebsiteabuse #rootcertificatefailure #cryptographicf" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 909, "URL": 1779, "CVE": 126, "domain": 659, "email": 23, "JA3": 1, "FileHash-MD5": 230, "FileHash-SHA1": 227, "FileHash-SHA256": 934, "CIDR": 13 }, "indicator_count": 4901, "is_author": false, "is_subscribing": null, "subscriber_count": 76, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698910e3f78fe72e45c8e068", "name": "hostasa.org", "description": "Correlated activity identified with hostasa.org (IP: 34.41.139.193). Indicators suggest an MSI-based Malspam vector initiated on May 4, 2025. Artifacts utilize HWRN nameservers for resilient command-and-control, bridging ASP.NET reflective loaders to the Verizon LTE/Baseband layer. Domain is currently tagged for SpyNoon and ClipBanker exfiltration", "modified": "2026-03-27T00:30:39.055000", "created": "2026-02-08T22:40:32.430000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 80, "URL": 141, "domain": 348, "hostname": 234, "email": 18, "JA3": 1, "FileHash-MD5": 10, "FileHash-SHA1": 7, "FileHash-SHA256": 6 }, "indicator_count": 845, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698918baac756a084ef67089", "name": "151.101.0.22", "description": "151.101.0.22", "modified": "2026-03-27T00:30:39.055000", "created": "2026-02-08T23:13:59.775000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 317, "domain": 494, "URL": 286, "CVE": 78, "email": 33, "JA3": 1, "FileHash-MD5": 10, "FileHash-SHA1": 4, "FileHash-SHA256": 2 }, "indicator_count": 1225, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698c75717175e2cc7ff33df2", "name": "103.203.175.90 - Document and Domain Research Intersect, PDFKIT.NET DMV", "description": "http://103.203.175.90:81/fdScript/RootOfEBooks/E%20Book%20collection%20-%202024%20-%20D/CSE%20%20IT%20AIDS%20ML/Raspberry%20Pi%20linux-@Computer_IT_Engineering.pdf\n103.203.175.90", "modified": "2026-03-27T00:30:39.055000", "created": "2026-02-11T12:26:20.490000", "tags": [ "pfft.net" ], "references": [ "" ], "public": 1, "adversary": "pi, pdfkit.net", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 550, "domain": 638, "CVE": 113, "hostname": 445, "email": 28, "FileHash-MD5": 145, "FileHash-SHA1": 136, "FileHash-SHA256": 132, "Mutex": 1 }, "indicator_count": 2188, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "as15169" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Tier-1 SaaS Reputation Parasitism Leveraging Wix Infrastructure", "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "pi, pdfkit.net" ], "malware_families": [ "#exploit:win32/blofeldscat", "#lowfi:hstr:pyinstaller_packaged_script", "Alf:heraklezeval:trojan:win32/c2lop", "Tel:exploit:html/pswebkit" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69aeda93ec05fb8653adca6d", "name": "clone of my pulse. this dmv kit pdfkit.net used the same off logo kit it was one of the few i found in their fcc application . rpi&macids look for", "description": "", "modified": "2026-04-08T00:00:45.252000", "created": "2026-03-09T14:34:59.072000", "tags": [ "pfft.net" ], "references": [ "" ], "public": 1, "adversary": "pi, pdfkit.net", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "698c75717175e2cc7ff33df2", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 551, "domain": 638, "CVE": 114, "hostname": 449, "email": 28, "FileHash-MD5": 145, "FileHash-SHA1": 188, "FileHash-SHA256": 132, "Mutex": 1 }, "indicator_count": 2246, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "56 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698d30c03b57c38dff915023", "name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone", "description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).", "modified": "2026-03-29T06:02:00.914000", "created": "2026-02-12T01:45:36.128000", "tags": [ "The dynamics of the mudoSOSIntersectalign with sophisticated adv" ], "references": [ "as15169" ], "public": 1, "adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URI": 1, "domain": 2661, "URL": 6810, "hostname": 2147, "email": 56, "FileHash-SHA256": 2781, "CVE": 172, "FileHash-MD5": 365, "FileHash-SHA1": 344, "IPv4": 1, "CIDR": 20940 }, "indicator_count": 36278, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "66 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698c3273517158869e0ba780", "name": "Reputation Shielded C2 Pivot; High-Churn Wix Infrastructure with iCloud Exfil Adjacency", "description": "Researcher Note (Feb 11, 2026) IPv4 185.230.61.96 (AS58182 \u2013 Wix.com Ltd.), resolving to unalocated.61.wixsite.com, demonstrates indicators consistent with structured abuse of shared SaaS hosting for command-and-control operations. Passive DNS telemetry reflects 500+ historical domain bindings across 52 TLDs, suggesting deliberate namespace dispersion and rotational overlay management rather than static tenancy. Network detections include repeated FormBook HTTP GET check-ins, Pushdo loader beacon cadence, and Windows Network Diagnostics user-agent spoofing, collectively aligning with controlled tasking infrastructure. Associated artifacts (11/50 AV detections) cluster around credential-stealer and loader families, including FormBook and GandCrab lineage components. The behavioral profile supports assessment of reputation parasitism\u2014leveraging trusted hosting to inherit platform trust and evade domain-based enforcement controls. Confidence: Moderate-High. MITRE: T1071.001, T1105, T1036.", "modified": "2026-03-29T00:29:26.398000", "created": "2026-02-11T07:40:32.757000", "tags": [], "references": [], "public": 1, "adversary": "Tier-1 SaaS Reputation Parasitism Leveraging Wix Infrastructure", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 265, "domain": 294, "URL": 331, "email": 12, "CVE": 61, "FileHash-MD5": 73, "FileHash-SHA1": 64, "FileHash-SHA256": 74 }, "indicator_count": 1174, "is_author": false, "is_subscribing": null, "subscriber_count": 76, "modified_text": "66 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6988faa4f668aeeed6f86da8", "name": "zero trust", "description": "researcher credit: msudoSOS : CLBCatQ.DLL\tThe malware is hijacking your COM+ Class Catalog to hide as a System Service.\nCoMarshalInterface\tYour identity is being \"packaged\" and sent via the LTE Trial to the '' Edge.\npid 2356 / 2812\tThese are the active processes currently communicating with the 49.12.22.106 C2 server.", "modified": "2026-03-27T09:05:26.285000", "created": "2026-02-08T21:05:37.829000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/C2Lop", "display_name": "ALF:HeraklezEval:Trojan:Win32/C2Lop", "target": null }, { "id": "#LowFi:HSTR:PyInstaller_Packaged_Script", "display_name": "#LowFi:HSTR:PyInstaller_Packaged_Script", "target": null }, { "id": "#Exploit:Win32/BlofeldsCat", "display_name": "#Exploit:Win32/BlofeldsCat", "target": "/malware/#Exploit:Win32/BlofeldsCat" }, { "id": "TEL:Exploit:HTML/PSWebkit", "display_name": "TEL:Exploit:HTML/PSWebkit", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 394, "hostname": 250, "CVE": 112, "URL": 190, "email": 25, "JA3": 1, "FileHash-MD5": 191, "FileHash-SHA1": 214, "FileHash-SHA256": 607 }, "indicator_count": 1984, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698904c316bc7710b967d01d", "name": "Rare Tier 1 Persistence - Critical \"Patched\", Non Patched Vulnerabilities Remain bypassing Lockdown Mode", "description": "Researcher Note (Feb 08, 2026):\nThis artifact represents a sophisticated Cross-Protocol Mesh. Observations confirm that the Cymt/Nemucod wrapper is being utilized as a delivery vehicle for a Firmware-resident ELF binary (Mirai variant).\nThe persistence is notable for its ability to survive Full DFU Restores and Faraday-isolated states, likely due to JTAG-level interaction with the Power Management IC (Chip 4799). This is not a standard opportunistic infection; it is a targeted provisioning event leveraging IDMSA (Identity Management) bridges and Verizon/Akamai Edge infrastructure.\nThe integration with CalendarKit and Maps for geofenced execution suggests a highly coordinated surveillance objective. Forensic analysts should pay specific attention to the sizeofrawdata_antidbg anomalies, which indicate a focus on bypassing Apple Lockdown Mode and Secure Enclave. \nresearcher credit: msudoSOS", "modified": "2026-03-27T09:05:26.285000", "created": "2026-02-08T21:48:49.147000", "tags": [ "#supportsitewebsiteabuse #rootcertificatefailure #cryptographicf" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 909, "URL": 1779, "CVE": 126, "domain": 659, "email": 23, "JA3": 1, "FileHash-MD5": 230, "FileHash-SHA1": 227, "FileHash-SHA256": 934, "CIDR": 13 }, "indicator_count": 4901, "is_author": false, "is_subscribing": null, "subscriber_count": 76, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698910e3f78fe72e45c8e068", "name": "hostasa.org", "description": "Correlated activity identified with hostasa.org (IP: 34.41.139.193). Indicators suggest an MSI-based Malspam vector initiated on May 4, 2025. Artifacts utilize HWRN nameservers for resilient command-and-control, bridging ASP.NET reflective loaders to the Verizon LTE/Baseband layer. Domain is currently tagged for SpyNoon and ClipBanker exfiltration", "modified": "2026-03-27T00:30:39.055000", "created": "2026-02-08T22:40:32.430000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 80, "URL": 141, "domain": 348, "hostname": 234, "email": 18, "JA3": 1, "FileHash-MD5": 10, "FileHash-SHA1": 7, "FileHash-SHA256": 6 }, "indicator_count": 845, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698918baac756a084ef67089", "name": "151.101.0.22", "description": "151.101.0.22", "modified": "2026-03-27T00:30:39.055000", "created": "2026-02-08T23:13:59.775000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 317, "domain": 494, "URL": 286, "CVE": 78, "email": 33, "JA3": 1, "FileHash-MD5": 10, "FileHash-SHA1": 4, "FileHash-SHA256": 2 }, "indicator_count": 1225, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698c75717175e2cc7ff33df2", "name": "103.203.175.90 - Document and Domain Research Intersect, PDFKIT.NET DMV", "description": "http://103.203.175.90:81/fdScript/RootOfEBooks/E%20Book%20collection%20-%202024%20-%20D/CSE%20%20IT%20AIDS%20ML/Raspberry%20Pi%20linux-@Computer_IT_Engineering.pdf\n103.203.175.90", "modified": "2026-03-27T00:30:39.055000", "created": "2026-02-11T12:26:20.490000", "tags": [ "pfft.net" ], "references": [ "" ], "public": 1, "adversary": "pi, pdfkit.net", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 550, "domain": 638, "CVE": 113, "hostname": 445, "email": 28, "FileHash-MD5": 145, "FileHash-SHA1": 136, "FileHash-SHA256": 132, "Mutex": 1 }, "indicator_count": 2188, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "applebugbounty.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "applebugbounty.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780511303.2150304 }