{
  "type": "Domain",
  "indicator": "appspot.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/appspot.com",
    "alexa": "http://www.alexa.com/siteinfo/appspot.com",
    "indicator": "appspot.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "majestic",
        "message": "Whitelisted domain appspot.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain appspot.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 330995,
      "indicator": "appspot.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 50,
      "pulses": [
        {
          "id": "69a02837827feb0b78fa3ad2",
          "name": "The Belasco Chain",
          "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.",
          "modified": "2026-05-31T01:02:14",
          "created": "2026-02-26T11:02:15.932000",
          "tags": [
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file type",
            "sha1",
            "sha256",
            "crc32",
            "filenames c"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2813,
            "FileHash-SHA1": 2576,
            "FileHash-SHA256": 8145,
            "domain": 1903,
            "hostname": 1502,
            "URL": 1359,
            "email": 46,
            "CVE": 54,
            "CIDR": 3,
            "YARA": 7,
            "JA3": 1,
            "IPv4": 11
          },
          "indicator_count": 18420,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 74,
          "modified_text": "8 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f30ef4033560d49d39ac55",
          "name": "VirusTotal report\n                    for executable.exe",
          "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
          "modified": "2026-05-30T09:04:01.553000",
          "created": "2026-04-30T08:12:36.771000",
          "tags": [
            "wifi password",
            "joe security",
            "nextron",
            "new run",
            "key pointing",
            "run key",
            "roth",
            "markus neis",
            "sander wiebing",
            "poudel",
            "public",
            "appdata"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1069,
            "FileHash-SHA1": 868,
            "FileHash-SHA256": 2783,
            "URL": 764,
            "hostname": 756,
            "domain": 293,
            "email": 44,
            "CVE": 44
          },
          "indicator_count": 6621,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f2dc7e076cbfe2d0f7eb90",
          "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
          "description": "",
          "modified": "2026-05-30T00:28:12.957000",
          "created": "2026-04-30T04:37:18.870000",
          "tags": [
            "united",
            "as397240",
            "search",
            "showing",
            "as54113",
            "as397241",
            "unknown",
            "moved",
            "creation date",
            "record value",
            "next",
            "date",
            "body",
            "a domains",
            "passive dns",
            "formbook cnc",
            "checkin",
            "entries",
            "github pages",
            "sea x",
            "accept",
            "status",
            "name servers",
            "certificate",
            "urls",
            "aaaa",
            "cname",
            "meta",
            "whitelisted ip",
            "address",
            "location united",
            "asn as36459",
            "github",
            "less whois",
            "registrar",
            "markmonitor",
            "related tags",
            "as36459",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "files",
            "ninite",
            "expiration date",
            "domain",
            "hostname",
            "sha256",
            "sha1",
            "ascii text",
            "pattern match",
            "document file",
            "v2 document",
            "utf8",
            "crlf line",
            "beginstring",
            "size",
            "null",
            "hybrid",
            "refresh",
            "span",
            "local",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "url https",
            "tulach type",
            "role title",
            "added active",
            "pulses url",
            "url http",
            "nextc type",
            "type indicator",
            "related pulses",
            "filehashsha256",
            "copyright",
            "ipv6",
            "germany",
            "italy",
            "trojan",
            "trojanspy",
            "worm",
            "trojanclicker",
            "virtool",
            "service",
            "linux x8664",
            "khtml",
            "gecko",
            "veryhigh",
            "redirect",
            "httpsupgrades",
            "collisionbox",
            "runner",
            "gameoverpanel",
            "trex",
            "orgtechhandle",
            "orgtechref",
            "director",
            "university",
            "nethandle",
            "net168",
            "net1680000",
            "ucha",
            "orgid",
            "east",
            "report spam",
            "as8075",
            "servers",
            "secure server",
            "error all",
            "typeof",
            "error f",
            "crazy doll",
            "created",
            "filehashmd5",
            "types of",
            "russia",
            "emotet type",
            "mirai type",
            "mirai",
            "mtb description",
            "win32 type",
            "as31034 aruba",
            "italy unknown",
            "as19527 google",
            "encrypt",
            "health type",
            "miori hackers",
            "brute force",
            "backdoor",
            "aurora",
            "ip address",
            "path",
            "unis",
            "dotcisoffer",
            "bladabindi",
            "artro",
            "script urls",
            "as46606",
            "brazil unknown",
            "as11284",
            "as10906",
            "apache",
            "lanc type",
            "telper",
            "win32",
            "win64",
            "pulses email",
            "as9009 m247",
            "as7296 alchemy",
            "as14061",
            "as16276",
            "trojandropper",
            "ransom",
            "mtb sep",
            "msie",
            "chrome",
            "ip check",
            "gmt content",
            "pulse submit",
            "url analysis",
            "files ip",
            "aaaa nxdomain",
            "nxdomain",
            "a nxdomain",
            "as22612",
            "dnssec",
            "meta http",
            "accept encoding",
            "request id",
            "united kingdom",
            "div div",
            "arial helvetica",
            "emails",
            "as15169 google",
            "cryp",
            "gmt cache",
            "sameorigin",
            "domain name",
            "code",
            "false",
            "command type",
            "roleselfservice",
            "mcig sep",
            "all search",
            "author avatar",
            "days ago",
            "http",
            "related nids",
            "files location",
            "as30081",
            "gmt contenttype",
            "mozilla",
            "as15133 verizon",
            "whitelisted",
            "meta name",
            "robots content",
            "x ua",
            "ieedge chrome1",
            "incapsula",
            "request",
            "softcnapp",
            "overview ip",
            "flag united",
            "files related",
            "as62597 nsone",
            "as31898 oracle",
            "mtb aug",
            "class",
            "twitter",
            "april",
            "secure",
            "httponly",
            "expiresthu",
            "pragma",
            "as13414 twitter",
            "smoke loader",
            "reverse dns",
            "asnone united",
            "idlogin sep",
            "uid38009",
            "expiration",
            "hack type",
            "porn type"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Italy",
            "Aruba"
          ],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66fc29a49b5ac693c8d75122",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3851,
            "FileHash-MD5": 6012,
            "FileHash-SHA1": 5906,
            "domain": 3330,
            "email": 33,
            "hostname": 4231,
            "CVE": 2,
            "FileHash-SHA256": 8407,
            "CIDR": 2,
            "SSLCertFingerprint": 7
          },
          "indicator_count": 31781,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a100da2ce3632643bb34072",
          "name": "Research part 4 * CAPE Sandbox",
          "description": "undefined.",
          "modified": "2026-05-24T05:56:20.777000",
          "created": "2026-05-22T08:02:42.736000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 102,
            "FileHash-MD5": 27,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 1,
            "URL": 244,
            "domain": 203,
            "hostname": 137,
            "IPv6": 179,
            "email": 10
          },
          "indicator_count": 906,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "7 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69eae966e2994ca9410416e7",
          "name": "CAPE Sandbox - Watson",
          "description": "[full list of details about Akamai, the web hosting company, that has been abused on the internet for more than 20 years.. and the names of its users have been published.] pretext. Watson frequents. wizard8.",
          "modified": "2026-05-24T05:16:16.520000",
          "created": "2026-04-24T03:54:14.835000",
          "tags": [
            "akamai",
            "city",
            "noc united",
            "orgid",
            "akamai ref",
            "net23",
            "net230000",
            "cidr",
            "orgabusehandle",
            "orgtechhandle"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 382,
            "FileHash-SHA1": 361,
            "FileHash-SHA256": 1250,
            "URL": 1436,
            "domain": 425,
            "hostname": 783,
            "CIDR": 1,
            "email": 29,
            "CVE": 1,
            "URI": 2
          },
          "indicator_count": 4670,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "7 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a126fcffc60a71dfab01f24",
          "name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
          "description": "",
          "modified": "2026-05-24T03:32:22.109000",
          "created": "2026-05-24T03:26:07.144000",
          "tags": [
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "expired",
            "acceptencoding",
            "html info",
            "title home",
            "tags viewport",
            "trackers google",
            "tag manager",
            "gsddf3d2bzf",
            "historical ssl",
            "referrer",
            "december",
            "formbook",
            "round",
            "apple ios",
            "tsara brashears",
            "unlocker",
            "collection",
            "vt graph",
            "socgholish",
            "blister",
            "hacktool",
            "hiddentear",
            "gootloader",
            "agent tesla",
            "crypto",
            "installer",
            "life",
            "malware",
            "open",
            "korplug",
            "tofsee",
            "date",
            "name servers",
            "status",
            "passive dns",
            "urls",
            "scan endpoints",
            "all scoreblue",
            "pulse submit",
            "url analysis",
            "files",
            "no data",
            "tag count",
            "analyzer threat",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "heur",
            "cisco umbrella",
            "alexa top",
            "million",
            "site",
            "alexa",
            "maltiverse",
            "xcnfe",
            "safe site",
            "phishing",
            "remcos",
            "malicious",
            "miner",
            "bank",
            "agenttesla",
            "agent",
            "unknown",
            "downloader",
            "unsafe",
            "trojan",
            "detplock",
            "artemis",
            "networm",
            "win64",
            "redline stealer",
            "limerat",
            "venom rat",
            "trojanspy",
            "tld count",
            "png image",
            "jpeg image",
            "rgba",
            "exif standard",
            "tiff image",
            "pattern match",
            "ascii text",
            "united",
            "jfif",
            "sha1",
            "core",
            "general",
            "starfield",
            "hybrid",
            "local",
            "encrypt",
            "click",
            "strings",
            "adobea",
            "daga",
            "as30148 sucuri",
            "td tr",
            "search",
            "span td",
            "as44273 host",
            "creation date",
            "a domains",
            "xtra",
            "meta",
            "back",
            "verdict",
            "domain",
            "aaaa",
            "as15169 google",
            "asnone united",
            "nxdomain",
            "sucuri security",
            "a li",
            "span",
            "class",
            "body",
            "sucuri website",
            "a div",
            "authority",
            "record value",
            "showing",
            "gmt content",
            "x sucuri",
            "high",
            "related pulses",
            "show",
            "guard",
            "entries",
            "win32",
            "west domains",
            "next",
            "ipv4",
            "asnone germany",
            "object",
            "com cnt",
            "dem fin",
            "gov int",
            "nav onl",
            "phy pre",
            "formbook cnc",
            "checkin",
            "found",
            "error",
            "code",
            "create c",
            "read c",
            "delete",
            "write",
            "default",
            "dock",
            "execution",
            "copy",
            "xport",
            "firewall",
            "body doctype",
            "section",
            "dcrat",
            "analyzer paste",
            "iocs",
            "hostnames",
            "url https",
            "blacklist",
            "cl0p ransomware",
            "zbot",
            "malware site",
            "team memscan",
            "cl0p",
            "algorithm",
            "data",
            "v3 serial",
            "number",
            "cus starizona",
            "cngo daddy",
            "g2 validity",
            "subject public",
            "key info",
            "certificate",
            "whois lookup",
            "netrange",
            "nethandle",
            "net192",
            "net1920000",
            "as174",
            "as3257",
            "sucuri",
            "sucur2",
            "verisign",
            "whois database",
            "server",
            "registrar abuse",
            "icann whois",
            "whois status",
            "registrar iana",
            "form",
            "temple",
            "first",
            "android",
            "win32 exe",
            "html",
            "bobby fischer",
            "office open",
            "detections type",
            "name",
            "pdf dealer",
            "price list",
            "pdf my",
            "crime",
            "taiwan unknown",
            "as3462",
            "as131148 bank",
            "as21342",
            "all search",
            "otx scoreblue",
            "pulse pulses",
            "cname",
            "as22612",
            "as43350 nforce",
            "win32upatre jun",
            "expiration date",
            "hostname",
            "lowfi",
            "date hash",
            "avast avg",
            "date checked",
            "url hostname",
            "server response",
            "google safe",
            "results jun",
            "files show",
            "registrar",
            "china unknown",
            "title",
            "network",
            "fakedout threat",
            "urls http",
            "maltiverse safe",
            "malicious url",
            "team",
            "phishtank",
            "services",
            "botnet command",
            "control server",
            "mining",
            "betabot",
            "team malware",
            "engineering",
            "stealer",
            "service",
            "vawtrak",
            "virut",
            "emotet",
            "simda",
            "redline",
            "fri oct",
            "media sharing",
            "known infection source",
            "bot networks",
            "malware",
            "malware repository",
            "spyware"
          ],
          "references": [
            "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
            "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
            "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
            "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
            "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
            "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
            "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
            "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
            "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
            "IP\u2019s Contacted: 192.124.249.187",
            "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
            "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk  antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
            "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
            "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
            "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
            "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Cl0p",
              "display_name": "Cl0p",
              "target": null
            },
            {
              "id": "RedLine",
              "display_name": "RedLine",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "6688e0ffb31d4881f3238713",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 4130,
            "URL": 11958,
            "hostname": 4644,
            "domain": 4304,
            "FileHash-MD5": 2256,
            "FileHash-SHA1": 1161,
            "CVE": 8,
            "SSLCertFingerprint": 20,
            "email": 8,
            "CIDR": 1,
            "IPv6": 4,
            "IPv4": 6
          },
          "indicator_count": 28500,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "7 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a126fcc3620af2edeb95e57",
          "name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
          "description": "",
          "modified": "2026-05-24T03:26:04.439000",
          "created": "2026-05-24T03:26:04.439000",
          "tags": [
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "expired",
            "acceptencoding",
            "html info",
            "title home",
            "tags viewport",
            "trackers google",
            "tag manager",
            "gsddf3d2bzf",
            "historical ssl",
            "referrer",
            "december",
            "formbook",
            "round",
            "apple ios",
            "tsara brashears",
            "unlocker",
            "collection",
            "vt graph",
            "socgholish",
            "blister",
            "hacktool",
            "hiddentear",
            "gootloader",
            "agent tesla",
            "crypto",
            "installer",
            "life",
            "malware",
            "open",
            "korplug",
            "tofsee",
            "date",
            "name servers",
            "status",
            "passive dns",
            "urls",
            "scan endpoints",
            "all scoreblue",
            "pulse submit",
            "url analysis",
            "files",
            "no data",
            "tag count",
            "analyzer threat",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "heur",
            "cisco umbrella",
            "alexa top",
            "million",
            "site",
            "alexa",
            "maltiverse",
            "xcnfe",
            "safe site",
            "phishing",
            "remcos",
            "malicious",
            "miner",
            "bank",
            "agenttesla",
            "agent",
            "unknown",
            "downloader",
            "unsafe",
            "trojan",
            "detplock",
            "artemis",
            "networm",
            "win64",
            "redline stealer",
            "limerat",
            "venom rat",
            "trojanspy",
            "tld count",
            "png image",
            "jpeg image",
            "rgba",
            "exif standard",
            "tiff image",
            "pattern match",
            "ascii text",
            "united",
            "jfif",
            "sha1",
            "core",
            "general",
            "starfield",
            "hybrid",
            "local",
            "encrypt",
            "click",
            "strings",
            "adobea",
            "daga",
            "as30148 sucuri",
            "td tr",
            "search",
            "span td",
            "as44273 host",
            "creation date",
            "a domains",
            "xtra",
            "meta",
            "back",
            "verdict",
            "domain",
            "aaaa",
            "as15169 google",
            "asnone united",
            "nxdomain",
            "sucuri security",
            "a li",
            "span",
            "class",
            "body",
            "sucuri website",
            "a div",
            "authority",
            "record value",
            "showing",
            "gmt content",
            "x sucuri",
            "high",
            "related pulses",
            "show",
            "guard",
            "entries",
            "win32",
            "west domains",
            "next",
            "ipv4",
            "asnone germany",
            "object",
            "com cnt",
            "dem fin",
            "gov int",
            "nav onl",
            "phy pre",
            "formbook cnc",
            "checkin",
            "found",
            "error",
            "code",
            "create c",
            "read c",
            "delete",
            "write",
            "default",
            "dock",
            "execution",
            "copy",
            "xport",
            "firewall",
            "body doctype",
            "section",
            "dcrat",
            "analyzer paste",
            "iocs",
            "hostnames",
            "url https",
            "blacklist",
            "cl0p ransomware",
            "zbot",
            "malware site",
            "team memscan",
            "cl0p",
            "algorithm",
            "data",
            "v3 serial",
            "number",
            "cus starizona",
            "cngo daddy",
            "g2 validity",
            "subject public",
            "key info",
            "certificate",
            "whois lookup",
            "netrange",
            "nethandle",
            "net192",
            "net1920000",
            "as174",
            "as3257",
            "sucuri",
            "sucur2",
            "verisign",
            "whois database",
            "server",
            "registrar abuse",
            "icann whois",
            "whois status",
            "registrar iana",
            "form",
            "temple",
            "first",
            "android",
            "win32 exe",
            "html",
            "bobby fischer",
            "office open",
            "detections type",
            "name",
            "pdf dealer",
            "price list",
            "pdf my",
            "crime",
            "taiwan unknown",
            "as3462",
            "as131148 bank",
            "as21342",
            "all search",
            "otx scoreblue",
            "pulse pulses",
            "cname",
            "as22612",
            "as43350 nforce",
            "win32upatre jun",
            "expiration date",
            "hostname",
            "lowfi",
            "date hash",
            "avast avg",
            "date checked",
            "url hostname",
            "server response",
            "google safe",
            "results jun",
            "files show",
            "registrar",
            "china unknown",
            "title",
            "network",
            "fakedout threat",
            "urls http",
            "maltiverse safe",
            "malicious url",
            "team",
            "phishtank",
            "services",
            "botnet command",
            "control server",
            "mining",
            "betabot",
            "team malware",
            "engineering",
            "stealer",
            "service",
            "vawtrak",
            "virut",
            "emotet",
            "simda",
            "redline",
            "fri oct",
            "media sharing",
            "known infection source",
            "bot networks",
            "malware",
            "malware repository",
            "spyware"
          ],
          "references": [
            "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
            "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
            "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
            "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
            "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
            "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
            "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
            "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
            "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
            "IP\u2019s Contacted: 192.124.249.187",
            "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
            "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk  antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
            "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
            "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
            "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
            "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Cl0p",
              "display_name": "Cl0p",
              "target": null
            },
            {
              "id": "RedLine",
              "display_name": "RedLine",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "6688e0ffb31d4881f3238713",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 4080,
            "URL": 11952,
            "hostname": 4638,
            "domain": 4301,
            "FileHash-MD5": 2236,
            "FileHash-SHA1": 1140,
            "CVE": 8,
            "SSLCertFingerprint": 20,
            "email": 8,
            "CIDR": 1
          },
          "indicator_count": 28384,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "7 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0ff878b8d1717e395e0d0a",
          "name": "Research part 4 * CAPE Sandbox",
          "description": "A Cuckoo has been running on a KVM operating system for the next two years. \u00c2\u00a31.5m.. and   \u00e2\u201a\u00ac1m",
          "modified": "2026-05-23T03:58:21.402000",
          "created": "2026-05-22T06:32:24.666000",
          "tags": [
            "default",
            "nothing",
            "file execution",
            "registry keys",
            "inprocserver32",
            "server",
            "parent pid",
            "full path",
            "command line",
            "files c",
            "cname",
            "accept",
            "ip address",
            "cape sandbox",
            "found",
            "center",
            "http",
            "port",
            "shutdown",
            "title",
            "performs dns",
            "mitre attack",
            "network info",
            "processes extra",
            "sigma",
            "t1055 process",
            "overview",
            "overview zenbox",
            "verdict",
            "guest system",
            "defense evasion",
            "next",
            "win1",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "acrongl integ",
            "adc4240758",
            "angsana new",
            "bootkit",
            "back",
            "p2404",
            "host",
            "cultureneutral",
            "p11750170564",
            "shell folders",
            "systemroot",
            "gmt range",
            "guard",
            "pe file",
            "file type",
            "creates",
            "extra info",
            "sample",
            "contains",
            "aslr",
            "binary",
            "command",
            "malicious"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/91031d16ab93fe5d7f8dc7a55b4bbb8e23742c774ad467f67e2e1681e5439fb9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431033&Signature=tDkjksSltx3F6MPqpr8Xf%2BIAVxBBNNTifbGimbXIX5DCrLCZugVQF%2B7kCV%2BJ3RQ1lKt1eMcfTaQ3FUvgjt7%2F3uEgdHY390sywG9OdYe2HZMJHg%2BYNxsAIe8n7UIa22pLVZNqhDSymVa0VyJAEZb8B2t7gNdGsBLQKQ7GyJ2iYAz4NklXYQPVUZoWObKt0eggHoV3wJUWM%2BQKxWSnPP6HQ8wusnitHIEqxdfckeRTMZR9zlIg31",
            "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431302&Signature=VN0Lo6N8srKzgIyGy%2B2YBOQ%2BngCQJsbj8jycOiDUs3CpGIyP8pZyyC326od%2FfI41dky2kAUXq4L2f1AHLLukNksIcompwOACdBTaq%2B6r%2FyNhhrsOVLiVCA4wkuZX%2Bjz5eRA8KhG7BcGA1Z8ERy3OYr1b5gS4cUton8nwnqvSE7ZH6dFOkbdhFiX%2FwmTQbOzFCCqJWT0%2FJJZQaXyWSitlkG3IN8RyMOUpjxyT9fwh51%2FT",
            "https://vtbehaviour.commondatastorage.googleapis.com/f26944950ccf7fd4422662d575c0b3698670e1b19d76fe386c20058ea4ea991f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431338&Signature=FoZZNyxGwBJKtHZSxcj9EHaeRdEMbmfNE6I04ld5vuYz8v2b9G%2Bwt0JlXl6N1uR2a9k4YqZln0HWuPEsYhjLjy3e465eqqg1UIPsLLqvH%2BmT7ox8n7TU%2B54qFOkQtrqoj3cO%2BSeZXnlXHOzxx9rdozltX%2FZ%2BOw1i5z%2FzvLy%2FlI3NhUcyIPbiD3yhM6DqHS%2Fyt7x5bhd5cz18yhPyQq7CNoW%2Fx%2B5aj4d6lWRgPVoBfaoqi33C",
            "https://vtbehaviour.commondatastorage.googleapis.com/c915c30bfba565e05ccdea80427ffcba415831161e38e81eccbc893e8eb0bf83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431449&Signature=PDRco%2B36G08WhkVripJBX%2FKsew%2Fqdtv%2BE4v4qZ%2BxTtqIWv%2BbUShaZJk4oroxSc0hAtyIuEAY0Fl7s%2FjNS%2FYPoQ1iU9EMWYaxvd0Sl1%2F%2BEc%2Foq9dc3YP5F0muq56mEXdREOlePA54%2BObbmwRbWR4mwAkK%2FuAkYzpAtJKkLJRZ6GQ0sbyCC5VdaAT3OMhtFkTKCtx5Wk2ZTdGZT5ASe3hD4xmg219rX3t5uV8j",
            "https://vtbehaviour.commondatastorage.googleapis.com/00185697c0de6262fafba95770b1dd85ddbcdc8b5945d517457be2fb3e6908c1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431564&Signature=x%2BpjgWuHJOMK96wkAkxWnO%2BvWXDtko8QpNc0JQs9qrmHA1DtI9OB1F4jxixqRaySdJpP0JpTJK%2BRxE8sVad9wh3wtqgIhtbiihOX2%2FXHa7ukyAZOuMkh8fVLwIUVkxrObXKFDv8CiRAzdRemUPxSH%2FYmbOPY2eYs7UbUQp%2B93VYGCAMTuaztTey%2F1T8DM1tWLfxE5nKn3j7VigVpXMi8228oo%2B7ofaOVz3A%2FZKMZ1gKD",
            "https://vtbehaviour.commondatastorage.googleapis.com/00185697c0de6262fafba95770b1dd85ddbcdc8b5945d517457be2fb3e6908c1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431586&Signature=mg5jUjSQG5fVQ2idj9wgQGE6D7neQXnBJ4xAD50pgEFgszvmZvrLrvz5RjR00uX4f7Gs2afv8MUs272SCXfylMEo1EhlVujdxecw4%2Ftn9jdYUfSDpqu0quw4dkL1YXviPoAcCJLaKrrvBsQMT468PPk4VwiDZbq2JNrZZwt1qXHmZFe3X5CHabJJE0ORZBwBH0jMYUE%2BWIvGzkZ%2Bul4ufi3xgsgA%2BoN0jUlIddwaoZA4eQeYVlQ388DLeonSjl"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 194,
            "FileHash-SHA1": 212,
            "FileHash-SHA256": 412,
            "IPv4": 297,
            "URL": 840,
            "domain": 343,
            "hostname": 541,
            "CIDR": 6,
            "email": 23,
            "IPv6": 176,
            "CVE": 4
          },
          "indicator_count": 3048,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "8 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a101c7ae1db7f51d289dda5",
          "name": "Credit: scoreblue [RVA Entry | Apple remote unlocking| Emotet | Redline] clone",
          "description": "",
          "modified": "2026-05-22T09:06:02.865000",
          "created": "2026-05-22T09:06:02.865000",
          "tags": [
            "ssl certificate",
            "whois record",
            "historical ssl",
            "resolutions",
            "referrer",
            "communicating",
            "siblings",
            "file",
            "hell",
            "lenovo tablet",
            "name servers",
            "as714 apple",
            "united",
            "creation date",
            "search",
            "servers",
            "date",
            "moved",
            "certificate",
            "passive dns",
            "body",
            "historical",
            "collections",
            "contacted",
            "strange",
            "no data",
            "tag count",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "blacklist",
            "blacklist http",
            "cisco umbrella",
            "site",
            "safe site",
            "alexa top",
            "malicious site",
            "malware site",
            "phishing site",
            "million",
            "malware",
            "http attacker",
            "ip address",
            "algorithm",
            "v3 serial",
            "number",
            "ist ca",
            "g1 validity",
            "public key",
            "info",
            "key algorithm",
            "ec oid",
            "key identifier",
            "first",
            "team alexa",
            "downloader",
            "wed apr",
            "alexa",
            "pony",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "misc attack",
            "script",
            "beginstring",
            "mitre att",
            "null",
            "unknown",
            "span",
            "error",
            "class",
            "generator",
            "critical",
            "meta",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "refresh",
            "tools",
            "malicious url",
            "hostname",
            "hostnames",
            "phishing",
            "union",
            "team",
            "bank",
            "unsafe",
            "spammer",
            "node tcp",
            "traffic",
            "attacker",
            "tor known",
            "tor relayrouter",
            "jul jan",
            "mon sep",
            "heur",
            "artemis",
            "iframe",
            "conduit",
            "crack",
            "riskware",
            "opencandy",
            "cleaner",
            "exploit",
            "downldr",
            "presenoker",
            "wacatac",
            "agent",
            "fusioncore",
            "applicunwnt",
            "acint",
            "nircmd",
            "swrort",
            "systweak",
            "behav",
            "tiggre",
            "genkryptik",
            "filetour",
            "generic",
            "patcher",
            "driverpack",
            "xtrat",
            "softcnapp",
            "cyber threat",
            "dns server",
            "http spammer",
            "host",
            "download",
            "asyncrat",
            "cobalt strike",
            "apple",
            "urls http",
            "368600",
            "320700",
            "dc1542721039132",
            "subdomains",
            "noname057",
            "tld count",
            "urls",
            "blacklist https",
            "engineering",
            "singapore",
            "phishtank",
            "suppobox",
            "bambernek",
            "facebook",
            "zbot",
            "malicious",
            "zeus",
            "emotet",
            "ransomware",
            "nymaim",
            "redline stealer",
            "service",
            "virut",
            "kraken",
            "keybase",
            "stealer",
            "hawkeye",
            "tinba",
            "mirai",
            "nanocore",
            "bradesco",
            "cve201711882",
            "ip detections",
            "country",
            "83500",
            "1602192580242",
            "1602192586217",
            "blog",
            "1602192588844",
            "1602192624796",
            "303300",
            "vhash",
            "authentihash",
            "ssdeep",
            "file type",
            "win32 exe",
            "magic pe32",
            "ms windows",
            "intel",
            "trid windows",
            "control panel",
            "file version",
            "copyright",
            "product",
            "description",
            "original name",
            "internal name",
            "rticon neutral",
            "chi2",
            "contained",
            "details module",
            "version id",
            "typelib id",
            "header target",
            "machine intel",
            "utc entry",
            "point",
            "count blacklist",
            "tag tag",
            "dot net",
            "assembly common",
            "clr version",
            "assembly name",
            "address",
            "assembly",
            "rva entry",
            "streams size",
            "entropy chi2",
            "guid",
            "applenoc",
            "showing",
            "record value",
            "scan endpoints",
            "all search",
            "as20940",
            "as16625 akamai",
            "status",
            "cname",
            "china",
            "as136907 huawei",
            "nanjing",
            "as2914 ntt",
            "america",
            "as7843 charter",
            "as6461 zayo",
            "domain",
            "p155-fmfmobile.icloud.com",
            "t-mobile",
            "metro t-mobile",
            "metro",
            "metroby",
            "social engineering",
            "happywifehappylife",
            "bot",
            "darknet service",
            "tsara brashears",
            "jeffrey reimer",
            "pixelrz",
            "yandex",
            "cp",
            "cyber",
            "red team",
            "framing",
            "qwest",
            "cybercrime",
            "cyber threat",
            "sha256",
            "runtime process",
            "sha1",
            "size",
            "windows nt",
            "indicator",
            "svg scalable",
            "accept",
            "unis",
            "buttons",
            "overwrite",
            "format",
            "spyware",
            "heodo",
            "fri nov",
            "installcore",
            "installpack",
            "win64",
            "fakealert",
            "dropper",
            "fakeinstaller",
            "spyrixkeylogger",
            "bitminer",
            "loadmoney",
            "dapato",
            "networm",
            "mediaget",
            "softonic",
            "trojan",
            "encpk",
            "qbot",
            "predator",
            "kraddare",
            "iobit",
            "dllinject",
            "psexec",
            "occamy",
            "brontok",
            "zpevdo",
            "startpage",
            "keygen",
            "fareit",
            "secrisk",
            "unruy",
            "floxif",
            "adload",
            "et cins",
            "active threat",
            "reputation ip",
            "threats et",
            "cins active",
            "poor reputation",
            "ip tcp",
            "privacy admin",
            "privacy tech",
            "com laude",
            "redacted for",
            "server",
            "priority",
            "email",
            "organization",
            "city",
            "cnapple public",
            "server rsa",
            "stcalifornia",
            "cnapple ist",
            "identity search",
            "group",
            "issuer criteria",
            "type",
            "ilike search",
            "id logged",
            "valid",
            "no no",
            "no na",
            "ip security",
            "apple",
            "limited",
            "ca id",
            "lsalford",
            "ocomodo ca",
            "code signing",
            "mozilla",
            "android",
            "memory checks",
            "dotnet_encrypted",
            "multi family rat detection",
            "malware_win_zgrat"
          ],
          "references": [
            "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
            "p155-fmfmobile.icloud.com",
            "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com'  monitoring targeted apple device\u2193",
            "developer.huawei.com",
            "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
            "http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
            "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
            "fmfmobile.fe.apple-dns.net",
            "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
            "http://notredamewormhoutnet.appleid.com/",
            "news-publisher.pictures",
            "applestore.net",
            "airinthemorning.net",
            "http://certs.apple.com/appleistca2g1_bc.cer",
            "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
            "https://dc-mx.d3525d602ca2.pixelrz.com",
            "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
            "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
            "http://pixelrz.com/lists/keywords/tsara-brashears-dead    (unconfirmed death)",
            "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/    (unconfirmed crime)",
            "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/   (confirmed transactional agreement)",
            "http://pixelrz.com/lists/suggestions/rs485-arduino/",
            "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/  ( badgering. libel)",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer  (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
            "http://hidden-camera-public-nudity.tubesporno.com  (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
            "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
            "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
            "Resource: https://crt.sh/?q=privaterelay.appleid.com",
            "\u2193Command and Control \u2193",
            "CNC IPv4:  107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
            "CNC Hostname:  urlspirit.spiritsoft.cn",
            "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022  52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
            "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
            "Resource: https://urlscan.io/domain/privaterelay.appleid.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Systweak",
              "display_name": "Systweak",
              "target": null
            },
            {
              "id": "Swrort",
              "display_name": "Swrort",
              "target": null
            },
            {
              "id": "Tinba",
              "display_name": "Tinba",
              "target": null
            },
            {
              "id": "XRat",
              "display_name": "XRat",
              "target": null
            },
            {
              "id": "Zbot",
              "display_name": "Zbot",
              "target": null
            },
            {
              "id": "Zeus",
              "display_name": "Zeus",
              "target": null
            },
            {
              "id": "Tiggre",
              "display_name": "Tiggre",
              "target": null
            },
            {
              "id": "FusionCore",
              "display_name": "FusionCore",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Virus:DOS/Nanjing",
              "display_name": "Virus:DOS/Nanjing",
              "target": "/malware/Virus:DOS/Nanjing"
            },
            {
              "id": "nircmd",
              "display_name": "nircmd",
              "target": null
            },
            {
              "id": "noname057",
              "display_name": "noname057",
              "target": null
            },
            {
              "id": "BlackNET",
              "display_name": "BlackNET",
              "target": null
            },
            {
              "id": "SuppoBox",
              "display_name": "SuppoBox",
              "target": null
            },
            {
              "id": "Softcnapp",
              "display_name": "Softcnapp",
              "target": null
            },
            {
              "id": "Union",
              "display_name": "Union",
              "target": null
            },
            {
              "id": "Bambernek",
              "display_name": "Bambernek",
              "target": null
            },
            {
              "id": "Kraddare",
              "display_name": "Kraddare",
              "target": null
            },
            {
              "id": "Networm",
              "display_name": "Networm",
              "target": null
            },
            {
              "id": "trojan.agensla/msil",
              "display_name": "trojan.agensla/msil",
              "target": null
            },
            {
              "id": "Win:ZGRAT",
              "display_name": "Win:ZGRAT",
              "target": null
            },
            {
              "id": "Wacatac.",
              "display_name": "Wacatac.",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "656a9718ac97804d782cc16b",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1220,
            "FileHash-SHA1": 613,
            "FileHash-SHA256": 5010,
            "URL": 13617,
            "hostname": 3699,
            "domain": 2783,
            "email": 11,
            "CVE": 23,
            "CIDR": 2
          },
          "indicator_count": 26978,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "9 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a101c79879732a433f4bd41",
          "name": "Credit: scoreblue [RVA Entry | Apple remote unlocking| Emotet | Redline] clone",
          "description": "",
          "modified": "2026-05-22T09:06:01.013000",
          "created": "2026-05-22T09:06:01.013000",
          "tags": [
            "ssl certificate",
            "whois record",
            "historical ssl",
            "resolutions",
            "referrer",
            "communicating",
            "siblings",
            "file",
            "hell",
            "lenovo tablet",
            "name servers",
            "as714 apple",
            "united",
            "creation date",
            "search",
            "servers",
            "date",
            "moved",
            "certificate",
            "passive dns",
            "body",
            "historical",
            "collections",
            "contacted",
            "strange",
            "no data",
            "tag count",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "blacklist",
            "blacklist http",
            "cisco umbrella",
            "site",
            "safe site",
            "alexa top",
            "malicious site",
            "malware site",
            "phishing site",
            "million",
            "malware",
            "http attacker",
            "ip address",
            "algorithm",
            "v3 serial",
            "number",
            "ist ca",
            "g1 validity",
            "public key",
            "info",
            "key algorithm",
            "ec oid",
            "key identifier",
            "first",
            "team alexa",
            "downloader",
            "wed apr",
            "alexa",
            "pony",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "misc attack",
            "script",
            "beginstring",
            "mitre att",
            "null",
            "unknown",
            "span",
            "error",
            "class",
            "generator",
            "critical",
            "meta",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "refresh",
            "tools",
            "malicious url",
            "hostname",
            "hostnames",
            "phishing",
            "union",
            "team",
            "bank",
            "unsafe",
            "spammer",
            "node tcp",
            "traffic",
            "attacker",
            "tor known",
            "tor relayrouter",
            "jul jan",
            "mon sep",
            "heur",
            "artemis",
            "iframe",
            "conduit",
            "crack",
            "riskware",
            "opencandy",
            "cleaner",
            "exploit",
            "downldr",
            "presenoker",
            "wacatac",
            "agent",
            "fusioncore",
            "applicunwnt",
            "acint",
            "nircmd",
            "swrort",
            "systweak",
            "behav",
            "tiggre",
            "genkryptik",
            "filetour",
            "generic",
            "patcher",
            "driverpack",
            "xtrat",
            "softcnapp",
            "cyber threat",
            "dns server",
            "http spammer",
            "host",
            "download",
            "asyncrat",
            "cobalt strike",
            "apple",
            "urls http",
            "368600",
            "320700",
            "dc1542721039132",
            "subdomains",
            "noname057",
            "tld count",
            "urls",
            "blacklist https",
            "engineering",
            "singapore",
            "phishtank",
            "suppobox",
            "bambernek",
            "facebook",
            "zbot",
            "malicious",
            "zeus",
            "emotet",
            "ransomware",
            "nymaim",
            "redline stealer",
            "service",
            "virut",
            "kraken",
            "keybase",
            "stealer",
            "hawkeye",
            "tinba",
            "mirai",
            "nanocore",
            "bradesco",
            "cve201711882",
            "ip detections",
            "country",
            "83500",
            "1602192580242",
            "1602192586217",
            "blog",
            "1602192588844",
            "1602192624796",
            "303300",
            "vhash",
            "authentihash",
            "ssdeep",
            "file type",
            "win32 exe",
            "magic pe32",
            "ms windows",
            "intel",
            "trid windows",
            "control panel",
            "file version",
            "copyright",
            "product",
            "description",
            "original name",
            "internal name",
            "rticon neutral",
            "chi2",
            "contained",
            "details module",
            "version id",
            "typelib id",
            "header target",
            "machine intel",
            "utc entry",
            "point",
            "count blacklist",
            "tag tag",
            "dot net",
            "assembly common",
            "clr version",
            "assembly name",
            "address",
            "assembly",
            "rva entry",
            "streams size",
            "entropy chi2",
            "guid",
            "applenoc",
            "showing",
            "record value",
            "scan endpoints",
            "all search",
            "as20940",
            "as16625 akamai",
            "status",
            "cname",
            "china",
            "as136907 huawei",
            "nanjing",
            "as2914 ntt",
            "america",
            "as7843 charter",
            "as6461 zayo",
            "domain",
            "p155-fmfmobile.icloud.com",
            "t-mobile",
            "metro t-mobile",
            "metro",
            "metroby",
            "social engineering",
            "happywifehappylife",
            "bot",
            "darknet service",
            "tsara brashears",
            "jeffrey reimer",
            "pixelrz",
            "yandex",
            "cp",
            "cyber",
            "red team",
            "framing",
            "qwest",
            "cybercrime",
            "cyber threat",
            "sha256",
            "runtime process",
            "sha1",
            "size",
            "windows nt",
            "indicator",
            "svg scalable",
            "accept",
            "unis",
            "buttons",
            "overwrite",
            "format",
            "spyware",
            "heodo",
            "fri nov",
            "installcore",
            "installpack",
            "win64",
            "fakealert",
            "dropper",
            "fakeinstaller",
            "spyrixkeylogger",
            "bitminer",
            "loadmoney",
            "dapato",
            "networm",
            "mediaget",
            "softonic",
            "trojan",
            "encpk",
            "qbot",
            "predator",
            "kraddare",
            "iobit",
            "dllinject",
            "psexec",
            "occamy",
            "brontok",
            "zpevdo",
            "startpage",
            "keygen",
            "fareit",
            "secrisk",
            "unruy",
            "floxif",
            "adload",
            "et cins",
            "active threat",
            "reputation ip",
            "threats et",
            "cins active",
            "poor reputation",
            "ip tcp",
            "privacy admin",
            "privacy tech",
            "com laude",
            "redacted for",
            "server",
            "priority",
            "email",
            "organization",
            "city",
            "cnapple public",
            "server rsa",
            "stcalifornia",
            "cnapple ist",
            "identity search",
            "group",
            "issuer criteria",
            "type",
            "ilike search",
            "id logged",
            "valid",
            "no no",
            "no na",
            "ip security",
            "apple",
            "limited",
            "ca id",
            "lsalford",
            "ocomodo ca",
            "code signing",
            "mozilla",
            "android",
            "memory checks",
            "dotnet_encrypted",
            "multi family rat detection",
            "malware_win_zgrat"
          ],
          "references": [
            "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
            "p155-fmfmobile.icloud.com",
            "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com'  monitoring targeted apple device\u2193",
            "developer.huawei.com",
            "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
            "http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
            "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
            "fmfmobile.fe.apple-dns.net",
            "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
            "http://notredamewormhoutnet.appleid.com/",
            "news-publisher.pictures",
            "applestore.net",
            "airinthemorning.net",
            "http://certs.apple.com/appleistca2g1_bc.cer",
            "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
            "https://dc-mx.d3525d602ca2.pixelrz.com",
            "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
            "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
            "http://pixelrz.com/lists/keywords/tsara-brashears-dead    (unconfirmed death)",
            "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/    (unconfirmed crime)",
            "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/   (confirmed transactional agreement)",
            "http://pixelrz.com/lists/suggestions/rs485-arduino/",
            "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/  ( badgering. libel)",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer  (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
            "http://hidden-camera-public-nudity.tubesporno.com  (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
            "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
            "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
            "Resource: https://crt.sh/?q=privaterelay.appleid.com",
            "\u2193Command and Control \u2193",
            "CNC IPv4:  107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
            "CNC Hostname:  urlspirit.spiritsoft.cn",
            "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022  52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
            "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
            "Resource: https://urlscan.io/domain/privaterelay.appleid.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Systweak",
              "display_name": "Systweak",
              "target": null
            },
            {
              "id": "Swrort",
              "display_name": "Swrort",
              "target": null
            },
            {
              "id": "Tinba",
              "display_name": "Tinba",
              "target": null
            },
            {
              "id": "XRat",
              "display_name": "XRat",
              "target": null
            },
            {
              "id": "Zbot",
              "display_name": "Zbot",
              "target": null
            },
            {
              "id": "Zeus",
              "display_name": "Zeus",
              "target": null
            },
            {
              "id": "Tiggre",
              "display_name": "Tiggre",
              "target": null
            },
            {
              "id": "FusionCore",
              "display_name": "FusionCore",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Virus:DOS/Nanjing",
              "display_name": "Virus:DOS/Nanjing",
              "target": "/malware/Virus:DOS/Nanjing"
            },
            {
              "id": "nircmd",
              "display_name": "nircmd",
              "target": null
            },
            {
              "id": "noname057",
              "display_name": "noname057",
              "target": null
            },
            {
              "id": "BlackNET",
              "display_name": "BlackNET",
              "target": null
            },
            {
              "id": "SuppoBox",
              "display_name": "SuppoBox",
              "target": null
            },
            {
              "id": "Softcnapp",
              "display_name": "Softcnapp",
              "target": null
            },
            {
              "id": "Union",
              "display_name": "Union",
              "target": null
            },
            {
              "id": "Bambernek",
              "display_name": "Bambernek",
              "target": null
            },
            {
              "id": "Kraddare",
              "display_name": "Kraddare",
              "target": null
            },
            {
              "id": "Networm",
              "display_name": "Networm",
              "target": null
            },
            {
              "id": "trojan.agensla/msil",
              "display_name": "trojan.agensla/msil",
              "target": null
            },
            {
              "id": "Win:ZGRAT",
              "display_name": "Win:ZGRAT",
              "target": null
            },
            {
              "id": "Wacatac.",
              "display_name": "Wacatac.",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "656a9718ac97804d782cc16b",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1220,
            "FileHash-SHA1": 613,
            "FileHash-SHA256": 5010,
            "URL": 13617,
            "hostname": 3699,
            "domain": 2783,
            "email": 11,
            "CVE": 23,
            "CIDR": 2
          },
          "indicator_count": 26978,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "9 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0fed56841e1b009c303267",
          "name": "Credit: scoreblue [Brian Sabey Orbiting Tsara Brashears and associates] clone",
          "description": "",
          "modified": "2026-05-22T05:44:54.655000",
          "created": "2026-05-22T05:44:54.655000",
          "tags": [
            "unknown",
            "united",
            "virgin islands",
            "as51852",
            "as33387",
            "as19905",
            "as44273 host",
            "cname",
            "nxdomain",
            "passive dns",
            "url http",
            "search",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "entries",
            "urls",
            "files ip",
            "address domain",
            "ip related",
            "pulses otx",
            "pulses",
            "related tags",
            "indicator facts",
            "dga domain",
            "http",
            "unique",
            "scan endpoints",
            "all scoreblue",
            "pulse pulses",
            "ip address",
            "related nids",
            "log id",
            "gmtn",
            "go daddy",
            "authority",
            "tls web",
            "arizona",
            "scottsdale",
            "ca issuers",
            "b59bn timestamp",
            "ff2c217402202b",
            "code",
            "false",
            "url https",
            "domain",
            "trojan",
            "hostname",
            "files",
            "body",
            "date",
            "path max",
            "age86400 set",
            "cookie",
            "script urls",
            "type",
            "mtb may",
            "script script",
            "trojanspy",
            "striven",
            "miles2",
            "rexxfield",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "body length",
            "b body",
            "sha256",
            "date sat",
            "gmt server",
            "sakula malware",
            "historical ssl",
            "realteck audio",
            "lemon duck",
            "iocs",
            "tsara brashears",
            "loki password",
            "stealer",
            "windows",
            "auction",
            "metro",
            "core",
            "colibri loader",
            "hacktool",
            "status",
            "for privacy",
            "creation date",
            "record value",
            "name servers",
            "showing",
            "next",
            "mtb mar",
            "ipv4",
            "ransom",
            "west domains",
            "redacted for",
            "gmt location",
            "gmt max",
            "cowboy",
            "encrypt",
            "as60558 phoenix",
            "susp",
            "win32",
            "methodpost",
            "canada unknown",
            "as43350 nforce",
            "united kingdom",
            "as47846",
            "germany unknown",
            "briansabey",
            "body doubles",
            "orbiters",
            "malvertising",
            "cane",
            "get na",
            "show",
            "as16509",
            "delete c",
            "sinkhole cookie",
            "value snkz",
            "cape",
            "possible",
            "copy",
            "nivdort",
            "write",
            "bayrob",
            "malware",
            "exploit",
            "confirm https",
            "impact",
            "misc http",
            "cvss v2",
            "authentication",
            "n cvss",
            "v3 severity",
            "high attack",
            "emails",
            "cnc",
            "alphacrypt cnc",
            "beacon",
            "as15169 google",
            "limited",
            "as8560",
            "elite",
            "AS33387 nocix llc",
            "pegasus",
            "mercenary",
            "cellerebrand",
            "cellebrite",
            "apple",
            "dark",
            "apple ios",
            "ios",
            "apple iphone",
            "apple itunes",
            "itunes",
            "pegasystem",
            "data brokers",
            "hackers",
            "javascript",
            "please",
            "intel",
            "filehash",
            "av detections",
            "xorddos"
          ],
          "references": [
            "http://www.northpoleroute.com/78985064&type=0&resid=5312625",
            "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net",
            "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
            "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0",
            "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc",
            "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f",
            "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1",
            "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin",
            "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
            "Alerts: cape_detected_threat cape_extracted_content",
            "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
            "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
            "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
            "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49",
            "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee",
            "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845",
            "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02",
            "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534",
            "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6",
            "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251",
            "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a",
            "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4",
            "https://otx.alienvault.com/indicator/ip/162.222.213.199",
            "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad",
            "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437",
            "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec",
            "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb",
            "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7",
            "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943",
            "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f",
            "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893",
            "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e",
            "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx",
            "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin",
            "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
            "https://otx.alienvault.com/indicator/ip/185.230.63.186",
            "CnC IP's: 192.187.111.221  63.141.242.43  63.141.242.44  63.141.242.46 81.17.18.195  81.17.18.197 81.17.29.146  81.17.29.148",
            "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz",
            "smartphonesonline.co.uk  https://smartphonesonline.co.uk/  https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]",
            "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
            "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
            "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
            "https://otx.alienvault.com/indicator/ip/63.141.242.45",
            "Yara Detections: is__elf ,  xorddos ,  LinuxXorDDoS_VariantTwo",
            "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] ,  Unix.Trojan.Xorddos-1 ,",
            "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9",
            "Trojan:Linux/Xorddos:  FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559",
            "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
            "https://hallrender.com/attorney/brian-sabey"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "TrojanSpy:Win32/Nivdort.CW",
              "display_name": "TrojanSpy:Win32/Nivdort.CW",
              "target": "/malware/TrojanSpy:Win32/Nivdort.CW"
            },
            {
              "id": "Ransom:Win32/Haperlock.A",
              "display_name": "Ransom:Win32/Haperlock.A",
              "target": "/malware/Ransom:Win32/Haperlock.A"
            },
            {
              "id": "Backdoor:Win32/Fynloski.A",
              "display_name": "Backdoor:Win32/Fynloski.A",
              "target": "/malware/Backdoor:Win32/Fynloski.A"
            },
            {
              "id": "TrojanClicker:Win32/Ellell.A",
              "display_name": "TrojanClicker:Win32/Ellell.A",
              "target": "/malware/TrojanClicker:Win32/Ellell.A"
            },
            {
              "id": "Bayrob",
              "display_name": "Bayrob",
              "target": null
            },
            {
              "id": "Win.Virus.TeslaCrypt3-2/Custom",
              "display_name": "Win.Virus.TeslaCrypt3-2/Custom",
              "target": null
            },
            {
              "id": "PWS:Win32/Ymacco.AA50",
              "display_name": "PWS:Win32/Ymacco.AA50",
              "target": "/malware/PWS:Win32/Ymacco.AA50"
            },
            {
              "id": "Ransom:Win32/Tescrypt",
              "display_name": "Ransom:Win32/Tescrypt",
              "target": "/malware/Ransom:Win32/Tescrypt"
            },
            {
              "id": "PWS:Win32/QQpass.B!MTB",
              "display_name": "PWS:Win32/QQpass.B!MTB",
              "target": "/malware/PWS:Win32/QQpass.B!MTB"
            },
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Trojan:Linux/Xorddos",
              "display_name": "Trojan:Linux/Xorddos",
              "target": "/malware/Trojan:Linux/Xorddos"
            },
            {
              "id": "Sakula RAT",
              "display_name": "Sakula RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1512",
              "name": "Capture Camera",
              "display_name": "T1512 - Capture Camera"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "TA0001",
              "name": "Initial Access",
              "display_name": "TA0001 - Initial Access"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0007",
              "name": "Discovery",
              "display_name": "TA0007 - Discovery"
            },
            {
              "id": "TA0008",
              "name": "Lateral Movement",
              "display_name": "TA0008 - Lateral Movement"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            },
            {
              "id": "TA0010",
              "name": "Exfiltration",
              "display_name": "TA0010 - Exfiltration"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1506",
              "name": "Web Session Cookie",
              "display_name": "T1506 - Web Session Cookie"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1051",
              "name": "Shared Webroot",
              "display_name": "T1051 - Shared Webroot"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66804428b487338dc16f70a7",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 3885,
            "hostname": 1651,
            "URL": 5981,
            "FileHash-MD5": 486,
            "FileHash-SHA256": 3859,
            "SSLCertFingerprint": 2,
            "FileHash-SHA1": 487,
            "CVE": 7,
            "email": 8
          },
          "indicator_count": 16366,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "9 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf4cc74c3d8f391a1a927c",
          "name": "9e42ac52bda44d5cadcabffd1d5e78a06598c8b5",
          "description": "",
          "modified": "2026-05-17T15:53:27.707000",
          "created": "2026-03-22T01:58:31.611000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 308,
            "FileHash-SHA1": 305,
            "FileHash-SHA256": 362,
            "URL": 369,
            "hostname": 376,
            "domain": 193,
            "email": 13
          },
          "indicator_count": 1926,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "13 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698e93e1ab02db8c49e8c3ed",
          "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
          "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
          "modified": "2026-05-17T15:52:35.396000",
          "created": "2026-02-13T03:00:49.872000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
            "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 28000,
            "FileHash-SHA256": 48374,
            "FileHash-MD5": 42596,
            "FileHash-SHA1": 23243,
            "hostname": 35654,
            "URL": 75758,
            "SSLCertFingerprint": 30,
            "CVE": 7585,
            "email": 316,
            "FileHash-IMPHASH": 8,
            "CIDR": 26205,
            "JA3": 1,
            "URI": 5,
            "IPv4": 574,
            "Mutex": 1
          },
          "indicator_count": 288350,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 92,
          "modified_text": "13 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a056cacb981e6f3b2dd4647",
          "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue",
          "description": "",
          "modified": "2026-05-14T07:28:01.780000",
          "created": "2026-05-14T06:33:16.946000",
          "tags": [
            "as8075",
            "united",
            "pid425870621",
            "tid700443057",
            "tpid425870621",
            "slot1",
            "mascore2",
            "bcnt1",
            "unid88000705",
            "nct1",
            "date",
            "china",
            "china unknown",
            "passive dns",
            "body xml",
            "error code",
            "requestid",
            "hostid ec",
            "server",
            "gmt content",
            "type",
            "registry",
            "intel",
            "ms windows",
            "show",
            "entries",
            "search",
            "high",
            "pe32",
            "high process",
            "injection t1055",
            "salicode",
            "worm",
            "copy",
            "tools",
            "service",
            "write",
            "win32",
            "persistence",
            "execution",
            "april",
            "urls",
            "http",
            "unique",
            "scan endpoints",
            "all scoreblue",
            "url http",
            "pulse pulses",
            "ip address",
            "related nids",
            "code",
            "as54113",
            "unknown",
            "body",
            "fastly error",
            "please",
            "sea p",
            "msil",
            "accept",
            "aaaa",
            "nxdomain",
            "whitelisted",
            "as15169 google",
            "status",
            "as44273 host",
            "as46691",
            "domain",
            "url https",
            "files location",
            "info",
            "script urls",
            "path max",
            "age86400 set",
            "cookie",
            "script domains",
            "javascript",
            "script script",
            "trojanspy",
            "cname",
            "emails",
            "servers",
            "all search",
            "related pulses",
            "file samples",
            "files matching",
            "creation date",
            "germany unknown",
            "yara detections",
            "filehash",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "file score",
            "meta",
            "home welcome",
            "write c",
            "delete c",
            "query",
            "local",
            "hostname",
            "a domains",
            "lowfi",
            "content type",
            "record value",
            "suite",
            "showing",
            "asnone united",
            "as29873",
            "ipv4",
            "pulse submit",
            "url analysis",
            "files",
            "pe32 executable",
            "potential scan",
            "0pgtwhu",
            "t1045",
            "port",
            "infection",
            "recon",
            "malware",
            "june",
            "delphi",
            "taobao network",
            "as45102 alibaba",
            "as4812 china",
            "next",
            "expiration date",
            "name servers",
            "dynamicloader",
            "dynamic",
            "sha256",
            "dynamic link",
            "library exe",
            "adobe",
            "incorporated",
            "read",
            "yara rule",
            "delete",
            "binary file",
            "push",
            "malicious",
            "july",
            "iocs",
            "levelbluelabs",
            "jeff4son",
            "adversaries",
            "registry run",
            "flow t1574",
            "dll sideloading",
            "boot",
            "logon autostart",
            "execution t1547",
            "keys",
            "startup folder",
            "t1497 may",
            "encryption",
            "catalog tree",
            "analysis ob0001",
            "virtual machine",
            "detection b0009",
            "check registry",
            "analysis ob0002",
            "executable code",
            "stack strings",
            "control ob0004",
            "get http",
            "http requests",
            "dns resolutions",
            "ip traffic",
            "pattern domains",
            "memory pattern",
            "urls http",
            "request",
            "response",
            "connection",
            "trojan",
            "otx scoreblue",
            "windows",
            "embeddedwb",
            "medium",
            "shellexecuteexw",
            "msie",
            "windows nt",
            "displayname",
            "tofsee",
            "hashes",
            "vhash",
            "authentihash",
            "ssdeep",
            "win32 exe",
            "magic pe32",
            "trid win32",
            "library",
            "read c",
            "file guard",
            "rtversion",
            "langchinese",
            "legalcopyright",
            "reserved",
            "ransom",
            "moved",
            "media",
            "ascii text",
            "default",
            "upack",
            "mike",
            "contacted",
            "x87xe1x1d",
            "regsetvalueexa",
            "x95xd3xa4",
            "regbinary",
            "x84xa8xe8i",
            "x8dxb7xb7",
            "hx88x9ax1e",
            "mx81xd1r",
            "x92xac",
            "xc2x84",
            "stream",
            "swipper",
            "pdfcreator.sf.net",
            "botnet",
            "black mercedes",
            "please forgive me",
            "therahand thouroughhand"
          ],
          "references": [
            "Project Endgame - pegausintel.com -Unsjre if related to NSO Group",
            "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
            "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
            "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
            "P\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
            "compromised_site_redirector_fromcharcode fromCharCode",
            "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
            "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
            "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
            "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
            "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
            "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
            "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
            "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Worm:Win32/Macoute.A",
              "display_name": "Worm:Win32/Macoute.A",
              "target": "/malware/Worm:Win32/Macoute.A"
            },
            {
              "id": "TrojanDownloader:Win32/Nemucod",
              "display_name": "TrojanDownloader:Win32/Nemucod",
              "target": "/malware/TrojanDownloader:Win32/Nemucod"
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "target": null
            },
            {
              "id": "Worm:Win32/Fesber.A",
              "display_name": "Worm:Win32/Fesber.A",
              "target": "/malware/Worm:Win32/Fesber.A"
            },
            {
              "id": "Ransom:Win32/Eniqma.A",
              "display_name": "Ransom:Win32/Eniqma.A",
              "target": "/malware/Ransom:Win32/Eniqma.A"
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "UpackV037Dwing",
              "display_name": "UpackV037Dwing",
              "target": null
            },
            {
              "id": "Cryp_Xed-12",
              "display_name": "Cryp_Xed-12",
              "target": null
            },
            {
              "id": "Mal/Generic-S",
              "display_name": "Mal/Generic-S",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66eb3ef6d765187a437767e4",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1521,
            "FileHash-SHA1": 1395,
            "FileHash-SHA256": 6084,
            "URL": 1499,
            "domain": 1947,
            "hostname": 1361,
            "email": 18,
            "CVE": 1
          },
          "indicator_count": 13826,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "17 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a056cac80d9b80eb1a97e29",
          "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue",
          "description": "",
          "modified": "2026-05-14T07:14:09.098000",
          "created": "2026-05-14T06:33:16.505000",
          "tags": [
            "as8075",
            "united",
            "pid425870621",
            "tid700443057",
            "tpid425870621",
            "slot1",
            "mascore2",
            "bcnt1",
            "unid88000705",
            "nct1",
            "date",
            "china",
            "china unknown",
            "passive dns",
            "body xml",
            "error code",
            "requestid",
            "hostid ec",
            "server",
            "gmt content",
            "type",
            "registry",
            "intel",
            "ms windows",
            "show",
            "entries",
            "search",
            "high",
            "pe32",
            "high process",
            "injection t1055",
            "salicode",
            "worm",
            "copy",
            "tools",
            "service",
            "write",
            "win32",
            "persistence",
            "execution",
            "april",
            "urls",
            "http",
            "unique",
            "scan endpoints",
            "all scoreblue",
            "url http",
            "pulse pulses",
            "ip address",
            "related nids",
            "code",
            "as54113",
            "unknown",
            "body",
            "fastly error",
            "please",
            "sea p",
            "msil",
            "accept",
            "aaaa",
            "nxdomain",
            "whitelisted",
            "as15169 google",
            "status",
            "as44273 host",
            "as46691",
            "domain",
            "url https",
            "files location",
            "info",
            "script urls",
            "path max",
            "age86400 set",
            "cookie",
            "script domains",
            "javascript",
            "script script",
            "trojanspy",
            "cname",
            "emails",
            "servers",
            "all search",
            "related pulses",
            "file samples",
            "files matching",
            "creation date",
            "germany unknown",
            "yara detections",
            "filehash",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "file score",
            "meta",
            "home welcome",
            "write c",
            "delete c",
            "query",
            "local",
            "hostname",
            "a domains",
            "lowfi",
            "content type",
            "record value",
            "suite",
            "showing",
            "asnone united",
            "as29873",
            "ipv4",
            "pulse submit",
            "url analysis",
            "files",
            "pe32 executable",
            "potential scan",
            "0pgtwhu",
            "t1045",
            "port",
            "infection",
            "recon",
            "malware",
            "june",
            "delphi",
            "taobao network",
            "as45102 alibaba",
            "as4812 china",
            "next",
            "expiration date",
            "name servers",
            "dynamicloader",
            "dynamic",
            "sha256",
            "dynamic link",
            "library exe",
            "adobe",
            "incorporated",
            "read",
            "yara rule",
            "delete",
            "binary file",
            "push",
            "malicious",
            "july",
            "iocs",
            "levelbluelabs",
            "jeff4son",
            "adversaries",
            "registry run",
            "flow t1574",
            "dll sideloading",
            "boot",
            "logon autostart",
            "execution t1547",
            "keys",
            "startup folder",
            "t1497 may",
            "encryption",
            "catalog tree",
            "analysis ob0001",
            "virtual machine",
            "detection b0009",
            "check registry",
            "analysis ob0002",
            "executable code",
            "stack strings",
            "control ob0004",
            "get http",
            "http requests",
            "dns resolutions",
            "ip traffic",
            "pattern domains",
            "memory pattern",
            "urls http",
            "request",
            "response",
            "connection",
            "trojan",
            "otx scoreblue",
            "windows",
            "embeddedwb",
            "medium",
            "shellexecuteexw",
            "msie",
            "windows nt",
            "displayname",
            "tofsee",
            "hashes",
            "vhash",
            "authentihash",
            "ssdeep",
            "win32 exe",
            "magic pe32",
            "trid win32",
            "library",
            "read c",
            "file guard",
            "rtversion",
            "langchinese",
            "legalcopyright",
            "reserved",
            "ransom",
            "moved",
            "media",
            "ascii text",
            "default",
            "upack",
            "mike",
            "contacted",
            "x87xe1x1d",
            "regsetvalueexa",
            "x95xd3xa4",
            "regbinary",
            "x84xa8xe8i",
            "x8dxb7xb7",
            "hx88x9ax1e",
            "mx81xd1r",
            "x92xac",
            "xc2x84",
            "stream",
            "swipper",
            "pdfcreator.sf.net",
            "botnet",
            "black mercedes",
            "please forgive me",
            "therahand thouroughhand"
          ],
          "references": [
            "Project Endgame - pegausintel.com -Unsjre if related to NSO Group",
            "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
            "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
            "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
            "P\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
            "compromised_site_redirector_fromcharcode fromCharCode",
            "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
            "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
            "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
            "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
            "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
            "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
            "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
            "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Worm:Win32/Macoute.A",
              "display_name": "Worm:Win32/Macoute.A",
              "target": "/malware/Worm:Win32/Macoute.A"
            },
            {
              "id": "TrojanDownloader:Win32/Nemucod",
              "display_name": "TrojanDownloader:Win32/Nemucod",
              "target": "/malware/TrojanDownloader:Win32/Nemucod"
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "target": null
            },
            {
              "id": "Worm:Win32/Fesber.A",
              "display_name": "Worm:Win32/Fesber.A",
              "target": "/malware/Worm:Win32/Fesber.A"
            },
            {
              "id": "Ransom:Win32/Eniqma.A",
              "display_name": "Ransom:Win32/Eniqma.A",
              "target": "/malware/Ransom:Win32/Eniqma.A"
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "UpackV037Dwing",
              "display_name": "UpackV037Dwing",
              "target": null
            },
            {
              "id": "Cryp_Xed-12",
              "display_name": "Cryp_Xed-12",
              "target": null
            },
            {
              "id": "Mal/Generic-S",
              "display_name": "Mal/Generic-S",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66eb3ef6d765187a437767e4",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1493,
            "FileHash-SHA1": 1393,
            "FileHash-SHA256": 5881,
            "URL": 1499,
            "domain": 1947,
            "hostname": 1360,
            "email": 18,
            "CVE": 1
          },
          "indicator_count": 13592,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "17 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a01d3836a1a757aded89ba4",
          "name": "The 777 Quartz Loop: Structural Polyglot Forgery & Global Wiper Convergence",
          "description": "Malicious C2 is hidden in plain sight. Using webcontent.com (Reg. 1998), the factory mimics legitimate com.apple.WebKit.WebContent traffic. This is the permanent \"static\" that makes the Wiper indistinguishable from OS noise.C2 Anchors: ://webcontent.com, ://webcontent.comIP Nodes: 35.208.49.255, 18.208.88.157, 98.84.224.111, 3.33.251.168The \"Rose Quartz\" Structural MixA \"Frankensign\" universal bypass. It \"United\" three OS trust boundaries into a single loop:DigiCert (Windows): Forged overlay using the broken MD5 a1d6...6e72.Apple ARM (macOS): 64c/d or B0 thumbprints pivoting through WebKit/QuartzCore.Google (Drop): Execution via a Google 202 shell (GoogleUpdate.exe).The 777 AnchorThe 777 entropy pattern is the mathematical anchor forcing this messy alignment. It cannot be \"fixed\" by revocation because it is already cached in the internet's trust model.",
          "modified": "2026-05-12T08:41:44.805000",
          "created": "2026-05-11T13:02:59.167000",
          "tags": [
            "status",
            "creation date",
            "date",
            "pulse indicator",
            "url analysis",
            "passive dns",
            "urls",
            "files",
            "whois registrar",
            "related tags",
            "server",
            "domain status",
            "whois lookup",
            "dnssec",
            "domain name",
            "abuse contact",
            "email",
            "registrar abuse",
            "github",
            "google",
            "webcontent",
            "issue",
            "discussion",
            "safari vs",
            "cyberkit",
            "webkit port",
            "apple community",
            "clearing",
            "graph summary",
            "The Russian Doll Tactic",
            "pdfkit[.]net",
            "mathematical stalemate",
            "CLAMAV",
            "MD5/nested cert chains within"
          ],
          "references": [
            "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.",
            "Pending Review.",
            "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72",
            "Do Not Run",
            "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.",
            "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.",
            "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.",
            "Research Suggests:",
            "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"",
            "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.",
            "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.",
            "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).",
            "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.",
            "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.",
            "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 707,
            "URL": 1888,
            "email": 14,
            "hostname": 1443,
            "FileHash-SHA256": 1662,
            "IPv4": 198,
            "FileHash-MD5": 295,
            "FileHash-SHA1": 283,
            "Mutex": 1,
            "IPv6": 10,
            "CIDR": 1,
            "CVE": 2
          },
          "indicator_count": 6504,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "19 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fdc02bea1e4ec923b01688",
          "name": "ripe.arin.enom.cpanel.cpcalendar.iana.networksolutions.02050.webdisk.webmail.",
          "description": "interesting. 2000-06-05T14:09:35Z\nDNSSEC: unsigned\nDomain Name: GOTOCFR.COM\nDomain Status:  https://icann.org/epp#clientTransferProhibited\nName Server: NS37.WORLDNIC.COM\nName Server: NS38.WORLDNIC.COM\nRegistrant City: 3f16518cc21288a8\nRegistrant Country: US\nRegistrant Email: a07a5df6ca9e975bs@gotocfr.com\nRegistrant Fax Ext: 3432650ec337c945\nRegistrant Fax: b3c25287c0f8ed51\nRegistrant Name: 3432650ec337c945\nRegistrant Organization: 3432650ec337c945\nRegistrant Phone Ext: 3432650ec337c945\nRegistrant Phone: a8108981ed146828\nRegistrant Postal Code: 22ba98fa33e9a7d1\nRegistrant State/Province: 2f0a6dc5401e8a9a\nRegistrant Street: c4d735c293d4e708\nRegistrar Abuse Contact Email: domain.operations@web.com\nRegistrar Abuse Contact Phone: +1.8777228662\nRegistrar IANA ID: 2\nRegistrar URL: http://networksolutions.com\nRegistrar WHOIS Server: whois.networksolutions.com\nRegistrar: Network Solutions, LLC\nRegistry Domain ID: 28566423_DOMAIN_COM-VRSN\nUpdated Date: 2026-04-06T06:20:14Z",
          "modified": "2026-05-09T03:07:39.308000",
          "created": "2026-05-08T10:51:23.184000",
          "tags": [
            "msie",
            "chrome",
            "passive dns",
            "date",
            "urls",
            "fabricating and",
            "type",
            "media type",
            "gmt content",
            "certificate",
            "title",
            "body",
            "encrypt",
            "graph summary",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "v3 serial",
            "number",
            "cus olet",
            "encrypt cnr12",
            "validity",
            "subject public",
            "key info",
            "code",
            "email",
            "server",
            "admin country",
            "registrant name",
            "and repair",
            "expiration date",
            "registry domain",
            "registrar iana",
            "creation date",
            "admin city",
            "key algorithm",
            "registrar abuse",
            "dnssec",
            "domain name",
            "status",
            "city",
            "us registrant",
            "registrant fax",
            "marshfield ssl",
            "common name",
            "issued",
            "supporte",
            "charter",
            "llc united",
            "statesunited",
            "new london",
            "i20100 may",
            "diesel",
            "ripe ncc",
            "ripe network",
            "abuse contact",
            "orgid",
            "orgtechhandle",
            "address",
            "orgabuseref",
            "postalcode",
            "ripe",
            "cidr",
            "ripe database",
            "orgabuseemail",
            "orgabusehandle",
            "nethandle",
            "thumbprint",
            "handle",
            "address range",
            "network name",
            "allocation type",
            "allocated pa",
            "whois server",
            "organization",
            "please note",
            "ip address",
            "google",
            "redacted for",
            "privacy admin",
            "privacy",
            "privacy tech",
            "street",
            "stateprovince",
            "form",
            "tech"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 236,
            "IPv4": 315,
            "URL": 932,
            "domain": 1040,
            "email": 65,
            "hostname": 1049,
            "FileHash-SHA256": 960,
            "FileHash-MD5": 301,
            "CIDR": 39,
            "IPv6": 68,
            "CVE": 890,
            "SSLCertFingerprint": 16
          },
          "indicator_count": 5911,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "22 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fc1b9d02d8ebe162913b74",
          "name": "Credit: OctoSeek -2yrs ago [Zombie.A \u2022 Bayrob in fake malware information website.]",
          "description": "",
          "modified": "2026-05-07T05:03:23.418000",
          "created": "2026-05-07T04:57:01.616000",
          "tags": [
            "ukraine",
            "referrer",
            "deploys fake",
            "uue files",
            "fsociety",
            "target colombia",
            "judiciary",
            "financial",
            "public",
            "tools",
            "sector",
            "mexico",
            "aka xloader",
            "html",
            "html info",
            "title",
            "meta tags",
            "google tag",
            "utc gnr5gzhd545",
            "utc na",
            "utc aw944900006",
            "utc linkedin",
            "formbook",
            "accept",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "apache",
            "so funny",
            "click",
            "urls",
            "passive dns",
            "http",
            "unique",
            "scan endpoints",
            "all octoseek",
            "url http",
            "ip address",
            "related nids",
            "code",
            "united",
            "as54113",
            "unknown",
            "aaaa",
            "as15169 google",
            "as46691",
            "status",
            "cname",
            "search",
            "whitelisted",
            "body",
            "date",
            "msil",
            "meta",
            "third-party-cookies",
            "iframes",
            "external-resources",
            "text/html",
            "trackers",
            "end game",
            "name servers",
            "select contact",
            "domain holder",
            "nexus category",
            "creation date",
            "showing",
            "date hash",
            "avast avg",
            "trojan",
            "mtb may",
            "dynamicloader",
            "high",
            "medium",
            "yara detections",
            "sniffs",
            "attempts",
            "alternate data",
            "stream",
            "a foreign",
            "cultureneutral",
            "get na",
            "show",
            "delete c",
            "entries",
            "cape",
            "delete",
            "default",
            "copy",
            "nivdort",
            "write",
            "trojanspy",
            "bayrob",
            "malware",
            "eagle eyed",
            "nonads",
            "path max",
            "age86400 set",
            "cookie",
            "script urls",
            "type",
            "script script",
            "win32 exe",
            "pe32",
            "intel",
            "ms windows",
            "ms visual",
            "win32 dynamic",
            "link library",
            "win16 ne",
            "pe32 compiler",
            "exe32",
            "compiler",
            "vs98",
            "contained",
            "simplified",
            "info compiler",
            "products",
            "sp6 build",
            "header intel",
            "name md5",
            "language",
            "not found",
            "rules not",
            "mitre",
            "info ids",
            "found sigma",
            "found",
            "files not",
            "found network",
            "getlasterror",
            "icons library",
            "os2 executable",
            "files",
            "file type",
            "kb file",
            "name",
            "type name",
            "ip detections",
            "country",
            "gandi sas",
            "dynadot",
            "enom",
            "namecheap",
            "dynadot inc",
            "namecheap inc",
            "dynadot llc",
            "domains",
            "tucows domains",
            "melbourne it",
            "historical ssl",
            "realteck audio",
            "problems",
            "lemon duck",
            "iocs",
            "sneaky server",
            "replacement",
            "unauthorized",
            "windows",
            "windir",
            "samplepath",
            "user",
            "process",
            "created",
            "shell commands",
            "windefend",
            "created bus",
            "tree",
            "registry keys",
            "reports upgrade",
            "keys set",
            "upgradestart",
            "dword",
            "data registry",
            "keys deleted",
            "reports",
            "get http",
            "request",
            "http requests",
            "ip traffic",
            "dns resolutions",
            "resolutions",
            "mitre att",
            "defense evasion",
            "ta0007 command",
            "control ta0011",
            "impact ta0034",
            "impact ta0040",
            "graph",
            "bundled files",
            "name file",
            "contacted ip",
            "users",
            "number",
            "ascii text",
            "crlf line",
            "database",
            "english",
            "tue jun",
            "installer",
            "template",
            "tulach",
            "rexxfield",
            "milesit",
            "cp",
            "self deleting",
            "stuff",
            "copying",
            "packages found",
            "targeting major",
            "injects ads",
            "into search",
            "results",
            "overlay",
            "text",
            "win32 dll",
            "javascript",
            "db2maestro",
            "open ports",
            "ipv4",
            "pulse submit",
            "url analysis",
            "expiration date",
            "hostname",
            "next",
            "ten process",
            "utc facebook",
            "utc google",
            "title ten",
            "blog meta",
            "tags",
            "elastic blog",
            "bing ads",
            "as8068",
            "certificate",
            "otx telemetry",
            "ref b",
            "record value",
            "emails",
            "please",
            "win32",
            "x msedge",
            "pulse pulses",
            "no data",
            "tag count",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "blacklist",
            "cisco umbrella",
            "site",
            "alexa top",
            "safe site",
            "mail spammer",
            "million",
            "malware site",
            "phishing site",
            "malicious site",
            "bank",
            "fuery",
            "unsafe",
            "malicious",
            "alexa",
            "zbot",
            "asn as16625",
            "akamai",
            "less",
            "is2osecurity",
            "domain name",
            "active",
            "as21342",
            "domain",
            "location israel",
            "asn as1680",
            "invalid url",
            "body html",
            "head title",
            "title head",
            "body h1",
            "reference",
            "log id",
            "gmtn",
            "digicert tls",
            "rsa sha256",
            "tls web",
            "full name",
            "digicert inc",
            "organization",
            "district",
            "columbia",
            "false",
            "as20940",
            "as16625 akamai",
            "as8987 amazon",
            "moved",
            "as1680 cellcom",
            "alerts",
            "related pulses",
            "guard",
            "dynamic",
            "reads",
            "https link",
            "as8075",
            "record type",
            "ttl value",
            "redacted for",
            "privacy tech",
            "privacy admin",
            "postal code",
            "stateprovince",
            "server",
            "email",
            "office open",
            "ms word",
            "document",
            "xml document",
            "xml spreadsheet",
            "email trash",
            "rich text",
            "pdf tripwire",
            "fall",
            "whois lookups",
            "contact email",
            "blind eagle",
            "brian sabey"
          ],
          "references": [
            "https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png",
            "https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
            "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339",
            "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b",
            "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690",
            "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc",
            "Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc",
            "Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77",
            "Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320",
            "Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect",
            "Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile",
            "IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden",
            "Alerts: cape_detected_threat cape_extracted_content",
            "TrojanSpy:Win32/Nivdort.CW:  FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69",
            "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07",
            "TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c",
            "Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69",
            "Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07",
            "Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120",
            "Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net",
            "Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net",
            "https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc",
            "trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758",
            "Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
            "Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019",
            "Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038",
            "Malware Behavior Catalog: Operating System OC0008  \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022  :  Tree Anti-Behavioral Analysis",
            "Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022  File System OC0001",
            "Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022",
            "Malware Behavior Catalog:  Tree Anti-Behavioral Analysis: C0017 Create Thread  \u2022 C0038 Operating System  \u2022 Debugger Detection B0001",
            "Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052",
            "Malware Behavior Catalog:  Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003",
            "Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus",
            "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
            "Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses",
            "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst",
            "Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP",
            "http://Object.prototype.hasOwnProperty.call",
            "Tulach! It's been a minute - 114.114.114.114",
            "What's going on here judiciary? Karen - cisa.gov?  e.final",
            "f.search schema.org  t.final",
            "ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov",
            "[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov",
            "[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov",
            "[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml",
            "Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window",
            "https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net",
            "Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV"
          ],
          "public": 1,
          "adversary": "Blind Eagle",
          "targeted_countries": [
            "United States of America",
            "Colombia",
            "Netherlands",
            "Israel"
          ],
          "malware_families": [
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Nivdort.CW",
              "display_name": "TrojanSpy:Win32/Nivdort.CW",
              "target": "/malware/TrojanSpy:Win32/Nivdort.CW"
            },
            {
              "id": "Bayrob",
              "display_name": "Bayrob",
              "target": null
            },
            {
              "id": "trojan.bayrob/lazy",
              "display_name": "trojan.bayrob/lazy",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0007",
              "name": "Discovery",
              "display_name": "TA0007 - Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "TA0029",
              "name": "Privilege Escalation",
              "display_name": "TA0029 - Privilege Escalation"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0030",
              "name": "Defense Evasion",
              "display_name": "TA0030 - Defense Evasion"
            },
            {
              "id": "TA0040",
              "name": "Impact",
              "display_name": "TA0040 - Impact"
            },
            {
              "id": "TA0034",
              "name": "Impact",
              "display_name": "TA0034 - Impact"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1055.003",
              "name": "Thread Execution Hijacking",
              "display_name": "T1055.003 - Thread Execution Hijacking"
            },
            {
              "id": "T1415",
              "name": "URL Scheme Hijacking",
              "display_name": "T1415 - URL Scheme Hijacking"
            },
            {
              "id": "T1416",
              "name": "URI Hijacking",
              "display_name": "T1416 - URI Hijacking"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "6683aae863ba601bac1a28b5",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1167,
            "FileHash-SHA1": 738,
            "FileHash-SHA256": 3074,
            "URL": 1019,
            "domain": 1640,
            "hostname": 973,
            "email": 12,
            "SSLCertFingerprint": 2,
            "URI": 2
          },
          "indicator_count": 8627,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f97a905451e3304319988b",
          "name": ".may 4 clone own on may 5",
          "description": "",
          "modified": "2026-05-07T02:57:38.229000",
          "created": "2026-05-05T05:05:20.493000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69f7fa1a282840a6e0aa370c",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 341,
            "FileHash-SHA1": 368,
            "FileHash-SHA256": 3143,
            "hostname": 2037,
            "IPv4": 186,
            "URL": 3288,
            "CIDR": 12,
            "email": 43,
            "domain": 1645,
            "URI": 1,
            "SSLCertFingerprint": 18,
            "CVE": 1
          },
          "indicator_count": 11083,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f9d068067ca727db406cf8",
          "name": "[Drive-by Compromise - Cyber warfare 4K + Unsuspect] Credit: Scoreblue Clone",
          "description": "",
          "modified": "2026-05-05T11:11:36.531000",
          "created": "2026-05-05T11:11:36.531000",
          "tags": [
            "access ta0001",
            "defense evasion",
            "access ta0006",
            "command",
            "control ta0011",
            "impact ta0040",
            "catalog tree",
            "ob0005 defense",
            "evasion ob0006",
            "impact ob0008",
            "hashes cape",
            "sandbox",
            "docguard",
            "yomi hunter",
            "zenbox",
            "ip traffic",
            "pattern domains",
            "memory pattern",
            "urls https",
            "adversaries",
            "mitre att",
            "t1189 found",
            "clickable urls",
            "pdf execution",
            "t1036",
            "creates",
            "hide artifacts",
            "exploitation",
            "e1564 hidden",
            "files",
            "discovery e1082",
            "e1203 data",
            "vhash",
            "ssdeep",
            "file type",
            "pdf document",
            "magic pdf",
            "trid adobe",
            "format",
            "file size",
            "united",
            "as32934",
            "passive dns",
            "unknown",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "urls",
            "status",
            "search",
            "showing",
            "server error",
            "certificate",
            "creation date",
            "high assurance",
            "server ca",
            "date",
            "body",
            "win32",
            "ransom",
            "entries",
            "icmp traffic",
            "packing t1045",
            "t1045",
            "pdb path",
            "pe resource",
            "show",
            "malware",
            "copy",
            "push",
            "write",
            "aaaa",
            "nxdomain",
            "united kingdom",
            "thailand",
            "vietnam",
            "as45430",
            "honduras",
            "indonesia",
            "mexico",
            "slovakia",
            "dynamicloader",
            "yara rule",
            "high",
            "ekyxe",
            "xe e",
            "eofae",
            "ee edcje4j",
            "tofsee",
            "windows",
            "medium",
            "stream",
            "grum",
            "as15169 google",
            "pulses",
            "record value",
            "error",
            "cname",
            "name servers",
            "ireland",
            "next",
            "federation asn",
            "as49505",
            "labs pulses",
            "trojan",
            "trojandropper",
            "related pulses",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "all search",
            "reverse dns",
            "location united",
            "emails info",
            "expiration date",
            "as51167 contabo",
            "germany unknown",
            "a nxdomain",
            "as40021 contabo",
            "encrypt",
            "url http",
            "http",
            "ip address",
            "related nids",
            "files location",
            "ddos",
            "activity",
            "checkin",
            "win64",
            "mirai",
            "hosting",
            "files ip",
            "address",
            "czechia unknown",
            "as174 cogent",
            "asnone germany",
            "as15598",
            "as16625 akamai",
            "asnone united",
            "as20940",
            "as35994 akamai",
            "as12337 noris",
            "pulse submit",
            "url analysis",
            "backdoor",
            "gmt cache",
            "sameorigin",
            "443 ma2592000",
            "suspicious",
            "virtool",
            "emails",
            "domain name",
            "code",
            "brazil",
            "poland",
            "domain",
            "msie",
            "windows nt",
            "tcp syn",
            "resolverror",
            "exploit",
            "externalport",
            "internalport",
            "http headers",
            "home network",
            "demonbot",
            "andariel",
            "yara detections",
            "malware traffic",
            "nids",
            "dns query",
            "google safe",
            "browsing",
            "whois",
            "virustotal",
            "mtb apr",
            "asnone related",
            "open",
            "hash avast",
            "avg clamav",
            "msdefender apr",
            "as8075",
            "content type",
            "access",
            "cp bus",
            "cur cono",
            "fin ivdo",
            "onl our",
            "phy samo",
            "overview ip",
            "flag united",
            "hostname",
            "files domain",
            "as8068",
            "trojan features",
            "rsa tls",
            "issuing ca",
            "mirai variant",
            "useragent",
            "inbound",
            "realtek sdk",
            "miniigd upnp",
            "soap command",
            "activity mirai",
            "helloworld",
            "users",
            "alerts",
            "anomalous file",
            "recycle bin",
            "filehash",
            "av detections",
            "memcommit",
            "read c",
            "memreserve",
            "for privacy",
            "china unknown",
            "ag alberto",
            "pedraz",
            "holidaycheck ag",
            "project pi",
            "immobilien ag",
            "puma se",
            "kurt walther",
            "ag ingo",
            "kraupa",
            "timo salzsieder",
            "record type",
            "ttl value",
            "msms57295540",
            "subdomains",
            "ireland unknown",
            "analyzer paste",
            "iocs",
            "samples",
            "regsetvalueexa",
            "default",
            "regdword",
            "module load",
            "t1129",
            "http request",
            "process32nextw",
            "regbinary",
            "oxypumper",
            "tools",
            "dock",
            "april",
            "persistence",
            "execution",
            "download",
            "as62597 nsone",
            "echo request",
            "sweep",
            "payload hello",
            "world",
            "total",
            "please",
            "xport",
            "main",
            "look",
            "install",
            "servers",
            "found",
            "cnapple public",
            "accept",
            "chrome",
            "moved",
            "ssl certificate",
            "write c",
            "installcore",
            "june",
            "delphi",
            "as47846",
            "cookie",
            "as32787 akamai",
            "as714 apple",
            "m1",
            "onelouder",
            "brian sabey",
            "denver colorado",
            "fakedout threat",
            "gmt content",
            "x cache",
            "div div",
            "as8972 host",
            "france unknown",
            "registrar",
            "otx scoreblue",
            "address domain",
            "as24940 hetzner",
            "as44273 host",
            "asn as15598",
            "trojanspy",
            "mail spammer",
            "germany mail",
            "spammer",
            "hichina",
            "data redacted",
            "a domains",
            "wow64",
            "slcc2",
            "media center",
            "port",
            "powershell",
            "urls http",
            "tptjsw",
            "virus",
            "ids detections",
            "germany",
            "as8560",
            "austria",
            "as1921",
            "as14061",
            "whitelisted",
            "as16276",
            "script urls",
            "as16552 tiggee",
            "as9009 m247",
            "meta",
            "as29789",
            "detected m1",
            "mtb aug",
            "server",
            "as397241",
            "cryp",
            "hostmaster",
            "networks",
            "as19024",
            "gmt setcookie",
            "delete",
            "russia as49505",
            "sinkhole cookie",
            "value snkz",
            "pe32",
            "possible",
            "susp",
            "lnmp",
            "lnmp a",
            "licess",
            "shell",
            "as63949 linode",
            "as133618",
            "as21342",
            "cve201717215",
            "huawei remote",
            "huawei hg532",
            "malware worm",
            "gafgyt",
            "exploit none",
            "binbusybox",
            "delete c",
            "odigicert inc",
            "stwashington",
            "lredmond",
            "rsa ca",
            "cape",
            "nondns",
            "denver",
            "redacted for",
            "method status",
            "url hostname",
            "ip country",
            "type get",
            "date tue",
            "gmt contenttype",
            "connection",
            "cachecontrol",
            "expires thu",
            "gmt vary",
            "poland unknown",
            "title",
            "script domains",
            "updated date",
            "serce internetu",
            "cnc beacon",
            "javascript",
            "wsasend",
            "post",
            "delete shadows",
            "all quiet",
            "t1047",
            "instrumentation",
            "rpcs",
            "ms windows",
            "asnone dns",
            "http host",
            "ip check",
            "sha256",
            "bits",
            "adware malware",
            "etpro malware",
            "bios",
            "guard",
            "tulach",
            "spectrum",
            "cyber folks",
            "tsara brashears",
            ".pl",
            "contacted",
            "kryptikxp",
            "apple",
            "ios",
            "android",
            "sabey",
            "charter communications",
            "denvecolorado",
            "quantum fiber",
            "air force",
            "swipper",
            "masquerade",
            "hitmen",
            "mitm",
            "whitesky",
            "cyber warfare",
            "porn",
            "pornhub.software"
          ],
          "references": [
            "DISTINCTIO8.pdf",
            "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
            "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
            "Tofsee: 'google.com' |  https://www.gov50.icu |",
            "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
            "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
            "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
            "hubt.pornhub.com | www.pornhub.com | pornative.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ||  pin.it || https://pin.it/",
            "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
            "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256  fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
            "IDS Detections: WGET Command Specifying Output in HTTP Headers",
            "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
            "Yara Detections: is__elf ,  DemonBot",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
            "FileHash - SHA256  f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
            "IDS Detections: Andariel Backdoor Activity (Checkin)",
            "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
            "DDoS:Linux/Gafgyt : FileHash - SHA256  358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
            "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
            "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
            "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
            "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
            "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
            "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
            "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
            "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
            "https://tulach.cc/ | tulach.cc |",
            "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
            "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
            "18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
            "www.pornhubselect.com | pornhub.software"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Chile",
            "Morocco",
            "Taiwan",
            "Guatemala",
            "United Kingdom of Great Britain and Northern Ireland",
            "Ireland",
            "Kenya",
            "Peru",
            "Singapore",
            "Mexico",
            "Brazil",
            "Slovakia",
            "Spain",
            "Australia",
            "Belgium",
            "Germany",
            "Hungary",
            "Netherlands",
            "Russian Federation",
            "Japan",
            "Poland"
          ],
          "malware_families": [
            {
              "id": "Ransom",
              "display_name": "Ransom",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "TEL:CreateScheduledTask",
              "display_name": "TEL:CreateScheduledTask",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Unix.Trojan.Mirai-6981169-0",
              "display_name": "Unix.Trojan.Mirai-6981169-0",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Tofsee",
              "display_name": "Backdoor:Win32/Tofsee",
              "target": "/malware/Backdoor:Win32/Tofsee"
            },
            {
              "id": "Ransom:Win32/Haperlock",
              "display_name": "Ransom:Win32/Haperlock",
              "target": "/malware/Ransom:Win32/Haperlock"
            },
            {
              "id": "Trojan:Win32/Neurevt",
              "display_name": "Trojan:Win32/Neurevt",
              "target": "/malware/Trojan:Win32/Neurevt"
            },
            {
              "id": "DDoS:Linux/Gafgyt.YA!MTB",
              "display_name": "DDoS:Linux/Gafgyt.YA!MTB",
              "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
            },
            {
              "id": "CVE-2017-17215",
              "display_name": "CVE-2017-17215",
              "target": null
            },
            {
              "id": "CVE-2023-27350",
              "display_name": "CVE-2023-27350",
              "target": null
            },
            {
              "id": "CVE-2014-8361",
              "display_name": "CVE-2014-8361",
              "target": null
            },
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "M1",
              "display_name": "M1",
              "target": null
            },
            {
              "id": "OneLouder",
              "display_name": "OneLouder",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Win.Trojan.Sarwent-10012602-0",
              "display_name": "Win.Trojan.Sarwent-10012602-0",
              "target": null
            },
            {
              "id": "Virus:Win32/Sivis.A",
              "display_name": "Virus:Win32/Sivis.A",
              "target": "/malware/Virus:Win32/Sivis.A"
            },
            {
              "id": "Win.Trojan.Installcore-1177",
              "display_name": "Win.Trojan.Installcore-1177",
              "target": null
            },
            {
              "id": "Win.Malware.Oxypumper-6900435-0",
              "display_name": "Win.Malware.Oxypumper-6900435-0",
              "target": null
            },
            {
              "id": "Win.Malware.Qshell-9875653-0",
              "display_name": "Win.Malware.Qshell-9875653-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1428",
              "name": "Exploit Enterprise Resources",
              "display_name": "T1428 - Exploit Enterprise Resources"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66f31b9a0551ca166c872292",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7589,
            "FileHash-SHA1": 3982,
            "FileHash-SHA256": 8280,
            "URL": 439,
            "domain": 2416,
            "hostname": 2154,
            "email": 37,
            "CVE": 4,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 24907,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "25 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f7fa1a282840a6e0aa370c",
          "name": "May the 4th be with... every destructed file that never died",
          "description": "[undreds of thousands of people have been signing a petition calling for the removal of the president, Barack Obama, from the White House and the UK's prime minister, Theresa May, to be remove] The wording here. Its also May3rd not May 4th.",
          "modified": "2026-05-05T05:04:02.911000",
          "created": "2026-05-04T01:44:57.811000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 341,
            "FileHash-SHA1": 368,
            "FileHash-SHA256": 3142,
            "hostname": 1890,
            "IPv4": 162,
            "URL": 3241,
            "CIDR": 12,
            "email": 37,
            "domain": 1616,
            "URI": 1,
            "SSLCertFingerprint": 18
          },
          "indicator_count": 10828,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f2dc7db0bb5c5cdaec5a6c",
          "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
          "description": "",
          "modified": "2026-04-30T04:53:09.713000",
          "created": "2026-04-30T04:37:17.546000",
          "tags": [
            "united",
            "as397240",
            "search",
            "showing",
            "as54113",
            "as397241",
            "unknown",
            "moved",
            "creation date",
            "record value",
            "next",
            "date",
            "body",
            "a domains",
            "passive dns",
            "formbook cnc",
            "checkin",
            "entries",
            "github pages",
            "sea x",
            "accept",
            "status",
            "name servers",
            "certificate",
            "urls",
            "aaaa",
            "cname",
            "meta",
            "whitelisted ip",
            "address",
            "location united",
            "asn as36459",
            "github",
            "less whois",
            "registrar",
            "markmonitor",
            "related tags",
            "as36459",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "files",
            "ninite",
            "expiration date",
            "domain",
            "hostname",
            "sha256",
            "sha1",
            "ascii text",
            "pattern match",
            "document file",
            "v2 document",
            "utf8",
            "crlf line",
            "beginstring",
            "size",
            "null",
            "hybrid",
            "refresh",
            "span",
            "local",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "url https",
            "tulach type",
            "role title",
            "added active",
            "pulses url",
            "url http",
            "nextc type",
            "type indicator",
            "related pulses",
            "filehashsha256",
            "copyright",
            "ipv6",
            "germany",
            "italy",
            "trojan",
            "trojanspy",
            "worm",
            "trojanclicker",
            "virtool",
            "service",
            "linux x8664",
            "khtml",
            "gecko",
            "veryhigh",
            "redirect",
            "httpsupgrades",
            "collisionbox",
            "runner",
            "gameoverpanel",
            "trex",
            "orgtechhandle",
            "orgtechref",
            "director",
            "university",
            "nethandle",
            "net168",
            "net1680000",
            "ucha",
            "orgid",
            "east",
            "report spam",
            "as8075",
            "servers",
            "secure server",
            "error all",
            "typeof",
            "error f",
            "crazy doll",
            "created",
            "filehashmd5",
            "types of",
            "russia",
            "emotet type",
            "mirai type",
            "mirai",
            "mtb description",
            "win32 type",
            "as31034 aruba",
            "italy unknown",
            "as19527 google",
            "encrypt",
            "health type",
            "miori hackers",
            "brute force",
            "backdoor",
            "aurora",
            "ip address",
            "path",
            "unis",
            "dotcisoffer",
            "bladabindi",
            "artro",
            "script urls",
            "as46606",
            "brazil unknown",
            "as11284",
            "as10906",
            "apache",
            "lanc type",
            "telper",
            "win32",
            "win64",
            "pulses email",
            "as9009 m247",
            "as7296 alchemy",
            "as14061",
            "as16276",
            "trojandropper",
            "ransom",
            "mtb sep",
            "msie",
            "chrome",
            "ip check",
            "gmt content",
            "pulse submit",
            "url analysis",
            "files ip",
            "aaaa nxdomain",
            "nxdomain",
            "a nxdomain",
            "as22612",
            "dnssec",
            "meta http",
            "accept encoding",
            "request id",
            "united kingdom",
            "div div",
            "arial helvetica",
            "emails",
            "as15169 google",
            "cryp",
            "gmt cache",
            "sameorigin",
            "domain name",
            "code",
            "false",
            "command type",
            "roleselfservice",
            "mcig sep",
            "all search",
            "author avatar",
            "days ago",
            "http",
            "related nids",
            "files location",
            "as30081",
            "gmt contenttype",
            "mozilla",
            "as15133 verizon",
            "whitelisted",
            "meta name",
            "robots content",
            "x ua",
            "ieedge chrome1",
            "incapsula",
            "request",
            "softcnapp",
            "overview ip",
            "flag united",
            "files related",
            "as62597 nsone",
            "as31898 oracle",
            "mtb aug",
            "class",
            "twitter",
            "april",
            "secure",
            "httponly",
            "expiresthu",
            "pragma",
            "as13414 twitter",
            "smoke loader",
            "reverse dns",
            "asnone united",
            "idlogin sep",
            "uid38009",
            "expiration",
            "hack type",
            "porn type"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Italy",
            "Aruba"
          ],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66fc29a49b5ac693c8d75122",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3851,
            "FileHash-MD5": 6012,
            "FileHash-SHA1": 5906,
            "domain": 3330,
            "email": 33,
            "hostname": 4231,
            "CVE": 2,
            "FileHash-SHA256": 8407,
            "CIDR": 2,
            "SSLCertFingerprint": 7
          },
          "indicator_count": 31781,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6992bae83a5988dff8311490",
          "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
          "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
          "modified": "2026-04-24T13:20:48.450000",
          "created": "2026-02-16T06:36:24.788000",
          "tags": [
            "Obfuscation: XOR-based String Encryption (0x20)",
            "T1110.001 (Brute Force: Password Guessing)",
            "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
            "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
            "#PotentialUS-Origin_FalseFlag_Obfuscation"
          ],
          "references": [
            "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
            "Obfuscation: XOR-based String Encryption (0x20)",
            "T1110.001 (Brute Force: Password Guessing)",
            "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
            "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
            "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
            "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
            "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
            "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
            "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
            "",
            "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
            "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
            "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
            "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
            "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
            "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
            "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
            "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
            "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
            "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
            "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
            "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
          ],
          "public": 1,
          "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Malware Family: StealthWorker / GoBrut",
              "display_name": "Malware Family: StealthWorker / GoBrut",
              "target": "/malware/Malware Family: StealthWorker / GoBrut"
            },
            {
              "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
              "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2166,
            "FileHash-SHA1": 2067,
            "FileHash-SHA256": 3371,
            "domain": 13295,
            "URL": 6860,
            "email": 272,
            "hostname": 4705,
            "SSLCertFingerprint": 268,
            "CVE": 108,
            "CIDR": 6
          },
          "indicator_count": 33118,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 82,
          "modified_text": "36 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf6652beb00c62a9cb8b84",
          "name": "i cloned msudosos - IOC breakdown = Possible ELF/Prometei Botnet CnC Activity",
          "description": "",
          "modified": "2026-04-21T02:20:25.690000",
          "created": "2026-03-22T03:47:30.942000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "69bf4cc74c3d8f391a1a927c",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 308,
            "FileHash-SHA1": 305,
            "FileHash-SHA256": 362,
            "URL": 367,
            "hostname": 372,
            "domain": 192,
            "email": 13
          },
          "indicator_count": 1919,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "40 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69be6b955607d7a3d860a097",
          "name": "macho/php data",
          "description": "Hundreds of thousands of people have been signing a petition calling for the removal of the UK's Prime Minister David Cameron from the European Union's list of \"non-emergency\" countries and countries. <-- pretext. Enrichment Prompts everytime w/ it.",
          "modified": "2026-04-20T10:00:40.378000",
          "created": "2026-03-21T09:57:41.413000",
          "tags": [
            "macho",
            "mac os",
            "x macho",
            "macho 64bit",
            "x8664",
            "library",
            "dylib64"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 134,
            "FileHash-SHA1": 143,
            "FileHash-SHA256": 1523,
            "hostname": 584,
            "domain": 249,
            "URL": 55,
            "email": 6
          },
          "indicator_count": 2694,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "41 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e4e7cfdc3bb3cdffeecf7c",
          "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]]  [clone by scoreblue]",
          "description": "",
          "modified": "2026-04-19T14:33:51.385000",
          "created": "2026-04-19T14:33:51.385000",
          "tags": [
            "ssl certificate",
            "whois record",
            "historical ssl",
            "resolutions",
            "referrer",
            "communicating",
            "siblings",
            "file",
            "hell",
            "lenovo tablet",
            "name servers",
            "as714 apple",
            "united",
            "creation date",
            "search",
            "servers",
            "date",
            "moved",
            "certificate",
            "passive dns",
            "body",
            "historical",
            "collections",
            "contacted",
            "strange",
            "no data",
            "tag count",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "blacklist",
            "blacklist http",
            "cisco umbrella",
            "site",
            "safe site",
            "alexa top",
            "malicious site",
            "malware site",
            "phishing site",
            "million",
            "malware",
            "http attacker",
            "ip address",
            "algorithm",
            "v3 serial",
            "number",
            "ist ca",
            "g1 validity",
            "public key",
            "info",
            "key algorithm",
            "ec oid",
            "key identifier",
            "first",
            "team alexa",
            "downloader",
            "wed apr",
            "alexa",
            "pony",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "misc attack",
            "script",
            "beginstring",
            "mitre att",
            "null",
            "unknown",
            "span",
            "error",
            "class",
            "generator",
            "critical",
            "meta",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "refresh",
            "tools",
            "malicious url",
            "hostname",
            "hostnames",
            "phishing",
            "union",
            "team",
            "bank",
            "unsafe",
            "spammer",
            "node tcp",
            "traffic",
            "attacker",
            "tor known",
            "tor relayrouter",
            "jul jan",
            "mon sep",
            "heur",
            "artemis",
            "iframe",
            "conduit",
            "crack",
            "riskware",
            "opencandy",
            "cleaner",
            "exploit",
            "downldr",
            "presenoker",
            "wacatac",
            "agent",
            "fusioncore",
            "applicunwnt",
            "acint",
            "nircmd",
            "swrort",
            "systweak",
            "behav",
            "tiggre",
            "genkryptik",
            "filetour",
            "generic",
            "patcher",
            "driverpack",
            "xtrat",
            "softcnapp",
            "cyber threat",
            "dns server",
            "http spammer",
            "host",
            "download",
            "asyncrat",
            "cobalt strike",
            "apple",
            "urls http",
            "368600",
            "320700",
            "dc1542721039132",
            "subdomains",
            "noname057",
            "tld count",
            "urls",
            "blacklist https",
            "engineering",
            "singapore",
            "phishtank",
            "suppobox",
            "bambernek",
            "facebook",
            "zbot",
            "malicious",
            "zeus",
            "emotet",
            "ransomware",
            "nymaim",
            "redline stealer",
            "service",
            "virut",
            "kraken",
            "keybase",
            "stealer",
            "hawkeye",
            "tinba",
            "mirai",
            "nanocore",
            "bradesco",
            "cve201711882",
            "ip detections",
            "country",
            "83500",
            "1602192580242",
            "1602192586217",
            "blog",
            "1602192588844",
            "1602192624796",
            "303300",
            "vhash",
            "authentihash",
            "ssdeep",
            "file type",
            "win32 exe",
            "magic pe32",
            "ms windows",
            "intel",
            "trid windows",
            "control panel",
            "file version",
            "copyright",
            "product",
            "description",
            "original name",
            "internal name",
            "rticon neutral",
            "chi2",
            "contained",
            "details module",
            "version id",
            "typelib id",
            "header target",
            "machine intel",
            "utc entry",
            "point",
            "count blacklist",
            "tag tag",
            "dot net",
            "assembly common",
            "clr version",
            "assembly name",
            "address",
            "assembly",
            "rva entry",
            "streams size",
            "entropy chi2",
            "guid",
            "applenoc",
            "showing",
            "record value",
            "scan endpoints",
            "all search",
            "as20940",
            "as16625 akamai",
            "status",
            "cname",
            "china",
            "as136907 huawei",
            "nanjing",
            "as2914 ntt",
            "america",
            "as7843 charter",
            "as6461 zayo",
            "domain",
            "p155-fmfmobile.icloud.com",
            "t-mobile",
            "metro t-mobile",
            "metro",
            "metroby",
            "social engineering",
            "happywifehappylife",
            "bot",
            "darknet service",
            "tsara brashears",
            "jeffrey reimer",
            "pixelrz",
            "yandex",
            "cp",
            "cyber",
            "red team",
            "framing",
            "qwest",
            "cybercrime",
            "cyber threat",
            "sha256",
            "runtime process",
            "sha1",
            "size",
            "windows nt",
            "indicator",
            "svg scalable",
            "accept",
            "unis",
            "buttons",
            "overwrite",
            "format",
            "spyware",
            "heodo",
            "fri nov",
            "installcore",
            "installpack",
            "win64",
            "fakealert",
            "dropper",
            "fakeinstaller",
            "spyrixkeylogger",
            "bitminer",
            "loadmoney",
            "dapato",
            "networm",
            "mediaget",
            "softonic",
            "trojan",
            "encpk",
            "qbot",
            "predator",
            "kraddare",
            "iobit",
            "dllinject",
            "psexec",
            "occamy",
            "brontok",
            "zpevdo",
            "startpage",
            "keygen",
            "fareit",
            "secrisk",
            "unruy",
            "floxif",
            "adload",
            "et cins",
            "active threat",
            "reputation ip",
            "threats et",
            "cins active",
            "poor reputation",
            "ip tcp",
            "privacy admin",
            "privacy tech",
            "com laude",
            "redacted for",
            "server",
            "priority",
            "email",
            "organization",
            "city",
            "cnapple public",
            "server rsa",
            "stcalifornia",
            "cnapple ist",
            "identity search",
            "group",
            "issuer criteria",
            "type",
            "ilike search",
            "id logged",
            "valid",
            "no no",
            "no na",
            "ip security",
            "apple",
            "limited",
            "ca id",
            "lsalford",
            "ocomodo ca",
            "code signing",
            "mozilla",
            "android",
            "memory checks",
            "dotnet_encrypted",
            "multi family rat detection",
            "malware_win_zgrat"
          ],
          "references": [
            "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
            "p155-fmfmobile.icloud.com",
            "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com'  monitoring targeted apple device\u2193",
            "developer.huawei.com",
            "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
            "http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
            "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
            "fmfmobile.fe.apple-dns.net",
            "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
            "http://notredamewormhoutnet.appleid.com/",
            "news-publisher.pictures",
            "applestore.net",
            "airinthemorning.net",
            "http://certs.apple.com/appleistca2g1_bc.cer",
            "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
            "https://dc-mx.d3525d602ca2.pixelrz.com",
            "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
            "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
            "http://pixelrz.com/lists/keywords/tsara-brashears-dead    (unconfirmed death)",
            "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/    (unconfirmed crime)",
            "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/   (confirmed transactional agreement)",
            "http://pixelrz.com/lists/suggestions/rs485-arduino/",
            "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/  ( badgering. libel)",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer  (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
            "http://hidden-camera-public-nudity.tubesporno.com  (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
            "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
            "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
            "Resource: https://crt.sh/?q=privaterelay.appleid.com",
            "\u2193Command and Control \u2193",
            "CNC IPv4:  107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
            "CNC Hostname:  urlspirit.spiritsoft.cn",
            "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022  52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
            "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
            "Resource: https://urlscan.io/domain/privaterelay.appleid.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Systweak",
              "display_name": "Systweak",
              "target": null
            },
            {
              "id": "Swrort",
              "display_name": "Swrort",
              "target": null
            },
            {
              "id": "Tinba",
              "display_name": "Tinba",
              "target": null
            },
            {
              "id": "XRat",
              "display_name": "XRat",
              "target": null
            },
            {
              "id": "Zbot",
              "display_name": "Zbot",
              "target": null
            },
            {
              "id": "Zeus",
              "display_name": "Zeus",
              "target": null
            },
            {
              "id": "Tiggre",
              "display_name": "Tiggre",
              "target": null
            },
            {
              "id": "FusionCore",
              "display_name": "FusionCore",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Virus:DOS/Nanjing",
              "display_name": "Virus:DOS/Nanjing",
              "target": "/malware/Virus:DOS/Nanjing"
            },
            {
              "id": "nircmd",
              "display_name": "nircmd",
              "target": null
            },
            {
              "id": "noname057",
              "display_name": "noname057",
              "target": null
            },
            {
              "id": "BlackNET",
              "display_name": "BlackNET",
              "target": null
            },
            {
              "id": "SuppoBox",
              "display_name": "SuppoBox",
              "target": null
            },
            {
              "id": "Softcnapp",
              "display_name": "Softcnapp",
              "target": null
            },
            {
              "id": "Union",
              "display_name": "Union",
              "target": null
            },
            {
              "id": "Bambernek",
              "display_name": "Bambernek",
              "target": null
            },
            {
              "id": "Kraddare",
              "display_name": "Kraddare",
              "target": null
            },
            {
              "id": "Networm",
              "display_name": "Networm",
              "target": null
            },
            {
              "id": "trojan.agensla/msil",
              "display_name": "trojan.agensla/msil",
              "target": null
            },
            {
              "id": "Win:ZGRAT",
              "display_name": "Win:ZGRAT",
              "target": null
            },
            {
              "id": "Wacatac.",
              "display_name": "Wacatac.",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "656a971ab44409ecb7018428",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1220,
            "FileHash-SHA1": 613,
            "FileHash-SHA256": 5010,
            "URL": 13617,
            "hostname": 3699,
            "domain": 2783,
            "email": 11,
            "CVE": 23,
            "CIDR": 2
          },
          "indicator_count": 26978,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "41 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e4e7c6ddf646eb4e645bd5",
          "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]]  [clone by scoreblue]",
          "description": "",
          "modified": "2026-04-19T14:33:42.400000",
          "created": "2026-04-19T14:33:42.400000",
          "tags": [
            "ssl certificate",
            "whois record",
            "historical ssl",
            "resolutions",
            "referrer",
            "communicating",
            "siblings",
            "file",
            "hell",
            "lenovo tablet",
            "name servers",
            "as714 apple",
            "united",
            "creation date",
            "search",
            "servers",
            "date",
            "moved",
            "certificate",
            "passive dns",
            "body",
            "historical",
            "collections",
            "contacted",
            "strange",
            "no data",
            "tag count",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "blacklist",
            "blacklist http",
            "cisco umbrella",
            "site",
            "safe site",
            "alexa top",
            "malicious site",
            "malware site",
            "phishing site",
            "million",
            "malware",
            "http attacker",
            "ip address",
            "algorithm",
            "v3 serial",
            "number",
            "ist ca",
            "g1 validity",
            "public key",
            "info",
            "key algorithm",
            "ec oid",
            "key identifier",
            "first",
            "team alexa",
            "downloader",
            "wed apr",
            "alexa",
            "pony",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "misc attack",
            "script",
            "beginstring",
            "mitre att",
            "null",
            "unknown",
            "span",
            "error",
            "class",
            "generator",
            "critical",
            "meta",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "refresh",
            "tools",
            "malicious url",
            "hostname",
            "hostnames",
            "phishing",
            "union",
            "team",
            "bank",
            "unsafe",
            "spammer",
            "node tcp",
            "traffic",
            "attacker",
            "tor known",
            "tor relayrouter",
            "jul jan",
            "mon sep",
            "heur",
            "artemis",
            "iframe",
            "conduit",
            "crack",
            "riskware",
            "opencandy",
            "cleaner",
            "exploit",
            "downldr",
            "presenoker",
            "wacatac",
            "agent",
            "fusioncore",
            "applicunwnt",
            "acint",
            "nircmd",
            "swrort",
            "systweak",
            "behav",
            "tiggre",
            "genkryptik",
            "filetour",
            "generic",
            "patcher",
            "driverpack",
            "xtrat",
            "softcnapp",
            "cyber threat",
            "dns server",
            "http spammer",
            "host",
            "download",
            "asyncrat",
            "cobalt strike",
            "apple",
            "urls http",
            "368600",
            "320700",
            "dc1542721039132",
            "subdomains",
            "noname057",
            "tld count",
            "urls",
            "blacklist https",
            "engineering",
            "singapore",
            "phishtank",
            "suppobox",
            "bambernek",
            "facebook",
            "zbot",
            "malicious",
            "zeus",
            "emotet",
            "ransomware",
            "nymaim",
            "redline stealer",
            "service",
            "virut",
            "kraken",
            "keybase",
            "stealer",
            "hawkeye",
            "tinba",
            "mirai",
            "nanocore",
            "bradesco",
            "cve201711882",
            "ip detections",
            "country",
            "83500",
            "1602192580242",
            "1602192586217",
            "blog",
            "1602192588844",
            "1602192624796",
            "303300",
            "vhash",
            "authentihash",
            "ssdeep",
            "file type",
            "win32 exe",
            "magic pe32",
            "ms windows",
            "intel",
            "trid windows",
            "control panel",
            "file version",
            "copyright",
            "product",
            "description",
            "original name",
            "internal name",
            "rticon neutral",
            "chi2",
            "contained",
            "details module",
            "version id",
            "typelib id",
            "header target",
            "machine intel",
            "utc entry",
            "point",
            "count blacklist",
            "tag tag",
            "dot net",
            "assembly common",
            "clr version",
            "assembly name",
            "address",
            "assembly",
            "rva entry",
            "streams size",
            "entropy chi2",
            "guid",
            "applenoc",
            "showing",
            "record value",
            "scan endpoints",
            "all search",
            "as20940",
            "as16625 akamai",
            "status",
            "cname",
            "china",
            "as136907 huawei",
            "nanjing",
            "as2914 ntt",
            "america",
            "as7843 charter",
            "as6461 zayo",
            "domain",
            "p155-fmfmobile.icloud.com",
            "t-mobile",
            "metro t-mobile",
            "metro",
            "metroby",
            "social engineering",
            "happywifehappylife",
            "bot",
            "darknet service",
            "tsara brashears",
            "jeffrey reimer",
            "pixelrz",
            "yandex",
            "cp",
            "cyber",
            "red team",
            "framing",
            "qwest",
            "cybercrime",
            "cyber threat",
            "sha256",
            "runtime process",
            "sha1",
            "size",
            "windows nt",
            "indicator",
            "svg scalable",
            "accept",
            "unis",
            "buttons",
            "overwrite",
            "format",
            "spyware",
            "heodo",
            "fri nov",
            "installcore",
            "installpack",
            "win64",
            "fakealert",
            "dropper",
            "fakeinstaller",
            "spyrixkeylogger",
            "bitminer",
            "loadmoney",
            "dapato",
            "networm",
            "mediaget",
            "softonic",
            "trojan",
            "encpk",
            "qbot",
            "predator",
            "kraddare",
            "iobit",
            "dllinject",
            "psexec",
            "occamy",
            "brontok",
            "zpevdo",
            "startpage",
            "keygen",
            "fareit",
            "secrisk",
            "unruy",
            "floxif",
            "adload",
            "et cins",
            "active threat",
            "reputation ip",
            "threats et",
            "cins active",
            "poor reputation",
            "ip tcp",
            "privacy admin",
            "privacy tech",
            "com laude",
            "redacted for",
            "server",
            "priority",
            "email",
            "organization",
            "city",
            "cnapple public",
            "server rsa",
            "stcalifornia",
            "cnapple ist",
            "identity search",
            "group",
            "issuer criteria",
            "type",
            "ilike search",
            "id logged",
            "valid",
            "no no",
            "no na",
            "ip security",
            "apple",
            "limited",
            "ca id",
            "lsalford",
            "ocomodo ca",
            "code signing",
            "mozilla",
            "android",
            "memory checks",
            "dotnet_encrypted",
            "multi family rat detection",
            "malware_win_zgrat"
          ],
          "references": [
            "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
            "p155-fmfmobile.icloud.com",
            "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com'  monitoring targeted apple device\u2193",
            "developer.huawei.com",
            "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
            "http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
            "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
            "fmfmobile.fe.apple-dns.net",
            "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
            "http://notredamewormhoutnet.appleid.com/",
            "news-publisher.pictures",
            "applestore.net",
            "airinthemorning.net",
            "http://certs.apple.com/appleistca2g1_bc.cer",
            "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
            "https://dc-mx.d3525d602ca2.pixelrz.com",
            "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
            "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
            "http://pixelrz.com/lists/keywords/tsara-brashears-dead    (unconfirmed death)",
            "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/    (unconfirmed crime)",
            "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/   (confirmed transactional agreement)",
            "http://pixelrz.com/lists/suggestions/rs485-arduino/",
            "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/  ( badgering. libel)",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer  (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
            "http://hidden-camera-public-nudity.tubesporno.com  (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
            "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
            "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
            "Resource: https://crt.sh/?q=privaterelay.appleid.com",
            "\u2193Command and Control \u2193",
            "CNC IPv4:  107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
            "CNC Hostname:  urlspirit.spiritsoft.cn",
            "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022  52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
            "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
            "Resource: https://urlscan.io/domain/privaterelay.appleid.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Systweak",
              "display_name": "Systweak",
              "target": null
            },
            {
              "id": "Swrort",
              "display_name": "Swrort",
              "target": null
            },
            {
              "id": "Tinba",
              "display_name": "Tinba",
              "target": null
            },
            {
              "id": "XRat",
              "display_name": "XRat",
              "target": null
            },
            {
              "id": "Zbot",
              "display_name": "Zbot",
              "target": null
            },
            {
              "id": "Zeus",
              "display_name": "Zeus",
              "target": null
            },
            {
              "id": "Tiggre",
              "display_name": "Tiggre",
              "target": null
            },
            {
              "id": "FusionCore",
              "display_name": "FusionCore",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Virus:DOS/Nanjing",
              "display_name": "Virus:DOS/Nanjing",
              "target": "/malware/Virus:DOS/Nanjing"
            },
            {
              "id": "nircmd",
              "display_name": "nircmd",
              "target": null
            },
            {
              "id": "noname057",
              "display_name": "noname057",
              "target": null
            },
            {
              "id": "BlackNET",
              "display_name": "BlackNET",
              "target": null
            },
            {
              "id": "SuppoBox",
              "display_name": "SuppoBox",
              "target": null
            },
            {
              "id": "Softcnapp",
              "display_name": "Softcnapp",
              "target": null
            },
            {
              "id": "Union",
              "display_name": "Union",
              "target": null
            },
            {
              "id": "Bambernek",
              "display_name": "Bambernek",
              "target": null
            },
            {
              "id": "Kraddare",
              "display_name": "Kraddare",
              "target": null
            },
            {
              "id": "Networm",
              "display_name": "Networm",
              "target": null
            },
            {
              "id": "trojan.agensla/msil",
              "display_name": "trojan.agensla/msil",
              "target": null
            },
            {
              "id": "Win:ZGRAT",
              "display_name": "Win:ZGRAT",
              "target": null
            },
            {
              "id": "Wacatac.",
              "display_name": "Wacatac.",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "656a971ab44409ecb7018428",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1220,
            "FileHash-SHA1": 613,
            "FileHash-SHA256": 5010,
            "URL": 13617,
            "hostname": 3699,
            "domain": 2783,
            "email": 11,
            "CVE": 23,
            "CIDR": 2
          },
          "indicator_count": 26978,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "41 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ba1037c60cb420bf66b46c",
          "name": "docaccess",
          "description": "",
          "modified": "2026-04-18T05:15:12.381000",
          "created": "2026-03-18T02:38:47.338000",
          "tags": [
            "html document",
            "unicode text",
            "utf8 text",
            "crlf",
            "lf line"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 309,
            "FileHash-SHA1": 288,
            "FileHash-SHA256": 545,
            "URL": 117,
            "domain": 108,
            "email": 7,
            "hostname": 44,
            "CVE": 1
          },
          "indicator_count": 1419,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "43 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e1cc70fcbd3f613502e1f7",
          "name": "order  clone by aclause21 Public",
          "description": "",
          "modified": "2026-04-17T09:28:38.049000",
          "created": "2026-04-17T06:00:16.867000",
          "tags": [
            "access ta0001",
            "defense evasion",
            "access ta0006",
            "command",
            "control ta0011",
            "impact ta0040",
            "catalog tree",
            "ob0005 defense",
            "evasion ob0006",
            "impact ob0008",
            "hashes cape",
            "sandbox",
            "docguard",
            "yomi hunter",
            "zenbox",
            "ip traffic",
            "pattern domains",
            "memory pattern",
            "urls https",
            "adversaries",
            "mitre att",
            "t1189 found",
            "clickable urls",
            "pdf execution",
            "t1036",
            "creates",
            "hide artifacts",
            "exploitation",
            "e1564 hidden",
            "files",
            "discovery e1082",
            "e1203 data",
            "vhash",
            "ssdeep",
            "file type",
            "pdf document",
            "magic pdf",
            "trid adobe",
            "format",
            "file size",
            "united",
            "as32934",
            "passive dns",
            "unknown",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "urls",
            "status",
            "search",
            "showing",
            "server error",
            "certificate",
            "creation date",
            "high assurance",
            "server ca",
            "date",
            "body",
            "win32",
            "ransom",
            "entries",
            "icmp traffic",
            "packing t1045",
            "t1045",
            "pdb path",
            "pe resource",
            "show",
            "malware",
            "copy",
            "push",
            "write",
            "aaaa",
            "nxdomain",
            "united kingdom",
            "thailand",
            "vietnam",
            "as45430",
            "honduras",
            "indonesia",
            "mexico",
            "slovakia",
            "dynamicloader",
            "yara rule",
            "high",
            "ekyxe",
            "xe e",
            "eofae",
            "ee edcje4j",
            "tofsee",
            "windows",
            "medium",
            "stream",
            "grum",
            "as15169 google",
            "pulses",
            "record value",
            "error",
            "cname",
            "name servers",
            "ireland",
            "next",
            "federation asn",
            "as49505",
            "labs pulses",
            "trojan",
            "trojandropper",
            "related pulses",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "all search",
            "reverse dns",
            "location united",
            "emails info",
            "expiration date",
            "as51167 contabo",
            "germany unknown",
            "a nxdomain",
            "as40021 contabo",
            "encrypt",
            "url http",
            "http",
            "ip address",
            "related nids",
            "files location",
            "ddos",
            "activity",
            "checkin",
            "win64",
            "mirai",
            "hosting",
            "files ip",
            "address",
            "czechia unknown",
            "as174 cogent",
            "asnone germany",
            "as15598",
            "as16625 akamai",
            "asnone united",
            "as20940",
            "as35994 akamai",
            "as12337 noris",
            "pulse submit",
            "url analysis",
            "backdoor",
            "gmt cache",
            "sameorigin",
            "443 ma2592000",
            "suspicious",
            "virtool",
            "emails",
            "domain name",
            "code",
            "brazil",
            "poland",
            "domain",
            "msie",
            "windows nt",
            "tcp syn",
            "resolverror",
            "exploit",
            "externalport",
            "internalport",
            "http headers",
            "home network",
            "demonbot",
            "andariel",
            "yara detections",
            "malware traffic",
            "nids",
            "dns query",
            "google safe",
            "browsing",
            "whois",
            "virustotal",
            "mtb apr",
            "asnone related",
            "open",
            "hash avast",
            "avg clamav",
            "msdefender apr",
            "as8075",
            "content type",
            "access",
            "cp bus",
            "cur cono",
            "fin ivdo",
            "onl our",
            "phy samo",
            "overview ip",
            "flag united",
            "hostname",
            "files domain",
            "as8068",
            "trojan features",
            "rsa tls",
            "issuing ca",
            "mirai variant",
            "useragent",
            "inbound",
            "realtek sdk",
            "miniigd upnp",
            "soap command",
            "activity mirai",
            "helloworld",
            "users",
            "alerts",
            "anomalous file",
            "recycle bin",
            "filehash",
            "av detections",
            "memcommit",
            "read c",
            "memreserve",
            "for privacy",
            "china unknown",
            "ag alberto",
            "pedraz",
            "holidaycheck ag",
            "project pi",
            "immobilien ag",
            "puma se",
            "kurt walther",
            "ag ingo",
            "kraupa",
            "timo salzsieder",
            "record type",
            "ttl value",
            "msms57295540",
            "subdomains",
            "ireland unknown",
            "analyzer paste",
            "iocs",
            "samples",
            "regsetvalueexa",
            "default",
            "regdword",
            "module load",
            "t1129",
            "http request",
            "process32nextw",
            "regbinary",
            "oxypumper",
            "tools",
            "dock",
            "april",
            "persistence",
            "execution",
            "download",
            "as62597 nsone",
            "echo request",
            "sweep",
            "payload hello",
            "world",
            "total",
            "please",
            "xport",
            "main",
            "look",
            "install",
            "servers",
            "found",
            "cnapple public",
            "accept",
            "chrome",
            "moved",
            "ssl certificate",
            "write c",
            "installcore",
            "june",
            "delphi",
            "as47846",
            "cookie",
            "as32787 akamai",
            "as714 apple",
            "m1",
            "onelouder",
            "brian sabey",
            "denver colorado",
            "fakedout threat",
            "gmt content",
            "x cache",
            "div div",
            "as8972 host",
            "france unknown",
            "registrar",
            "otx scoreblue",
            "address domain",
            "as24940 hetzner",
            "as44273 host",
            "asn as15598",
            "trojanspy",
            "mail spammer",
            "germany mail",
            "spammer",
            "hichina",
            "data redacted",
            "a domains",
            "wow64",
            "slcc2",
            "media center",
            "port",
            "powershell",
            "urls http",
            "tptjsw",
            "virus",
            "ids detections",
            "germany",
            "as8560",
            "austria",
            "as1921",
            "as14061",
            "whitelisted",
            "as16276",
            "script urls",
            "as16552 tiggee",
            "as9009 m247",
            "meta",
            "as29789",
            "detected m1",
            "mtb aug",
            "server",
            "as397241",
            "cryp",
            "hostmaster",
            "networks",
            "as19024",
            "gmt setcookie",
            "delete",
            "russia as49505",
            "sinkhole cookie",
            "value snkz",
            "pe32",
            "possible",
            "susp",
            "lnmp",
            "lnmp a",
            "licess",
            "shell",
            "as63949 linode",
            "as133618",
            "as21342",
            "cve201717215",
            "huawei remote",
            "huawei hg532",
            "malware worm",
            "gafgyt",
            "exploit none",
            "binbusybox",
            "delete c",
            "odigicert inc",
            "stwashington",
            "lredmond",
            "rsa ca",
            "cape",
            "nondns",
            "denver",
            "redacted for",
            "method status",
            "url hostname",
            "ip country",
            "type get",
            "date tue",
            "gmt contenttype",
            "connection",
            "cachecontrol",
            "expires thu",
            "gmt vary",
            "poland unknown",
            "title",
            "script domains",
            "updated date",
            "serce internetu",
            "cnc beacon",
            "javascript",
            "wsasend",
            "post",
            "delete shadows",
            "all quiet",
            "t1047",
            "instrumentation",
            "rpcs",
            "ms windows",
            "asnone dns",
            "http host",
            "ip check",
            "sha256",
            "bits",
            "adware malware",
            "etpro malware",
            "bios",
            "guard",
            "tulach",
            "spectrum",
            "cyber folks",
            "tsara brashears",
            ".pl",
            "contacted",
            "kryptikxp",
            "apple",
            "ios",
            "android",
            "sabey",
            "charter communications",
            "denvecolorado",
            "quantum fiber",
            "air force",
            "swipper",
            "masquerade",
            "hitmen",
            "mitm",
            "whitesky",
            "cyber warfare",
            "porn",
            "pornhub.software"
          ],
          "references": [
            "DISTINCTIO8.pdf",
            "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
            "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
            "Tofsee: 'google.com' |  https://www.gov50.icu |",
            "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
            "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
            "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
            "hubt.pornhub.com | www.pornhub.com | pornative.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ||  pin.it || https://pin.it/",
            "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
            "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256  fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
            "IDS Detections: WGET Command Specifying Output in HTTP Headers",
            "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
            "Yara Detections: is__elf ,  DemonBot",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
            "FileHash - SHA256  f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
            "IDS Detections: Andariel Backdoor Activity (Checkin)",
            "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
            "DDoS:Linux/Gafgyt : FileHash - SHA256  358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
            "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
            "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
            "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
            "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
            "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
            "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
            "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
            "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
            "https://tulach.cc/ | tulach.cc |",
            "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
            "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
            "18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
            "www.pornhubselect.com | pornhub.software"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Chile",
            "Morocco",
            "Taiwan",
            "Guatemala",
            "United Kingdom of Great Britain and Northern Ireland",
            "Ireland",
            "Kenya",
            "Peru",
            "Singapore",
            "Mexico",
            "Brazil",
            "Slovakia",
            "Spain",
            "Australia",
            "Belgium",
            "Germany",
            "Hungary",
            "Netherlands",
            "Russian Federation",
            "Japan",
            "Poland"
          ],
          "malware_families": [
            {
              "id": "Ransom",
              "display_name": "Ransom",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "TEL:CreateScheduledTask",
              "display_name": "TEL:CreateScheduledTask",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Unix.Trojan.Mirai-6981169-0",
              "display_name": "Unix.Trojan.Mirai-6981169-0",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Tofsee",
              "display_name": "Backdoor:Win32/Tofsee",
              "target": "/malware/Backdoor:Win32/Tofsee"
            },
            {
              "id": "Ransom:Win32/Haperlock",
              "display_name": "Ransom:Win32/Haperlock",
              "target": "/malware/Ransom:Win32/Haperlock"
            },
            {
              "id": "Trojan:Win32/Neurevt",
              "display_name": "Trojan:Win32/Neurevt",
              "target": "/malware/Trojan:Win32/Neurevt"
            },
            {
              "id": "DDoS:Linux/Gafgyt.YA!MTB",
              "display_name": "DDoS:Linux/Gafgyt.YA!MTB",
              "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
            },
            {
              "id": "CVE-2017-17215",
              "display_name": "CVE-2017-17215",
              "target": null
            },
            {
              "id": "CVE-2023-27350",
              "display_name": "CVE-2023-27350",
              "target": null
            },
            {
              "id": "CVE-2014-8361",
              "display_name": "CVE-2014-8361",
              "target": null
            },
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "M1",
              "display_name": "M1",
              "target": null
            },
            {
              "id": "OneLouder",
              "display_name": "OneLouder",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Win.Trojan.Sarwent-10012602-0",
              "display_name": "Win.Trojan.Sarwent-10012602-0",
              "target": null
            },
            {
              "id": "Virus:Win32/Sivis.A",
              "display_name": "Virus:Win32/Sivis.A",
              "target": "/malware/Virus:Win32/Sivis.A"
            },
            {
              "id": "Win.Trojan.Installcore-1177",
              "display_name": "Win.Trojan.Installcore-1177",
              "target": null
            },
            {
              "id": "Win.Malware.Oxypumper-6900435-0",
              "display_name": "Win.Malware.Oxypumper-6900435-0",
              "target": null
            },
            {
              "id": "Win.Malware.Qshell-9875653-0",
              "display_name": "Win.Malware.Qshell-9875653-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1428",
              "name": "Exploit Enterprise Resources",
              "display_name": "T1428 - Exploit Enterprise Resources"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "678f0dbdbc59dd2ea5656dcf",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7589,
            "FileHash-SHA1": 3982,
            "FileHash-SHA256": 8280,
            "URL": 442,
            "domain": 2416,
            "hostname": 2155,
            "email": 37,
            "CVE": 4,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 24911,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 65,
          "modified_text": "44 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e1cc6fd3c4022e08db781d",
          "name": "order  clone by aclause21 Public",
          "description": "",
          "modified": "2026-04-17T06:51:33.372000",
          "created": "2026-04-17T06:00:15.760000",
          "tags": [
            "access ta0001",
            "defense evasion",
            "access ta0006",
            "command",
            "control ta0011",
            "impact ta0040",
            "catalog tree",
            "ob0005 defense",
            "evasion ob0006",
            "impact ob0008",
            "hashes cape",
            "sandbox",
            "docguard",
            "yomi hunter",
            "zenbox",
            "ip traffic",
            "pattern domains",
            "memory pattern",
            "urls https",
            "adversaries",
            "mitre att",
            "t1189 found",
            "clickable urls",
            "pdf execution",
            "t1036",
            "creates",
            "hide artifacts",
            "exploitation",
            "e1564 hidden",
            "files",
            "discovery e1082",
            "e1203 data",
            "vhash",
            "ssdeep",
            "file type",
            "pdf document",
            "magic pdf",
            "trid adobe",
            "format",
            "file size",
            "united",
            "as32934",
            "passive dns",
            "unknown",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "urls",
            "status",
            "search",
            "showing",
            "server error",
            "certificate",
            "creation date",
            "high assurance",
            "server ca",
            "date",
            "body",
            "win32",
            "ransom",
            "entries",
            "icmp traffic",
            "packing t1045",
            "t1045",
            "pdb path",
            "pe resource",
            "show",
            "malware",
            "copy",
            "push",
            "write",
            "aaaa",
            "nxdomain",
            "united kingdom",
            "thailand",
            "vietnam",
            "as45430",
            "honduras",
            "indonesia",
            "mexico",
            "slovakia",
            "dynamicloader",
            "yara rule",
            "high",
            "ekyxe",
            "xe e",
            "eofae",
            "ee edcje4j",
            "tofsee",
            "windows",
            "medium",
            "stream",
            "grum",
            "as15169 google",
            "pulses",
            "record value",
            "error",
            "cname",
            "name servers",
            "ireland",
            "next",
            "federation asn",
            "as49505",
            "labs pulses",
            "trojan",
            "trojandropper",
            "related pulses",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "all search",
            "reverse dns",
            "location united",
            "emails info",
            "expiration date",
            "as51167 contabo",
            "germany unknown",
            "a nxdomain",
            "as40021 contabo",
            "encrypt",
            "url http",
            "http",
            "ip address",
            "related nids",
            "files location",
            "ddos",
            "activity",
            "checkin",
            "win64",
            "mirai",
            "hosting",
            "files ip",
            "address",
            "czechia unknown",
            "as174 cogent",
            "asnone germany",
            "as15598",
            "as16625 akamai",
            "asnone united",
            "as20940",
            "as35994 akamai",
            "as12337 noris",
            "pulse submit",
            "url analysis",
            "backdoor",
            "gmt cache",
            "sameorigin",
            "443 ma2592000",
            "suspicious",
            "virtool",
            "emails",
            "domain name",
            "code",
            "brazil",
            "poland",
            "domain",
            "msie",
            "windows nt",
            "tcp syn",
            "resolverror",
            "exploit",
            "externalport",
            "internalport",
            "http headers",
            "home network",
            "demonbot",
            "andariel",
            "yara detections",
            "malware traffic",
            "nids",
            "dns query",
            "google safe",
            "browsing",
            "whois",
            "virustotal",
            "mtb apr",
            "asnone related",
            "open",
            "hash avast",
            "avg clamav",
            "msdefender apr",
            "as8075",
            "content type",
            "access",
            "cp bus",
            "cur cono",
            "fin ivdo",
            "onl our",
            "phy samo",
            "overview ip",
            "flag united",
            "hostname",
            "files domain",
            "as8068",
            "trojan features",
            "rsa tls",
            "issuing ca",
            "mirai variant",
            "useragent",
            "inbound",
            "realtek sdk",
            "miniigd upnp",
            "soap command",
            "activity mirai",
            "helloworld",
            "users",
            "alerts",
            "anomalous file",
            "recycle bin",
            "filehash",
            "av detections",
            "memcommit",
            "read c",
            "memreserve",
            "for privacy",
            "china unknown",
            "ag alberto",
            "pedraz",
            "holidaycheck ag",
            "project pi",
            "immobilien ag",
            "puma se",
            "kurt walther",
            "ag ingo",
            "kraupa",
            "timo salzsieder",
            "record type",
            "ttl value",
            "msms57295540",
            "subdomains",
            "ireland unknown",
            "analyzer paste",
            "iocs",
            "samples",
            "regsetvalueexa",
            "default",
            "regdword",
            "module load",
            "t1129",
            "http request",
            "process32nextw",
            "regbinary",
            "oxypumper",
            "tools",
            "dock",
            "april",
            "persistence",
            "execution",
            "download",
            "as62597 nsone",
            "echo request",
            "sweep",
            "payload hello",
            "world",
            "total",
            "please",
            "xport",
            "main",
            "look",
            "install",
            "servers",
            "found",
            "cnapple public",
            "accept",
            "chrome",
            "moved",
            "ssl certificate",
            "write c",
            "installcore",
            "june",
            "delphi",
            "as47846",
            "cookie",
            "as32787 akamai",
            "as714 apple",
            "m1",
            "onelouder",
            "brian sabey",
            "denver colorado",
            "fakedout threat",
            "gmt content",
            "x cache",
            "div div",
            "as8972 host",
            "france unknown",
            "registrar",
            "otx scoreblue",
            "address domain",
            "as24940 hetzner",
            "as44273 host",
            "asn as15598",
            "trojanspy",
            "mail spammer",
            "germany mail",
            "spammer",
            "hichina",
            "data redacted",
            "a domains",
            "wow64",
            "slcc2",
            "media center",
            "port",
            "powershell",
            "urls http",
            "tptjsw",
            "virus",
            "ids detections",
            "germany",
            "as8560",
            "austria",
            "as1921",
            "as14061",
            "whitelisted",
            "as16276",
            "script urls",
            "as16552 tiggee",
            "as9009 m247",
            "meta",
            "as29789",
            "detected m1",
            "mtb aug",
            "server",
            "as397241",
            "cryp",
            "hostmaster",
            "networks",
            "as19024",
            "gmt setcookie",
            "delete",
            "russia as49505",
            "sinkhole cookie",
            "value snkz",
            "pe32",
            "possible",
            "susp",
            "lnmp",
            "lnmp a",
            "licess",
            "shell",
            "as63949 linode",
            "as133618",
            "as21342",
            "cve201717215",
            "huawei remote",
            "huawei hg532",
            "malware worm",
            "gafgyt",
            "exploit none",
            "binbusybox",
            "delete c",
            "odigicert inc",
            "stwashington",
            "lredmond",
            "rsa ca",
            "cape",
            "nondns",
            "denver",
            "redacted for",
            "method status",
            "url hostname",
            "ip country",
            "type get",
            "date tue",
            "gmt contenttype",
            "connection",
            "cachecontrol",
            "expires thu",
            "gmt vary",
            "poland unknown",
            "title",
            "script domains",
            "updated date",
            "serce internetu",
            "cnc beacon",
            "javascript",
            "wsasend",
            "post",
            "delete shadows",
            "all quiet",
            "t1047",
            "instrumentation",
            "rpcs",
            "ms windows",
            "asnone dns",
            "http host",
            "ip check",
            "sha256",
            "bits",
            "adware malware",
            "etpro malware",
            "bios",
            "guard",
            "tulach",
            "spectrum",
            "cyber folks",
            "tsara brashears",
            ".pl",
            "contacted",
            "kryptikxp",
            "apple",
            "ios",
            "android",
            "sabey",
            "charter communications",
            "denvecolorado",
            "quantum fiber",
            "air force",
            "swipper",
            "masquerade",
            "hitmen",
            "mitm",
            "whitesky",
            "cyber warfare",
            "porn",
            "pornhub.software"
          ],
          "references": [
            "DISTINCTIO8.pdf",
            "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
            "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
            "Tofsee: 'google.com' |  https://www.gov50.icu |",
            "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
            "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
            "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
            "hubt.pornhub.com | www.pornhub.com | pornative.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ||  pin.it || https://pin.it/",
            "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
            "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256  fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
            "IDS Detections: WGET Command Specifying Output in HTTP Headers",
            "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
            "Yara Detections: is__elf ,  DemonBot",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
            "FileHash - SHA256  f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
            "IDS Detections: Andariel Backdoor Activity (Checkin)",
            "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
            "DDoS:Linux/Gafgyt : FileHash - SHA256  358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
            "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
            "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
            "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
            "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
            "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
            "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
            "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
            "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
            "https://tulach.cc/ | tulach.cc |",
            "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
            "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
            "18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
            "www.pornhubselect.com | pornhub.software"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Chile",
            "Morocco",
            "Taiwan",
            "Guatemala",
            "United Kingdom of Great Britain and Northern Ireland",
            "Ireland",
            "Kenya",
            "Peru",
            "Singapore",
            "Mexico",
            "Brazil",
            "Slovakia",
            "Spain",
            "Australia",
            "Belgium",
            "Germany",
            "Hungary",
            "Netherlands",
            "Russian Federation",
            "Japan",
            "Poland"
          ],
          "malware_families": [
            {
              "id": "Ransom",
              "display_name": "Ransom",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "TEL:CreateScheduledTask",
              "display_name": "TEL:CreateScheduledTask",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Unix.Trojan.Mirai-6981169-0",
              "display_name": "Unix.Trojan.Mirai-6981169-0",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Tofsee",
              "display_name": "Backdoor:Win32/Tofsee",
              "target": "/malware/Backdoor:Win32/Tofsee"
            },
            {
              "id": "Ransom:Win32/Haperlock",
              "display_name": "Ransom:Win32/Haperlock",
              "target": "/malware/Ransom:Win32/Haperlock"
            },
            {
              "id": "Trojan:Win32/Neurevt",
              "display_name": "Trojan:Win32/Neurevt",
              "target": "/malware/Trojan:Win32/Neurevt"
            },
            {
              "id": "DDoS:Linux/Gafgyt.YA!MTB",
              "display_name": "DDoS:Linux/Gafgyt.YA!MTB",
              "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
            },
            {
              "id": "CVE-2017-17215",
              "display_name": "CVE-2017-17215",
              "target": null
            },
            {
              "id": "CVE-2023-27350",
              "display_name": "CVE-2023-27350",
              "target": null
            },
            {
              "id": "CVE-2014-8361",
              "display_name": "CVE-2014-8361",
              "target": null
            },
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "M1",
              "display_name": "M1",
              "target": null
            },
            {
              "id": "OneLouder",
              "display_name": "OneLouder",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Win.Trojan.Sarwent-10012602-0",
              "display_name": "Win.Trojan.Sarwent-10012602-0",
              "target": null
            },
            {
              "id": "Virus:Win32/Sivis.A",
              "display_name": "Virus:Win32/Sivis.A",
              "target": "/malware/Virus:Win32/Sivis.A"
            },
            {
              "id": "Win.Trojan.Installcore-1177",
              "display_name": "Win.Trojan.Installcore-1177",
              "target": null
            },
            {
              "id": "Win.Malware.Oxypumper-6900435-0",
              "display_name": "Win.Malware.Oxypumper-6900435-0",
              "target": null
            },
            {
              "id": "Win.Malware.Qshell-9875653-0",
              "display_name": "Win.Malware.Qshell-9875653-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1428",
              "name": "Exploit Enterprise Resources",
              "display_name": "T1428 - Exploit Enterprise Resources"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "678f0dbdbc59dd2ea5656dcf",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7589,
            "FileHash-SHA1": 3982,
            "FileHash-SHA256": 8280,
            "URL": 441,
            "domain": 2416,
            "hostname": 2155,
            "email": 37,
            "CVE": 4,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 24910,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 65,
          "modified_text": "44 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a9cd444aa144401d0c4988",
          "name": "Pools Open",
          "description": "",
          "modified": "2026-04-15T19:21:28.851000",
          "created": "2026-03-05T18:36:52.014000",
          "tags": [
            "Timothy Pool",
            "Christopher Pool",
            "Pool's Closed"
          ],
          "references": [
            "Pool Closed",
            "Pool's Closed"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Media",
            "ad fraud"
          ],
          "TLP": "white",
          "cloned_from": "5fa57698ac0f6638b7b9a8ba",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 8098,
            "URL": 23428,
            "hostname": 9592,
            "domain": 4727,
            "SSLCertFingerprint": 22,
            "FileHash-MD5": 696,
            "FileHash-SHA1": 457,
            "CIDR": 78,
            "email": 3,
            "CVE": 2
          },
          "indicator_count": 47103,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "45 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b766b93c6e815e08bbd8dc",
          "name": "Cloudgate ASNONE",
          "description": "clever.",
          "modified": "2026-04-15T02:24:17.244000",
          "created": "2026-03-16T02:11:05.001000",
          "tags": [
            "status",
            "creation date",
            "passive dns",
            "expiration date",
            "name servers",
            "date",
            "united",
            "show",
            "verdict",
            "domain"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 201,
            "email": 6,
            "URL": 49,
            "hostname": 247,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 45,
            "FileHash-SHA256": 633
          },
          "indicator_count": 1199,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 65,
          "modified_text": "46 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69afaca79dddf98b72dd06b1",
          "name": "kitplay + breaktime :(",
          "description": "all the kits connect. weather map pdf book health calendar the intersect of the apple product webkit aligning with edge node kits is a problem. I have reached 1 mil iocs in a month manually by phone. My ears ring, my hands burn, and my soul is as corrupt as my hollow root. Ive reported this as a whistleblower and ive reported to apple etc. I must take a break after I scan some CVEs until something is done, my lymph nodes in my neck are large and sore, though I hope I could help some. :/ stay well all. sos is because my phone doesnt work in emergency situations despite 30 devices between routers phones conputers being full factory reset. Ive lost everything. month 10.",
          "modified": "2026-04-09T21:16:02.645000",
          "created": "2026-03-10T05:31:19.353000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 268,
            "hostname": 123,
            "CVE": 11,
            "FileHash-MD5": 135,
            "FileHash-SHA1": 51,
            "FileHash-SHA256": 203,
            "email": 4,
            "URL": 48
          },
          "indicator_count": 843,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "51 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d68fffbf012630d57033b6",
          "name": "Sabey SWIPPER - Pornhub\u00bbX.Com migration to Twitter | Sabey\u2019s Daddy Data Center ",
          "description": "",
          "modified": "2026-04-08T17:27:27.851000",
          "created": "2026-04-08T17:27:27.851000",
          "tags": [
            "url https",
            "filehashsha256",
            "browse scan",
            "report spam",
            "author",
            "output",
            "tsara brashears",
            "created",
            "days ago",
            "showing",
            "trojan",
            "win32",
            "msil",
            "trojanspy",
            "virtool",
            "scan endpoints",
            "all search",
            "otx scoreblue",
            "author avatar",
            "fraud",
            "june",
            "worm",
            "search",
            "tsara type",
            "indicator role",
            "title added",
            "active related",
            "pulses url",
            "url http",
            "ipv6",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "sort",
            "least",
            "researched",
            "f https",
            "scan",
            "iocs",
            "learn more",
            "filehashmd5",
            "hostname",
            "domain",
            "indicators show",
            "browser",
            "unsupported",
            "view",
            "continue",
            "watch tsara",
            "searchtsa",
            "brashears",
            "most relevant",
            "porn videos",
            "download",
            "google search",
            "open threat",
            "babe",
            "green",
            "daily",
            "play",
            "fullscreen",
            "tsara",
            "videos",
            "love",
            "top tsara",
            "xxx videos",
            "hardcore porn",
            "jeffrey reimer",
            "puts",
            "porn",
            "javascript",
            "body",
            "creation date",
            "record value",
            "united",
            "gmt content",
            "gmt max",
            "age900",
            "httponly x",
            "date",
            "unknown",
            "pragma",
            "levelblue",
            "exchange open",
            "threat exchange",
            "indicator",
            "safebae",
            "get involved",
            "anyone else",
            "press",
            "data reports",
            "teen students",
            "become",
            "chapter lead",
            "become a",
            "certified peer",
            "district",
            "brian sabey",
            "sabey data",
            "hallrender",
            "sabey data centers",
            "swipper",
            "mark b sabey",
            "m brian sabey",
            "2beeg",
            "thebrotherssabey",
            "urls",
            "show",
            "cloudflarenet",
            "us urlscan",
            "skip",
            "accessibility",
            "all images",
            "videos shopping",
            "forums news",
            "web more",
            "tools",
            "service",
            "malicious",
            "size",
            "recent",
            "off blur",
            "find",
            "summary",
            "securitytrails",
            "urlscan https",
            "tryporn",
            "icann whois",
            "data problem",
            "disclaimer",
            "judaporn",
            "kompoz",
            "blur filter",
            "search results",
            "xxxvideohd",
            "hacker news",
            "item",
            "url",
            "website",
            "web",
            "scanner",
            "analyze",
            "analyzer",
            "september",
            "domains",
            "sale worldwide",
            "street",
            "gate parkway",
            "stateprovince",
            "postal code",
            "route",
            "open",
            "watch",
            "links",
            "footer",
            "delete see",
            "delete c",
            "tofsee",
            "grum",
            "entries",
            "cape",
            "high",
            "total",
            "copy",
            "write",
            "malware",
            "patched",
            "next",
            "please"
          ],
          "references": [
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
            "thebrotherssabey.wordpress.com | https://hallrender.com/attorney/brian-sabey",
            "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm",
            "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/",
            "https://SafeBae.org |  https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
            "http://sexiezpics.com/tsara-brashears-hardcore-porn | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
            "https://urlscan.io/domain/cdn2e-videos2.yjcontentdelivery.com | http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html",
            "https://www.google.com/search?client=ms-android-tcl-rvo2b&sca_esv=677ff2260c38da6a&sca_upv=1&q=tsara%20brashears&tbm=vid&source=lnms&fbs=AEQNm0Aa4sjWe7Rqy32pFwRj0UkWd8nbOJfsBGGB5IQQO6L3J5MIFhvnvU242yFxzEEp3BfRFWcyM5BvpTgNzM3vKj4sz-C2iLdc_0v0iAkScdtYjVPIGyVlvwujMCY6xcQ3LIupWIQPyPPfztGwIqpQ9H2EXqXXY4GBGq8hpekXoFuduDqktZzSriMQxAlKPjQviXaDVnUYcgWw9ejzcyECyIGanCUinw&sa=X&biw=1128&bih=1971&dpr=2&no_sw_cr=1&zx=1724209326040&sssc=1",
            "bfxxxhindi.to | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://billpay.stcu.org/csp/ws/ALKAMI-S5M/html/PC_Remote_Role_Due_XP_Help/role1_faq_email_notifications.html  billpay.stcu.org",
            "bfxxxhindi.to  www.bfxxxhindi.to  https://www.bfxxxhindi.to   tsara brashears bfxxxhindi.to https://www.bfxxxhindi.to/trend/eaUvPMTg3NzMytY07Q/",
            "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
            "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/. http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
            "http://alohatube.xyz/search/tsara-brashears  http://alohatube.xyz/search/tsara-brashears/",
            "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html",
            "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medic",
            "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medical-center",
            "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html",
            "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-medical.html",
            "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html",
            "http://videolal.com/tsara-brashears-assaulted-by-jeffrey-reimer.html  http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html",
            "http://videolal.com/tsara-brashears-pueblo.html , http://videolal.com/tsara-brashears.html",
            "http://pornbitter.com/storage/tsara-brashears/  http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru",
            "http://browntubeporn.com/tsara-brashears.html  browntubeporn.com  http://pornvideoj.com/tsara-brashears.htm",
            "pornhub.com/gay/video/search?search=tsara%2Blynn%2Bbrashears%2Blesbian",
            "feestzalenvanvlaanderen.be  www.gdsl-pallemoebler.info  http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us",
            "http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us  www.tryporn.net",
            "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru  feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info",
            "http://www.tryporn.net/seach/tsara-brashears/  hicksandchicks.org redpornvideos.net   http://advocate-smyslova.ru/tsara-brashears/",
            "http://flexporn.net/tsara-brashears.html  http://onlyindianporn.net/videos/tsara-brashears/  http://pornbitter.com/storage/tsara-brashears/",
            "http://pornpx.com/trends/tsara-brashears-submission-on-august-27-via-manual/1/ http://www.potnhub.org/tsara-brashears.html",
            "http://www.bukaporn.net/trend/tsara-brashears/  http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra",
            "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
            "www.sexpornimages.com http://hicksandchicks.org/ju/tsara-brashears/  hlebo.mobi  pornpx.com  www.potnhub.org",
            "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language  http://www.music-forum.",
            "http://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/  http://redpornvideos.net/tsara-brashears.html",
            "https://wallpapers-nature.com/  https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "https://wallpapers-nature.com/tsara-brashears/urlscan-io   https://www.sweetheartvideo.com/tsara-brashears",
            "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net  https://www.sweetheartvideo.com/tsara-brashears/",
            "https://www.sweetheartvideo.com/tsara-brashears/ | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
            "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language | https://wallpapers-nature.com/tsara-brashears/urlscan-io",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
            "https://xlxx.mobi phishing\thttps://2beeg.me   https://2beeg.net  https://www.redporn.video   https://youjizz.sex  2beeg.me xlxx.mobi ladys.one",
            "tsara-brashears-deadspin-twitter-suspended-account-help.ht  videolal.com  wallpapers-nature.com   www.sweetheartvideo.com",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/  Domain mom2fuck.mobi   https://youjizz.sex/tsara-brashears.html   https://youjizz.sex",
            "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer  http://pixelrz.com/lists/keywords/brashears-tsara-buzz-news",
            "http://pixelrz.com/lists/keywords/%20dr-jeffrey-reimer-dpt-funds-tsara-brashears/ https://xlxx.mobi",
            "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/  orangeporntube.net   www.tryporno.net",
            "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception  http://pixelrz.com/lists/keywords/tsara-brashears-dead/  http://orangeporntube.net/tsara-brashears.html",
            "http://www.tryporno.net/movies/tsara-brashears/  http://www.pixelrz.com/lists/keywords/tsara-brashears/",
            "https://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/  sexiezpics.com",
            "http://sexiezpics.com/tsara-brashears-hardcore-porn http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/   http://pornohata.com/mov/tsara-brashears/",
            "http://onlyindianporn2.com/videos/tsara-brashears/   onlyindianporn2.com-porn.html   aninditaannisa.blogspot.com   porno-trash.net",
            "myhotzpic.com  pornohata.com pornstarsporno.net aninditaannisa.blogspot.com/2019/02/tsara-brashears",
            "http://pornstarsporno.net/tsara-brashears.html  http://vtwctr.org/explore/inmate-tsara-brashears/",
            "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara%20-brashears-massage-nearby.html",
            "Hostname aninditaannisa.blogspot.com No Expiration\t0\t  URL aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html  billpay.stcu.org",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
            "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/",
            "thebrotherssabey.wordpress.com http://www.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com",
            "http://go.sabey.com http://vpn2.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com |",
            "http://itsupport.sabey.com http://www.sabey.com | http://root.sabeydatacenters.com/ | http://server1.sabeydatacenters.com | http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com",
            "http://sabey.com/construction/ | https://tulach.cc/ | sabeydatacenters.com | https://thebrotherssabey.com | http://root.sabeydatacenters.com/ No Expiration\t0\t  URL http://server1.sabeydatacenters.com No Expiration\t0\t  URL http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com | http://staging.sabeydatacenters.com",
            "https://info.sabeydatacenters.com/webmail/404532/1590752290/6c9ed1e0b6b364689835e8c6bd51ed2198f99ee8ec7fa1924787e4e9b6382872",
            "forceusercontent.com | sabey.com | tulach.cc | http://thebrotherssabey.com/2018m.sabeydatacenters.com | https://www.vpn.sabey.com/",
            "root.sabeydatacenters.com | server1.sabeydatacenters.com | smtps.sabeydatacenters.com | smtpseguro.sabeydatacenters.com",
            "https://thebrotherssabey.com | https://thebrotherssabey.com/2015/08/24/why | staging.sabeydatacenters.com |",
            "authsmtp.sabeydatacenters.com | go.sabey.com | thebrotherssabey.com | mx5.sabeydatacenters.com | posta.sabeydatacenters.com",
            "remote.files.downloadnow-1.com | remote.sabeydatacenters.com | poczta.sabeydatacenters.com | pop.sabeydatacenters.com",
            "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/20",
            "https://thebrotherssabey.com/2015/08/24/why  | https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2017/04/17/truth",
            "https://thebrotherssabey.com/2016/01/18/ballroom | resources.sabeydatacenters.com | https://thebrotherssabey.com/feed/",
            "https://thebrotherssabey.com/comments/feed/ | mail2.sabeydatacenters.com | mails.sabeydatacenters.com | newmail.sabeydatacenters.com",
            "http://staging.sabeydatacenters.com | https://sabey.com/careers/ | https://vpn2.sabey.com | https://www.sabey.com | https://www.vpn.sabey.com |",
            "https://info.sabeydatacenters.com/emailPreference/epc/404532/EcSDdxFsTp4vgdAzwbcD5rWn7oROwp5s8Buq0L48dF0/732bdcab2311714bb73d4d507e6508d215afb4dbc511",
            "1a8fc49a4265fe146976/1523680312 |  https://thebrotherssabey.com/2018/04/22/the  |  https://thebrotherssabey.com/2019/07/08/suffering",
            "https://info.sabeydatacenters.com/listUnsubscribeHeader/u/404532/732bdcab2311714bb73d4d507e6508d215afb4dbc5111a8fc49a4265fe14697",
            "https://info.sabeydatacenters.com/r/404532/1/1523680312/open/1 | http://onlyindianporn2.com/videos/dia-sabey/?p=13",
            "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/discourse | onlyindianporn2.com",
            "https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter | https://thebrotherssabey.com/author/dbsabey/",
            "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/category/homosexuality",
            "https://thebrotherssabey.com/2018/12/05/nature-of-scripture-part-5-conclusions/ | https://thebrotherssabey.com/2019/08/01/why",
            "mypornvid.fun | porn100.tv | amp.mypornvid.fun | cdn10.mypornvid.fun | cdn11.mypornvid.fun | cdn5.mypornvid.fun | cdn8.mypornvid.fun",
            "www.anyxxxtube.net | sv2.mypornvid.fun | www.porn100.tv | www.redporn.video | https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing |",
            "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears",
            "anybunny.tv | http://anybunny.tv/search/eva-lisa | http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us",
            "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-nearby.html. |",
            "http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concent | http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge",
            "onlyindianporn.tv | sexpornimages.com | http://www.sexpornimages.com/hillary/hillary-clinton",
            "https://mypornvid.fun/videos/3/o00vnGgcVx0/dude-sex-fuck-a-deer-wapporn-video-com/fuck-deer",
            "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
            "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/ | http://videolal.com/tsara-brashears-dead-by-daylight.html",
            "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html | http://videolal.com/tsara-brashears-dead.html |",
            "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/2019/01/20/miracle/",
            "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html | tsara-brashears-deadspin-twitter-suspended-account-help.ht",
            "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2017/04/17/truth",
            "https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2016/01/18/ballroom",
            "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/category/pregnancy",
            "https://thebrotherssabey.com/feed/ | https://thebrotherssabey.com/discourse | https://thebrotherssabey.com/comments/feed/",
            "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/20 | https://thebrotherssabey.com | https://thebrotherssabey.com",
            "http://thebrotherssabey.com/2018 | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/2019/07/08/suffering",
            "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/category/homosexuality",
            "https://thebrotherssabey.com/author/thebrotherssabey/  | https://thebrotherssabey.com/author/dbsabey/",
            "http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/ | https://www.applefilmaker.com | https://www.applefilmaker.com/1odbU3D",
            "www.wwwgitlab.gitlab.git.git.gitlab.git.128-199-7-137.cprapid.com",
            "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/",
            "https://hallrender.com/attorney/brian-sabey | https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter",
            "storage.ladys.one ladys.one: | http://photos.ladys.one ladys.one: | http://porno.ladys.one ladys.one: | http://storage.ladys.one ladys.one: | http://xxx-videos.ladys.one ladys.one:",
            "http://www.xvxx.me/clips/nadia-ali-hardcore/199530/",
            "https://kompoz2.com/tv/454575/blonde-slut-sara-jay-with-big-ass-is-fucked-in-doggy-style.html",
            "http://onlyindianporn2.com/videos/vichatter-young-11//title/0.7292669771257236"
          ],
          "public": 1,
          "adversary": "Brian Sabey | Tulach | Sabey Data Centers",
          "targeted_countries": [
            "United States of America",
            "Netherlands",
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "Win32/Tofsee.AX",
              "display_name": "Win32/Tofsee.AX",
              "target": null
            },
            {
              "id": "Trojan:Win32/Muldrop",
              "display_name": "Trojan:Win32/Muldrop",
              "target": "/malware/Trojan:Win32/Muldrop"
            }
          ],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1586.001",
              "name": "Social Media Accounts",
              "display_name": "T1586.001 - Social Media Accounts"
            },
            {
              "id": "T1055.013",
              "name": "Process Doppelg\u00e4nging",
              "display_name": "T1055.013 - Process Doppelg\u00e4nging"
            },
            {
              "id": "T1080",
              "name": "Taint Shared Content",
              "display_name": "T1080 - Taint Shared Content"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "69bea426487bffa5384c6f38",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 121,
            "FileHash-SHA1": 116,
            "FileHash-SHA256": 443,
            "URL": 1878,
            "domain": 312,
            "hostname": 518,
            "email": 5,
            "CIDR": 1,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 3395,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "52 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69acefddb438775a0be13420",
          "name": "Whistleblower Retaliation.",
          "description": "0397da2aa5e340a30ea939c5606cc9a131137d044f23ef812067e5c, as part of a series of events.",
          "modified": "2026-04-07T03:06:04.004000",
          "created": "2026-03-08T03:41:17.684000",
          "tags": [
            "key identifier",
            "v3 serial",
            "number",
            "update secure",
            "server ca",
            "validity",
            "cus stwa",
            "subject public",
            "key info",
            "key algorithm",
            "thumbprint"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1275,
            "FileHash-MD5": 143,
            "FileHash-SHA1": 149,
            "hostname": 49,
            "URL": 230,
            "domain": 278,
            "email": 4
          },
          "indicator_count": 2128,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "54 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69aa0c07ce3cd1822c02a231",
          "name": "scnr.com",
          "description": "",
          "modified": "2026-04-04T23:37:39.530000",
          "created": "2026-03-05T23:04:39.475000",
          "tags": [
            "united",
            "script urls",
            "unknown",
            "as13335",
            "as44273 host",
            "for privacy",
            "as47846",
            "germany unknown",
            "a domains",
            "redacted for",
            "date",
            "title",
            "body",
            "encrypt",
            "server",
            "registrar abuse",
            "iana id",
            "contact email",
            "dnssec",
            "domain status",
            "contact phone",
            "registrar url",
            "registrar whois"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 338,
            "URL": 159,
            "FileHash-SHA1": 77,
            "email": 8,
            "hostname": 741,
            "FileHash-SHA256": 13,
            "FileHash-MD5": 13
          },
          "indicator_count": 1349,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "56 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a9faf860d61b426ca9415c",
          "name": "aa49f4fb7b92869aca6af7b5266ea67b69c56733e542b3819c040c4dc4d9027e",
          "description": "b205b82d2b19366df50d00533bbd7234\n5b3b4934f32796e7a00ee21c7269d2a84f1a57b3\naa49f4fb7b92869aca6af7b5266ea67b69c56733e542b3819c040c4dc4d9027e\ndea8c07abb745c9055100be3a92a9fbc\n12288:Tk6fTce9KJ4cG33LBRHC+Qg0Edx4I4vkC5x:Tk63UJfutRRDI\nT14425E703FE9C0BDEE586D53B28959E18181FFA1C05E9CBCB5ABCD1453E518896EF013A\nMS Word Document \ndocument\nmsoffice\ntext\nword\ndoc\nComposite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: PC, Template: Normal.dotm, Last Saved By: PC, Revision Number: 12, Name of Creating Application: Microsoft Office Word, Total Editing Time: 06:00, Create Time/Date: Sat Jul 14 17:14:00 2018, Last Saved Time/Date: Sat Jul 14 17:26:00 2018, Number of Pages: 857, Number of Words: 82828, Number of Characters: 472121, Security: 0\nMicrosoft Word document (50.4%)   Microsoft Word document (old ver.) (31.9%)   Generic OLE2 / Multistream Compound (13.4%)   Unity binary serialized Assets (generic) (4.2%)\nDOC\n1017.00 KB (1041408",
          "modified": "2026-04-04T22:00:08.364000",
          "created": "2026-03-05T21:51:52.580000",
          "tags": [
            "united",
            "as8068",
            "aaaa",
            "as8075",
            "a domains",
            "meta",
            "passive dns",
            "creation date",
            "expiration date",
            "date",
            "accept"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 3,
            "URL": 27,
            "domain": 298,
            "email": 6,
            "hostname": 85,
            "FileHash-SHA256": 2
          },
          "indicator_count": 426,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "56 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a8ae60ef19e1d1f3c88461",
          "name": "3.32.100.98",
          "description": "interesting certificate string researchers take note : Subject: CN=*.execute-api.us-gov-west-1.amazonaws.com\nSubject Public Key Info:",
          "modified": "2026-04-03T22:17:43.738000",
          "created": "2026-03-04T22:12:48.990000",
          "tags": [
            "united",
            "as8987 amazon",
            "passive dns",
            "unknown",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "reverse dns",
            "location united"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 45,
            "domain": 623,
            "email": 16,
            "URL": 48,
            "CVE": 1
          },
          "indicator_count": 733,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "57 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a77cfcac37b94cdafabb0d",
          "name": "Outlook",
          "description": "IOCS",
          "modified": "2026-04-03T08:24:06.638000",
          "created": "2026-03-04T00:29:48.657000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 712,
            "domain": 759,
            "hostname": 194,
            "FileHash-SHA1": 148,
            "email": 37,
            "FileHash-SHA256": 437,
            "FileHash-MD5": 118,
            "CVE": 1
          },
          "indicator_count": 2406,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "58 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a6667cc81826a4ae1dd3ea",
          "name": "dropbox.com",
          "description": "Verdict\nWhitelisted\nIP Address\n162.125.248.18\nLocation\n\nUnited States\nASN\nAS19679 dropbox inc.\nNameservers\nns-1949.awsdns-51.co.uk.\n, \nns-315.awsdns-39.com.\nMore\nWHOIS\nRegistrar:\nMarkMonitor, Inc.,  \nCreation Date:\nJun 27, 1995\nRelated Pulses\nOTX User-Created Pulses (50)\nRelated Tags\n1747 Related Tags\n320700\n, \n368600\n, \n1575038779\n, \ngeoip\n, \nas54113\nMore\nIndicator Facts\n997 malicious files communicating\nHistorical OTX telemetry\nRunning webserver\n105 subdomains\nFilesharing\nSPF record\nPresent in Umbrella\nPresent in Majestic\nPresent in Akamai\nAntivirus Detections\nALF:E5.SpikeAex.DYNHASH\n, \nBackdoor:Win32/Drixed.J\n, \nCan't access file\n, \nTrojan:Win32/Banload.E\n, \nTrojan:Win32/Pariham.A\nMore\nAV Detection Ratio\n997\n / 1000\nExternal Resources\nWhois, \nUrlVoid, \nVirusTotal",
          "modified": "2026-04-02T04:35:49.117000",
          "created": "2026-03-03T04:41:32.619000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 318,
            "FileHash-MD5": 1055,
            "FileHash-SHA1": 1067,
            "FileHash-SHA256": 2018,
            "email": 6,
            "hostname": 210,
            "URL": 371
          },
          "indicator_count": 5045,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 70,
          "modified_text": "59 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6998d15c75b59044877602c1",
          "name": "Corrupt.... Files",
          "description": "beaware",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-20T21:25:48.559000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 706,
            "FileHash-SHA1": 859,
            "FileHash-SHA256": 1480,
            "URL": 743,
            "domain": 1565,
            "email": 55,
            "hostname": 912,
            "CVE": 54,
            "CIDR": 27
          },
          "indicator_count": 6401,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699a8339b9e516069852d3e2",
          "name": "Whitelist Shell",
          "description": "Data Point for Further Review",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-22T04:16:57.040000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 39,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "hostname": 194,
            "email": 6,
            "URL": 187,
            "domain": 263,
            "CVE": 30
          },
          "indicator_count": 723,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a1535debec4128ab952040",
          "name": "I See You, Too. #.icu",
          "description": "The NSV4-ICU campaign exhibits a profound cryptographic and linguistic mismatch betokening a Western operator driving a foreign engine. While the tactical codebase utilizes GBK-encoded (Simplified Chinese) metadata, the binary logs reveal a definitive tradecraft failure: the presence of \u00ba\u00c3\u00b0\u00c9 (H\u01ceo ba), a conversational \"Alrighty.\" This is likely a failed attempt to utilize a foreign language on a Western-localized screen, resulting in \"Mojibake\" (garbage text) and the semantic error of identifying the developer as a \"Novelist\" (Zu\u00f2zh\u011b) rather than a \"Programmer.\"\nBy stripping Western UTF-8 telemetry through spoofed Nashville (BNA) and Apple/Google thumbprints, the operator confirms Local Root CA injection and a manual interception pipeline. The .icu (I See You) signature is ultimately undermined by the operator's own metadata\u2014effectively a Westerner shouting in a digital dialect they don't speak, creating a detectable encoding-latency signature that peels back the \"invisible typhoon\" mask.",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-27T08:18:37.071000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 294,
            "CVE": 22,
            "URL": 278,
            "FileHash-MD5": 234,
            "FileHash-SHA1": 240,
            "FileHash-SHA256": 1663,
            "hostname": 142,
            "YARA": 1,
            "email": 13,
            "CIDR": 2
          },
          "indicator_count": 2889,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a185462e3c17c346bcdf79",
          "name": "The Trans-Pacific Mesh & Starfield Pipeline Subversion",
          "description": "The September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirm an advanced architectural alignment targeting the Hillsboro \"Silicon Forest\" ring and the TallComponents (.NET) document pipeline. By nesting an unauthorized clientAuth extension within a legitimate Starfield (Mesh Digital) signature, the operative successfully bridged the gap between web traffic and hardware-level telematics.\nThis campaign weaponized the 159,942 Majestic Trust Flow to validate a Serial 1 SOA shadow zone, neutralizing filters while executing ASP.NET Core (Kestrel) request smuggling via the 13.32.205.51 node. This subversion is evidenced by the 60-second TTL oscillation of 3.169.202.x clusters, creating a detectable \"fast-flux\" latency at the HIO52 (Hillsboro) edge. Finally, the Mesh Digital registrant pivot to hex-encoded 34326... and 1f8f41... identifiers secures the Tallfield Pipeline\u2014a hijacked Azure-hosted backend for identity packaging of Amex and UGA credentials.",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-27T11:51:34.696000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 710,
            "URL": 355,
            "hostname": 252,
            "CVE": 4,
            "CIDR": 6,
            "FileHash-MD5": 615,
            "FileHash-SHA1": 585,
            "email": 21,
            "FileHash-SHA256": 4316,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 6866,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a2f3242bb4619c7c2d4d2a",
          "name": "Port 445 Infection",
          "description": "",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-28T13:52:36.661000",
          "tags": [
            "alerts",
            "yara detections",
            "analysis date",
            "file score",
            "unusual port",
            "potential scan",
            "infection yara",
            "pulses",
            "related tags",
            "brute force",
            "delphi",
            "copy"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 193,
            "FileHash-SHA1": 187,
            "FileHash-SHA256": 290,
            "domain": 149,
            "URL": 12,
            "CVE": 18,
            "hostname": 39,
            "email": 2
          },
          "indicator_count": 890,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a3231c063d36fb26d438c4",
          "name": "wordpress.com press key",
          "description": "WP hosted malware",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-28T17:17:16.939000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1541,
            "FileHash-SHA1": 223,
            "URL": 4382,
            "email": 13,
            "hostname": 3063,
            "FileHash-MD5": 228,
            "FileHash-SHA256": 1429,
            "CIDR": 8
          },
          "indicator_count": 10887,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698ef344417f9985660e698b",
          "name": "Pulse Data",
          "description": "A complete summary of all the key points in the analysis of the W32.virus, compiled by the University of California, Los Angeles, at the end of May, 2014, and published online.",
          "modified": "2026-03-28T07:23:23.210000",
          "created": "2026-02-13T09:47:48.788000",
          "tags": [
            "imphash",
            "file type",
            "pulse pulses",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "file score",
            "detections tls",
            "zeppelin"
          ],
          "references": [
            "",
            "4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq ,  aPLib ,  PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access "
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 646,
            "FileHash-SHA1": 604,
            "FileHash-SHA256": 1373,
            "hostname": 1143,
            "domain": 1381,
            "URL": 2537,
            "CVE": 101,
            "email": 25,
            "SSLCertFingerprint": 9
          },
          "indicator_count": 7819,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "64 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf64e1d5e06aa6207f78de",
          "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
          "description": "",
          "modified": "2026-03-27T00:30:39.055000",
          "created": "2026-03-22T03:41:21.863000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": "698e93e1ab02db8c49e8c3ed",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27572,
            "FileHash-SHA256": 46076,
            "FileHash-MD5": 42177,
            "FileHash-SHA1": 22874,
            "hostname": 33438,
            "URL": 74810,
            "SSLCertFingerprint": 21,
            "CVE": 7579,
            "email": 297,
            "FileHash-IMPHASH": 8,
            "CIDR": 26203,
            "JA3": 1
          },
          "indicator_count": 281056,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 149,
          "modified_text": "65 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf64eccb5d39a90a3c391e",
          "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
          "description": "",
          "modified": "2026-03-27T00:30:39.055000",
          "created": "2026-03-22T03:41:32.565000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": "698e93e1ab02db8c49e8c3ed",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27572,
            "FileHash-SHA256": 46076,
            "FileHash-MD5": 42177,
            "FileHash-SHA1": 22874,
            "hostname": 33438,
            "URL": 74810,
            "SSLCertFingerprint": 21,
            "CVE": 7579,
            "email": 297,
            "FileHash-IMPHASH": 8,
            "CIDR": 26203,
            "JA3": 1
          },
          "indicator_count": 281056,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 152,
          "modified_text": "65 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bea426487bffa5384c6f38",
          "name": " Brian Sabey illegally deleting IoC\u2019s | SWIPPER - Pornhub\u00bbX.Com migration to Twitter Sabey Erasing",
          "description": "",
          "modified": "2026-03-21T13:59:02.016000",
          "created": "2026-03-21T13:59:02.016000",
          "tags": [
            "url https",
            "filehashsha256",
            "browse scan",
            "report spam",
            "author",
            "output",
            "tsara brashears",
            "created",
            "days ago",
            "showing",
            "trojan",
            "win32",
            "msil",
            "trojanspy",
            "virtool",
            "scan endpoints",
            "all search",
            "otx scoreblue",
            "author avatar",
            "fraud",
            "june",
            "worm",
            "search",
            "tsara type",
            "indicator role",
            "title added",
            "active related",
            "pulses url",
            "url http",
            "ipv6",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "sort",
            "least",
            "researched",
            "f https",
            "scan",
            "iocs",
            "learn more",
            "filehashmd5",
            "hostname",
            "domain",
            "indicators show",
            "browser",
            "unsupported",
            "view",
            "continue",
            "watch tsara",
            "searchtsa",
            "brashears",
            "most relevant",
            "porn videos",
            "download",
            "google search",
            "open threat",
            "babe",
            "green",
            "daily",
            "play",
            "fullscreen",
            "tsara",
            "videos",
            "love",
            "top tsara",
            "xxx videos",
            "hardcore porn",
            "jeffrey reimer",
            "puts",
            "porn",
            "javascript",
            "body",
            "creation date",
            "record value",
            "united",
            "gmt content",
            "gmt max",
            "age900",
            "httponly x",
            "date",
            "unknown",
            "pragma",
            "levelblue",
            "exchange open",
            "threat exchange",
            "indicator",
            "safebae",
            "get involved",
            "anyone else",
            "press",
            "data reports",
            "teen students",
            "become",
            "chapter lead",
            "become a",
            "certified peer",
            "district",
            "brian sabey",
            "sabey data",
            "hallrender",
            "sabey data centers",
            "swipper",
            "mark b sabey",
            "m brian sabey",
            "2beeg",
            "thebrotherssabey",
            "urls",
            "show",
            "cloudflarenet",
            "us urlscan",
            "skip",
            "accessibility",
            "all images",
            "videos shopping",
            "forums news",
            "web more",
            "tools",
            "service",
            "malicious",
            "size",
            "recent",
            "off blur",
            "find",
            "summary",
            "securitytrails",
            "urlscan https",
            "tryporn",
            "icann whois",
            "data problem",
            "disclaimer",
            "judaporn",
            "kompoz",
            "blur filter",
            "search results",
            "xxxvideohd",
            "hacker news",
            "item",
            "url",
            "website",
            "web",
            "scanner",
            "analyze",
            "analyzer",
            "september",
            "domains",
            "sale worldwide",
            "street",
            "gate parkway",
            "stateprovince",
            "postal code",
            "route",
            "open",
            "watch",
            "links",
            "footer",
            "delete see",
            "delete c",
            "tofsee",
            "grum",
            "entries",
            "cape",
            "high",
            "total",
            "copy",
            "write",
            "malware",
            "patched",
            "next",
            "please"
          ],
          "references": [
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
            "thebrotherssabey.wordpress.com | https://hallrender.com/attorney/brian-sabey",
            "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm",
            "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/",
            "https://SafeBae.org |  https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
            "http://sexiezpics.com/tsara-brashears-hardcore-porn | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
            "https://urlscan.io/domain/cdn2e-videos2.yjcontentdelivery.com | http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html",
            "https://www.google.com/search?client=ms-android-tcl-rvo2b&sca_esv=677ff2260c38da6a&sca_upv=1&q=tsara%20brashears&tbm=vid&source=lnms&fbs=AEQNm0Aa4sjWe7Rqy32pFwRj0UkWd8nbOJfsBGGB5IQQO6L3J5MIFhvnvU242yFxzEEp3BfRFWcyM5BvpTgNzM3vKj4sz-C2iLdc_0v0iAkScdtYjVPIGyVlvwujMCY6xcQ3LIupWIQPyPPfztGwIqpQ9H2EXqXXY4GBGq8hpekXoFuduDqktZzSriMQxAlKPjQviXaDVnUYcgWw9ejzcyECyIGanCUinw&sa=X&biw=1128&bih=1971&dpr=2&no_sw_cr=1&zx=1724209326040&sssc=1",
            "bfxxxhindi.to | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://billpay.stcu.org/csp/ws/ALKAMI-S5M/html/PC_Remote_Role_Due_XP_Help/role1_faq_email_notifications.html  billpay.stcu.org",
            "bfxxxhindi.to  www.bfxxxhindi.to  https://www.bfxxxhindi.to   tsara brashears bfxxxhindi.to https://www.bfxxxhindi.to/trend/eaUvPMTg3NzMytY07Q/",
            "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
            "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/. http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
            "http://alohatube.xyz/search/tsara-brashears  http://alohatube.xyz/search/tsara-brashears/",
            "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html",
            "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medic",
            "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medical-center",
            "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html",
            "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-medical.html",
            "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html",
            "http://videolal.com/tsara-brashears-assaulted-by-jeffrey-reimer.html  http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html",
            "http://videolal.com/tsara-brashears-pueblo.html , http://videolal.com/tsara-brashears.html",
            "http://pornbitter.com/storage/tsara-brashears/  http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru",
            "http://browntubeporn.com/tsara-brashears.html  browntubeporn.com  http://pornvideoj.com/tsara-brashears.htm",
            "pornhub.com/gay/video/search?search=tsara%2Blynn%2Bbrashears%2Blesbian",
            "feestzalenvanvlaanderen.be  www.gdsl-pallemoebler.info  http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us",
            "http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us  www.tryporn.net",
            "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru  feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info",
            "http://www.tryporn.net/seach/tsara-brashears/  hicksandchicks.org redpornvideos.net   http://advocate-smyslova.ru/tsara-brashears/",
            "http://flexporn.net/tsara-brashears.html  http://onlyindianporn.net/videos/tsara-brashears/  http://pornbitter.com/storage/tsara-brashears/",
            "http://pornpx.com/trends/tsara-brashears-submission-on-august-27-via-manual/1/ http://www.potnhub.org/tsara-brashears.html",
            "http://www.bukaporn.net/trend/tsara-brashears/  http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra",
            "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
            "www.sexpornimages.com http://hicksandchicks.org/ju/tsara-brashears/  hlebo.mobi  pornpx.com  www.potnhub.org",
            "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language  http://www.music-forum.",
            "http://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/  http://redpornvideos.net/tsara-brashears.html",
            "https://wallpapers-nature.com/  https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "https://wallpapers-nature.com/tsara-brashears/urlscan-io   https://www.sweetheartvideo.com/tsara-brashears",
            "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net  https://www.sweetheartvideo.com/tsara-brashears/",
            "https://www.sweetheartvideo.com/tsara-brashears/ | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
            "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language | https://wallpapers-nature.com/tsara-brashears/urlscan-io",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
            "https://xlxx.mobi phishing\thttps://2beeg.me   https://2beeg.net  https://www.redporn.video   https://youjizz.sex  2beeg.me xlxx.mobi ladys.one",
            "tsara-brashears-deadspin-twitter-suspended-account-help.ht  videolal.com  wallpapers-nature.com   www.sweetheartvideo.com",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/  Domain mom2fuck.mobi   https://youjizz.sex/tsara-brashears.html   https://youjizz.sex",
            "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer  http://pixelrz.com/lists/keywords/brashears-tsara-buzz-news",
            "http://pixelrz.com/lists/keywords/%20dr-jeffrey-reimer-dpt-funds-tsara-brashears/ https://xlxx.mobi",
            "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/  orangeporntube.net   www.tryporno.net",
            "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception  http://pixelrz.com/lists/keywords/tsara-brashears-dead/  http://orangeporntube.net/tsara-brashears.html",
            "http://www.tryporno.net/movies/tsara-brashears/  http://www.pixelrz.com/lists/keywords/tsara-brashears/",
            "https://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/  sexiezpics.com",
            "http://sexiezpics.com/tsara-brashears-hardcore-porn http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/   http://pornohata.com/mov/tsara-brashears/",
            "http://onlyindianporn2.com/videos/tsara-brashears/   onlyindianporn2.com-porn.html   aninditaannisa.blogspot.com   porno-trash.net",
            "myhotzpic.com  pornohata.com pornstarsporno.net aninditaannisa.blogspot.com/2019/02/tsara-brashears",
            "http://pornstarsporno.net/tsara-brashears.html  http://vtwctr.org/explore/inmate-tsara-brashears/",
            "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara%20-brashears-massage-nearby.html",
            "Hostname aninditaannisa.blogspot.com No Expiration\t0\t  URL aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html  billpay.stcu.org",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
            "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/",
            "thebrotherssabey.wordpress.com http://www.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com",
            "http://go.sabey.com http://vpn2.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com |",
            "http://itsupport.sabey.com http://www.sabey.com | http://root.sabeydatacenters.com/ | http://server1.sabeydatacenters.com | http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com",
            "http://sabey.com/construction/ | https://tulach.cc/ | sabeydatacenters.com | https://thebrotherssabey.com | http://root.sabeydatacenters.com/ No Expiration\t0\t  URL http://server1.sabeydatacenters.com No Expiration\t0\t  URL http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com | http://staging.sabeydatacenters.com",
            "https://info.sabeydatacenters.com/webmail/404532/1590752290/6c9ed1e0b6b364689835e8c6bd51ed2198f99ee8ec7fa1924787e4e9b6382872",
            "forceusercontent.com | sabey.com | tulach.cc | http://thebrotherssabey.com/2018m.sabeydatacenters.com | https://www.vpn.sabey.com/",
            "root.sabeydatacenters.com | server1.sabeydatacenters.com | smtps.sabeydatacenters.com | smtpseguro.sabeydatacenters.com",
            "https://thebrotherssabey.com | https://thebrotherssabey.com/2015/08/24/why | staging.sabeydatacenters.com |",
            "authsmtp.sabeydatacenters.com | go.sabey.com | thebrotherssabey.com | mx5.sabeydatacenters.com | posta.sabeydatacenters.com",
            "remote.files.downloadnow-1.com | remote.sabeydatacenters.com | poczta.sabeydatacenters.com | pop.sabeydatacenters.com",
            "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/20",
            "https://thebrotherssabey.com/2015/08/24/why  | https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2017/04/17/truth",
            "https://thebrotherssabey.com/2016/01/18/ballroom | resources.sabeydatacenters.com | https://thebrotherssabey.com/feed/",
            "https://thebrotherssabey.com/comments/feed/ | mail2.sabeydatacenters.com | mails.sabeydatacenters.com | newmail.sabeydatacenters.com",
            "http://staging.sabeydatacenters.com | https://sabey.com/careers/ | https://vpn2.sabey.com | https://www.sabey.com | https://www.vpn.sabey.com |",
            "https://info.sabeydatacenters.com/emailPreference/epc/404532/EcSDdxFsTp4vgdAzwbcD5rWn7oROwp5s8Buq0L48dF0/732bdcab2311714bb73d4d507e6508d215afb4dbc511",
            "1a8fc49a4265fe146976/1523680312 |  https://thebrotherssabey.com/2018/04/22/the  |  https://thebrotherssabey.com/2019/07/08/suffering",
            "https://info.sabeydatacenters.com/listUnsubscribeHeader/u/404532/732bdcab2311714bb73d4d507e6508d215afb4dbc5111a8fc49a4265fe14697",
            "https://info.sabeydatacenters.com/r/404532/1/1523680312/open/1 | http://onlyindianporn2.com/videos/dia-sabey/?p=13",
            "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/discourse | onlyindianporn2.com",
            "https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter | https://thebrotherssabey.com/author/dbsabey/",
            "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/category/homosexuality",
            "https://thebrotherssabey.com/2018/12/05/nature-of-scripture-part-5-conclusions/ | https://thebrotherssabey.com/2019/08/01/why",
            "mypornvid.fun | porn100.tv | amp.mypornvid.fun | cdn10.mypornvid.fun | cdn11.mypornvid.fun | cdn5.mypornvid.fun | cdn8.mypornvid.fun",
            "www.anyxxxtube.net | sv2.mypornvid.fun | www.porn100.tv | www.redporn.video | https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing |",
            "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears",
            "anybunny.tv | http://anybunny.tv/search/eva-lisa | http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us",
            "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-nearby.html. |",
            "http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concent | http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge",
            "onlyindianporn.tv | sexpornimages.com | http://www.sexpornimages.com/hillary/hillary-clinton",
            "https://mypornvid.fun/videos/3/o00vnGgcVx0/dude-sex-fuck-a-deer-wapporn-video-com/fuck-deer",
            "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
            "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/ | http://videolal.com/tsara-brashears-dead-by-daylight.html",
            "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html | http://videolal.com/tsara-brashears-dead.html |",
            "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/2019/01/20/miracle/",
            "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html | tsara-brashears-deadspin-twitter-suspended-account-help.ht",
            "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2017/04/17/truth",
            "https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2016/01/18/ballroom",
            "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/category/pregnancy",
            "https://thebrotherssabey.com/feed/ | https://thebrotherssabey.com/discourse | https://thebrotherssabey.com/comments/feed/",
            "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/20 | https://thebrotherssabey.com | https://thebrotherssabey.com",
            "http://thebrotherssabey.com/2018 | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/2019/07/08/suffering",
            "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/category/homosexuality",
            "https://thebrotherssabey.com/author/thebrotherssabey/  | https://thebrotherssabey.com/author/dbsabey/",
            "http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/ | https://www.applefilmaker.com | https://www.applefilmaker.com/1odbU3D",
            "www.wwwgitlab.gitlab.git.git.gitlab.git.128-199-7-137.cprapid.com",
            "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/",
            "https://hallrender.com/attorney/brian-sabey | https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter",
            "storage.ladys.one ladys.one: | http://photos.ladys.one ladys.one: | http://porno.ladys.one ladys.one: | http://storage.ladys.one ladys.one: | http://xxx-videos.ladys.one ladys.one:",
            "http://www.xvxx.me/clips/nadia-ali-hardcore/199530/",
            "https://kompoz2.com/tv/454575/blonde-slut-sara-jay-with-big-ass-is-fucked-in-doggy-style.html",
            "http://onlyindianporn2.com/videos/vichatter-young-11//title/0.7292669771257236"
          ],
          "public": 1,
          "adversary": "Brian Sabey | Tulach | Sabey Data Centers",
          "targeted_countries": [
            "United States of America",
            "Netherlands",
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "Win32/Tofsee.AX",
              "display_name": "Win32/Tofsee.AX",
              "target": null
            },
            {
              "id": "Trojan:Win32/Muldrop",
              "display_name": "Trojan:Win32/Muldrop",
              "target": "/malware/Trojan:Win32/Muldrop"
            }
          ],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1586.001",
              "name": "Social Media Accounts",
              "display_name": "T1586.001 - Social Media Accounts"
            },
            {
              "id": "T1055.013",
              "name": "Process Doppelg\u00e4nging",
              "display_name": "T1055.013 - Process Doppelg\u00e4nging"
            },
            {
              "id": "T1080",
              "name": "Taint Shared Content",
              "display_name": "T1080 - Taint Shared Content"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66eb08c239be3721ab6c9050",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 121,
            "FileHash-SHA1": 116,
            "FileHash-SHA256": 443,
            "URL": 1878,
            "domain": 312,
            "hostname": 518,
            "email": 5,
            "CIDR": 1,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 3395,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "70 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07",
        "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e",
        "http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
        "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/   (confirmed transactional agreement)",
        "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-medical.html",
        "https://info.sabeydatacenters.com/emailPreference/epc/404532/EcSDdxFsTp4vgdAzwbcD5rWn7oROwp5s8Buq0L48dF0/732bdcab2311714bb73d4d507e6508d215afb4dbc511",
        "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/20 | https://thebrotherssabey.com | https://thebrotherssabey.com",
        "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception  http://pixelrz.com/lists/keywords/tsara-brashears-dead/  http://orangeporntube.net/tsara-brashears.html",
        "T1110.001 (Brute Force: Password Guessing)",
        "Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
        "Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "Project Endgame - pegausintel.com -Unsjre if related to NSO Group",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "CNC Hostname:  urlspirit.spiritsoft.cn",
        "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html",
        "myhotzpic.com  pornohata.com pornstarsporno.net aninditaannisa.blogspot.com/2019/02/tsara-brashears",
        "http://pixelrz.com/lists/keywords/tsara-brashears-dead    (unconfirmed death)",
        "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
        "https://vtbehaviour.commondatastorage.googleapis.com/c915c30bfba565e05ccdea80427ffcba415831161e38e81eccbc893e8eb0bf83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431449&Signature=PDRco%2B36G08WhkVripJBX%2FKsew%2Fqdtv%2BE4v4qZ%2BxTtqIWv%2BbUShaZJk4oroxSc0hAtyIuEAY0Fl7s%2FjNS%2FYPoQ1iU9EMWYaxvd0Sl1%2F%2BEc%2Foq9dc3YP5F0muq56mEXdREOlePA54%2BObbmwRbWR4mwAkK%2FuAkYzpAtJKkLJRZ6GQ0sbyCC5VdaAT3OMhtFkTKCtx5Wk2ZTdGZT5ASe3hD4xmg219rX3t5uV8j",
        "Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net",
        "https://thebrotherssabey.com/feed/ | https://thebrotherssabey.com/discourse | https://thebrotherssabey.com/comments/feed/",
        "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022  52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
        "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
        "Yara Detections: is__elf ,  DemonBot",
        "thebrotherssabey.wordpress.com | https://hallrender.com/attorney/brian-sabey",
        "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
        "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
        "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
        "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.",
        "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net",
        "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/. http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "pornhub.com/gay/video/search?search=tsara%2Blynn%2Bbrashears%2Blesbian",
        "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
        "www.pornhubselect.com | pornhub.software",
        "https://vtbehaviour.commondatastorage.googleapis.com/00185697c0de6262fafba95770b1dd85ddbcdc8b5945d517457be2fb3e6908c1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431564&Signature=x%2BpjgWuHJOMK96wkAkxWnO%2BvWXDtko8QpNc0JQs9qrmHA1DtI9OB1F4jxixqRaySdJpP0JpTJK%2BRxE8sVad9wh3wtqgIhtbiihOX2%2FXHa7ukyAZOuMkh8fVLwIUVkxrObXKFDv8CiRAzdRemUPxSH%2FYmbOPY2eYs7UbUQp%2B93VYGCAMTuaztTey%2F1T8DM1tWLfxE5nKn3j7VigVpXMi8228oo%2B7ofaOVz3A%2FZKMZ1gKD",
        "https://vtbehaviour.commondatastorage.googleapis.com/00185697c0de6262fafba95770b1dd85ddbcdc8b5945d517457be2fb3e6908c1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431586&Signature=mg5jUjSQG5fVQ2idj9wgQGE6D7neQXnBJ4xAD50pgEFgszvmZvrLrvz5RjR00uX4f7Gs2afv8MUs272SCXfylMEo1EhlVujdxecw4%2Ftn9jdYUfSDpqu0quw4dkL1YXviPoAcCJLaKrrvBsQMT468PPk4VwiDZbq2JNrZZwt1qXHmZFe3X5CHabJJE0ORZBwBH0jMYUE%2BWIvGzkZ%2Bul4ufi3xgsgA%2BoN0jUlIddwaoZA4eQeYVlQ388DLeonSjl",
        "Malware Behavior Catalog: Operating System OC0008  \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022  :  Tree Anti-Behavioral Analysis",
        "Pool's Closed",
        "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
        "Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052",
        "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/  ( badgering. libel)",
        "https://vtbehaviour.commondatastorage.googleapis.com/91031d16ab93fe5d7f8dc7a55b4bbb8e23742c774ad467f67e2e1681e5439fb9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431033&Signature=tDkjksSltx3F6MPqpr8Xf%2BIAVxBBNNTifbGimbXIX5DCrLCZugVQF%2B7kCV%2BJ3RQ1lKt1eMcfTaQ3FUvgjt7%2F3uEgdHY390sywG9OdYe2HZMJHg%2BYNxsAIe8n7UIa22pLVZNqhDSymVa0VyJAEZb8B2t7gNdGsBLQKQ7GyJ2iYAz4NklXYQPVUZoWObKt0eggHoV3wJUWM%2BQKxWSnPP6HQ8wusnitHIEqxdfckeRTMZR9zlIg31",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "IP\u2019s Contacted: 192.124.249.187",
        "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/    (unconfirmed crime)",
        "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
        "www.sexpornimages.com http://hicksandchicks.org/ju/tsara-brashears/  hlebo.mobi  pornpx.com  www.potnhub.org",
        "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
        "forceusercontent.com | sabey.com | tulach.cc | http://thebrotherssabey.com/2018m.sabeydatacenters.com | https://www.vpn.sabey.com/",
        "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
        "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845",
        "Tofsee: 'google.com' |  https://www.gov50.icu |",
        "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6",
        "https://www.google.com/search?client=ms-android-tcl-rvo2b&sca_esv=677ff2260c38da6a&sca_upv=1&q=tsara%20brashears&tbm=vid&source=lnms&fbs=AEQNm0Aa4sjWe7Rqy32pFwRj0UkWd8nbOJfsBGGB5IQQO6L3J5MIFhvnvU242yFxzEEp3BfRFWcyM5BvpTgNzM3vKj4sz-C2iLdc_0v0iAkScdtYjVPIGyVlvwujMCY6xcQ3LIupWIQPyPPfztGwIqpQ9H2EXqXXY4GBGq8hpekXoFuduDqktZzSriMQxAlKPjQviXaDVnUYcgWw9ejzcyECyIGanCUinw&sa=X&biw=1128&bih=1971&dpr=2&no_sw_cr=1&zx=1724209326040&sssc=1",
        "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
        "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
        "https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
        "http://sexiezpics.com/tsara-brashears-hardcore-porn | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
        "[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov",
        "TrojanSpy:Win32/Nivdort.CW:  FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69",
        "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
        "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.",
        "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin",
        "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net  https://www.sweetheartvideo.com/tsara-brashears/",
        "FileHash - SHA256  f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
        "DDoS:Linux/Gafgyt : FileHash - SHA256  358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
        "CNC IPv4:  107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
        "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
        "http://flexporn.net/tsara-brashears.html  http://onlyindianporn.net/videos/tsara-brashears/  http://pornbitter.com/storage/tsara-brashears/",
        "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
        "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
        "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language  http://www.music-forum.",
        "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
        "http://pixelrz.com/lists/keywords/%20dr-jeffrey-reimer-dpt-funds-tsara-brashears/ https://xlxx.mobi",
        "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
        "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
        "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
        "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.",
        "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc",
        "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0",
        "http://www.tryporn.net/seach/tsara-brashears/  hicksandchicks.org redpornvideos.net   http://advocate-smyslova.ru/tsara-brashears/",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "http://onlyindianporn2.com/videos/tsara-brashears/   onlyindianporn2.com-porn.html   aninditaannisa.blogspot.com   porno-trash.net",
        "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee",
        "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
        "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
        "remote.files.downloadnow-1.com | remote.sabeydatacenters.com | poczta.sabeydatacenters.com | pop.sabeydatacenters.com",
        "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
        "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
        "http://www.bukaporn.net/trend/tsara-brashears/  http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra",
        "1a8fc49a4265fe146976/1523680312 |  https://thebrotherssabey.com/2018/04/22/the  |  https://thebrotherssabey.com/2019/07/08/suffering",
        "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears",
        "https://thebrotherssabey.com | https://thebrotherssabey.com/2015/08/24/why | staging.sabeydatacenters.com |",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "https://hallrender.com/attorney/brian-sabey | https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter",
        "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893",
        "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
        "https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2016/01/18/ballroom",
        "http://alohatube.xyz/search/tsara-brashears  http://alohatube.xyz/search/tsara-brashears/",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339",
        "http://pornbitter.com/storage/tsara-brashears/  http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru",
        "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com'  monitoring targeted apple device\u2193",
        "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a",
        "http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us  www.tryporn.net",
        "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
        "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
        "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
        "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
        "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru  feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info",
        "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
        "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
        "http://sabey.com/construction/ | https://tulach.cc/ | sabeydatacenters.com | https://thebrotherssabey.com | http://root.sabeydatacenters.com/ No Expiration\t0\t  URL http://server1.sabeydatacenters.com No Expiration\t0\t  URL http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com | http://staging.sabeydatacenters.com",
        "compromised_site_redirector_fromcharcode fromCharCode",
        "Resource: https://crt.sh/?q=privaterelay.appleid.com",
        "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
        "Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV",
        "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b",
        "f.search schema.org  t.final",
        "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "applestore.net",
        "https://thebrotherssabey.com/2015/08/24/why  | https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2017/04/17/truth",
        "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
        "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx",
        "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
        "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medical-center",
        "www.wwwgitlab.gitlab.git.git.gitlab.git.128-199-7-137.cprapid.com",
        "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] ,  Unix.Trojan.Xorddos-1 ,",
        "https://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/  sexiezpics.com",
        "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
        "http://thebrotherssabey.com/2018 | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/2019/07/08/suffering",
        "Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07",
        "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "https://info.sabeydatacenters.com/r/404532/1/1523680312/open/1 | http://onlyindianporn2.com/videos/dia-sabey/?p=13",
        "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
        "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara%20-brashears-massage-nearby.html",
        "https://mypornvid.fun/videos/3/o00vnGgcVx0/dude-sex-fuck-a-deer-wapporn-video-com/fuck-deer",
        "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
        "Hostname aninditaannisa.blogspot.com No Expiration\t0\t  URL aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html  billpay.stcu.org",
        "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
        "https://hallrender.com/attorney/brian-sabey",
        "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
        "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk  antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
        "Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net",
        "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
        "Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120",
        "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm",
        "http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concent | http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge",
        "http://itsupport.sabey.com http://www.sabey.com | http://root.sabeydatacenters.com/ | http://server1.sabeydatacenters.com | http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com",
        "CnC IP's: 192.187.111.221  63.141.242.43  63.141.242.44  63.141.242.46 81.17.18.195  81.17.18.197 81.17.29.146  81.17.29.148",
        "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
        "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
        "bfxxxhindi.to  www.bfxxxhindi.to  https://www.bfxxxhindi.to   tsara brashears bfxxxhindi.to https://www.bfxxxhindi.to/trend/eaUvPMTg3NzMytY07Q/",
        "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431302&Signature=VN0Lo6N8srKzgIyGy%2B2YBOQ%2BngCQJsbj8jycOiDUs3CpGIyP8pZyyC326od%2FfI41dky2kAUXq4L2f1AHLLukNksIcompwOACdBTaq%2B6r%2FyNhhrsOVLiVCA4wkuZX%2Bjz5eRA8KhG7BcGA1Z8ERy3OYr1b5gS4cUton8nwnqvSE7ZH6dFOkbdhFiX%2FwmTQbOzFCCqJWT0%2FJJZQaXyWSitlkG3IN8RyMOUpjxyT9fwh51%2FT",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
        "https://kompoz2.com/tv/454575/blonde-slut-sara-jay-with-big-ass-is-fucked-in-doggy-style.html",
        "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
        "smartphonesonline.co.uk  https://smartphonesonline.co.uk/  https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "Pool Closed",
        "http://browntubeporn.com/tsara-brashears.html  browntubeporn.com  http://pornvideoj.com/tsara-brashears.htm",
        "mypornvid.fun | porn100.tv | amp.mypornvid.fun | cdn10.mypornvid.fun | cdn11.mypornvid.fun | cdn5.mypornvid.fun | cdn8.mypornvid.fun",
        "Malware Behavior Catalog:  Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003",
        "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
        "TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c",
        "http://pixelrz.com/lists/suggestions/rs485-arduino/",
        "Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022",
        "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/20",
        "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).",
        "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534",
        "https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter | https://thebrotherssabey.com/author/dbsabey/",
        "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
        "https://info.sabeydatacenters.com/webmail/404532/1590752290/6c9ed1e0b6b364689835e8c6bd51ed2198f99ee8ec7fa1924787e4e9b6382872",
        "Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69",
        "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes.",
        "Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect",
        "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
        "ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov",
        "https://thebrotherssabey.com/2016/01/18/ballroom | resources.sabeydatacenters.com | https://thebrotherssabey.com/feed/",
        "Alerts: cape_detected_threat cape_extracted_content",
        "https://xlxx.mobi phishing\thttps://2beeg.me   https://2beeg.net  https://www.redporn.video   https://youjizz.sex  2beeg.me xlxx.mobi ladys.one",
        "https://otx.alienvault.com/indicator/ip/63.141.242.45",
        "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO",
        "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.",
        "www.anyxxxtube.net | sv2.mypornvid.fun | www.porn100.tv | www.redporn.video | https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing |",
        "authsmtp.sabeydatacenters.com | go.sabey.com | thebrotherssabey.com | mx5.sabeydatacenters.com | posta.sabeydatacenters.com",
        "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
        "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
        "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
        "IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden",
        "thebrotherssabey.wordpress.com http://www.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com",
        "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medic",
        "http://www.xvxx.me/clips/nadia-ali-hardcore/199530/",
        "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02",
        "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
        "Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window",
        "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/discourse | onlyindianporn2.com",
        "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html | http://videolal.com/tsara-brashears-dead.html |",
        "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html | tsara-brashears-deadspin-twitter-suspended-account-help.ht",
        "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
        "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437",
        "http://Object.prototype.hasOwnProperty.call",
        "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
        "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
        "Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc",
        "http://notredamewormhoutnet.appleid.com/",
        "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.",
        "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
        "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/",
        "https://thebrotherssabey.com/author/thebrotherssabey/  | https://thebrotherssabey.com/author/dbsabey/",
        "https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net",
        "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/  orangeporntube.net   www.tryporno.net",
        "http://videolal.com/tsara-brashears-assaulted-by-jeffrey-reimer.html  http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/  Domain mom2fuck.mobi   https://youjizz.sex/tsara-brashears.html   https://youjizz.sex",
        "Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022  File System OC0001",
        "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
        "http://certs.apple.com/appleistca2g1_bc.cer",
        "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
        "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
        "http://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/  http://redpornvideos.net/tsara-brashears.html",
        "[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov",
        "anybunny.tv | http://anybunny.tv/search/eva-lisa | http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us",
        "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/2019/01/20/miracle/",
        "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
        "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/category/homosexuality",
        "hubt.pornhub.com | www.pornhub.com | pornative.com",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
        "https://wallpapers-nature.com/  https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
        "http://go.sabey.com http://vpn2.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com |",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
        "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst",
        "http://pornstarsporno.net/tsara-brashears.html  http://vtwctr.org/explore/inmate-tsara-brashears/",
        "IDS Detections: WGET Command Specifying Output in HTTP Headers",
        "http://www.northpoleroute.com/78985064&type=0&resid=5312625",
        "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
        "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2017/04/17/truth",
        "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
        "feestzalenvanvlaanderen.be  www.gdsl-pallemoebler.info  http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us",
        "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943",
        "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
        "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
        "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz",
        "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
        "https://SafeBae.org |  https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
        "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html",
        "https://wallpapers-nature.com/tsara-brashears/urlscan-io   https://www.sweetheartvideo.com/tsara-brashears",
        "trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758",
        "news-publisher.pictures",
        "https://vtbehaviour.commondatastorage.googleapis.com/f26944950ccf7fd4422662d575c0b3698670e1b19d76fe386c20058ea4ea991f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431338&Signature=FoZZNyxGwBJKtHZSxcj9EHaeRdEMbmfNE6I04ld5vuYz8v2b9G%2Bwt0JlXl6N1uR2a9k4YqZln0HWuPEsYhjLjy3e465eqqg1UIPsLLqvH%2BmT7ox8n7TU%2B54qFOkQtrqoj3cO%2BSeZXnlXHOzxx9rdozltX%2FZ%2BOw1i5z%2FzvLy%2FlI3NhUcyIPbiD3yhM6DqHS%2Fyt7x5bhd5cz18yhPyQq7CNoW%2Fx%2B5aj4d6lWRgPVoBfaoqi33C",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/   http://pornohata.com/mov/tsara-brashears/",
        "Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile",
        "https://urlscan.io/domain/cdn2e-videos2.yjcontentdelivery.com | http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html",
        "http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/ | https://www.applefilmaker.com | https://www.applefilmaker.com/1odbU3D",
        "root.sabeydatacenters.com | server1.sabeydatacenters.com | smtps.sabeydatacenters.com | smtpseguro.sabeydatacenters.com",
        "Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019",
        "Do Not Run",
        "P\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
        "airinthemorning.net",
        "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9",
        "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
        "http://staging.sabeydatacenters.com | https://sabey.com/careers/ | https://vpn2.sabey.com | https://www.sabey.com | https://www.vpn.sabey.com |",
        "http://hidden-camera-public-nudity.tubesporno.com  (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
        "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
        "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec",
        "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
        "4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq ,  aPLib ,  PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access ",
        "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
        "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language | https://wallpapers-nature.com/tsara-brashears/urlscan-io",
        "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/category/homosexuality",
        "Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77",
        "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
        "https://otx.alienvault.com/indicator/ip/162.222.213.199",
        "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/category/pregnancy",
        "Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "https://info.sabeydatacenters.com/listUnsubscribeHeader/u/404532/732bdcab2311714bb73d4d507e6508d215afb4dbc5111a8fc49a4265fe14697",
        "onlyindianporn.tv | sexpornimages.com | http://www.sexpornimages.com/hillary/hillary-clinton",
        "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
        "https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc",
        "fmfmobile.fe.apple-dns.net",
        "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
        "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb",
        "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4",
        "Research Suggests:",
        "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
        "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html",
        "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-nearby.html. |",
        "https://tulach.cc/ | tulach.cc |",
        "p155-fmfmobile.icloud.com",
        "[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml",
        "http://onlyindianporn2.com/videos/vichatter-young-11//title/0.7292669771257236",
        "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer  http://pixelrz.com/lists/keywords/brashears-tsara-buzz-news",
        "https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png",
        "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.",
        "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
        "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f",
        "https://thebrotherssabey.com/2018/12/05/nature-of-scripture-part-5-conclusions/ | https://thebrotherssabey.com/2019/08/01/why",
        "https://www.sweetheartvideo.com/tsara-brashears/ | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
        "Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus",
        "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f",
        "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad",
        "bfxxxhindi.to | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "Trojan:Linux/Xorddos:  FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559",
        "http://pornpx.com/trends/tsara-brashears-submission-on-august-27-via-manual/1/ http://www.potnhub.org/tsara-brashears.html",
        "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.",
        "What's going on here judiciary? Karen - cisa.gov?  e.final",
        "Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP",
        "Resource: https://urlscan.io/domain/privaterelay.appleid.com",
        "tsara-brashears-deadspin-twitter-suspended-account-help.ht  videolal.com  wallpapers-nature.com   www.sweetheartvideo.com",
        "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/ | http://videolal.com/tsara-brashears-dead-by-daylight.html",
        "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
        "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
        "storage.ladys.one ladys.one: | http://photos.ladys.one ladys.one: | http://porno.ladys.one ladys.one: | http://storage.ladys.one ladys.one: | http://xxx-videos.ladys.one ladys.one:",
        "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer  (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
        "https://dc-mx.d3525d602ca2.pixelrz.com",
        "DISTINCTIO8.pdf",
        "https://thebrotherssabey.com/comments/feed/ | mail2.sabeydatacenters.com | mails.sabeydatacenters.com | newmail.sabeydatacenters.com",
        "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.",
        "Tulach! It's been a minute - 114.114.114.114",
        "http://videolal.com/tsara-brashears-pueblo.html , http://videolal.com/tsara-brashears.html",
        "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
        "Yara Detections: is__elf ,  xorddos ,  LinuxXorDDoS_VariantTwo",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ||  pin.it || https://pin.it/",
        "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
        "\u2193Command and Control \u2193",
        "developer.huawei.com",
        "IDS Detections: Andariel Backdoor Activity (Checkin)",
        "http://www.tryporno.net/movies/tsara-brashears/  http://www.pixelrz.com/lists/keywords/tsara-brashears/",
        "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251",
        "https://billpay.stcu.org/csp/ws/ALKAMI-S5M/html/PC_Remote_Role_Due_XP_Help/role1_faq_email_notifications.html  billpay.stcu.org",
        "Malware Behavior Catalog:  Tree Anti-Behavioral Analysis: C0017 Create Thread  \u2022 C0038 Operating System  \u2022 Debugger Detection B0001",
        "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/",
        "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
        "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.",
        "18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
        "Obfuscation: XOR-based String Encryption (0x20)",
        "http://sexiezpics.com/tsara-brashears-hardcore-porn http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
        "Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038",
        "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1",
        "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256  fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
        "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
        "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc",
        "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
        "Pending Review.",
        "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690",
        "https://otx.alienvault.com/indicator/ip/185.230.63.186"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Brian Sabey | Tulach | Sabey Data Centers",
            "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
            "Blind Eagle"
          ],
          "malware_families": [
            "Unix.trojan.mirai-6981169-0",
            "Upackv037dwing",
            "Trojandownloader:win32/nemucod",
            "Trojan.bayrob/lazy",
            "Redline",
            "Noname057",
            "Trojan:win32/neurevt",
            "Pegasus for ios - s0289",
            "Cl0p",
            "Backdoor:win32/fynloski.a",
            "Trojan:win32/zombie.a",
            "Xrat",
            "Blacknet",
            "Pws:win32/qqpass.b!mtb",
            "Malware family: stealthworker / gobrut",
            "Cve-2017-17215",
            "Virus:win32/sivis.a",
            "Tofsee",
            "Win.trojan.installcore-1177",
            "Ddos:linux/gafgyt.ya!mtb",
            "Mal/generic-s",
            "Backdoor:win32/tofsee",
            "Ransom",
            "Win.trojan.sarwent-10012602-0",
            "Win.malware.oxypumper-6900435-0",
            "Artro",
            "Virus:dos/nanjing",
            "Suppobox",
            "Trojanspy:win32/nivdort.cw",
            "Pegasus for android - mob-s0032",
            "Worm:win32/macoute.a",
            "Trojanspy:win32/nivdort",
            "Nircmd",
            "Worm:win32/fesber.a",
            "Win.malware.qshell-9875653-0",
            "Alf:heraklezeval:rogue:win32/fakerean",
            "Sakula rat",
            "Trojan:linux/xorddos",
            "Tel:createscheduledtask",
            "Trojan.agensla/msil",
            "Win32/tofsee.ax",
            "Trojanclicker:win32/ellell.a",
            "Ransom:win32/tescrypt",
            "Bambernek",
            "Softcnapp",
            "Ransomware",
            "Wacatac.",
            "M1",
            "Kraddare",
            "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf",
            "Zeus",
            "Cve-2014-8361",
            "Union",
            "Cryp_xed-12",
            "Networm",
            "Bayrob",
            "Trojan:win32/muldrop",
            "Cve-2023-27350",
            "Emotet",
            "Formbook",
            "Ransom:win32/haperlock.a",
            "Alf:jasyp:trojandownloader:win32/quireap!atmn",
            "Pws:win32/ymacco.aa50",
            "Systweak",
            "Mirai",
            "Win.virus.teslacrypt3-2/custom",
            "Win:zgrat",
            "Tiggre",
            "Zbot",
            "Nids",
            "Ransom:win32/eniqma.a",
            "Ransom:win32/haperlock",
            "Swrort",
            "Fusioncore",
            "Tinba",
            "Trojanspy",
            "Onelouder"
          ],
          "industries": [
            "Ad fraud",
            "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in",
            "Media"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 50,
  "pulses": [
    {
      "id": "69a02837827feb0b78fa3ad2",
      "name": "The Belasco Chain",
      "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.",
      "modified": "2026-05-31T01:02:14",
      "created": "2026-02-26T11:02:15.932000",
      "tags": [
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file type",
        "sha1",
        "sha256",
        "crc32",
        "filenames c"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2813,
        "FileHash-SHA1": 2576,
        "FileHash-SHA256": 8145,
        "domain": 1903,
        "hostname": 1502,
        "URL": 1359,
        "email": 46,
        "CVE": 54,
        "CIDR": 3,
        "YARA": 7,
        "JA3": 1,
        "IPv4": 11
      },
      "indicator_count": 18420,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 74,
      "modified_text": "8 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f30ef4033560d49d39ac55",
      "name": "VirusTotal report\n                    for executable.exe",
      "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
      "modified": "2026-05-30T09:04:01.553000",
      "created": "2026-04-30T08:12:36.771000",
      "tags": [
        "wifi password",
        "joe security",
        "nextron",
        "new run",
        "key pointing",
        "run key",
        "roth",
        "markus neis",
        "sander wiebing",
        "poudel",
        "public",
        "appdata"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1069,
        "FileHash-SHA1": 868,
        "FileHash-SHA256": 2783,
        "URL": 764,
        "hostname": 756,
        "domain": 293,
        "email": 44,
        "CVE": 44
      },
      "indicator_count": 6621,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f2dc7e076cbfe2d0f7eb90",
      "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
      "description": "",
      "modified": "2026-05-30T00:28:12.957000",
      "created": "2026-04-30T04:37:18.870000",
      "tags": [
        "united",
        "as397240",
        "search",
        "showing",
        "as54113",
        "as397241",
        "unknown",
        "moved",
        "creation date",
        "record value",
        "next",
        "date",
        "body",
        "a domains",
        "passive dns",
        "formbook cnc",
        "checkin",
        "entries",
        "github pages",
        "sea x",
        "accept",
        "status",
        "name servers",
        "certificate",
        "urls",
        "aaaa",
        "cname",
        "meta",
        "whitelisted ip",
        "address",
        "location united",
        "asn as36459",
        "github",
        "less whois",
        "registrar",
        "markmonitor",
        "related tags",
        "as36459",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "pulse pulses",
        "files",
        "ninite",
        "expiration date",
        "domain",
        "hostname",
        "sha256",
        "sha1",
        "ascii text",
        "pattern match",
        "document file",
        "v2 document",
        "utf8",
        "crlf line",
        "beginstring",
        "size",
        "null",
        "hybrid",
        "refresh",
        "span",
        "local",
        "click",
        "strings",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "contact",
        "url https",
        "tulach type",
        "role title",
        "added active",
        "pulses url",
        "url http",
        "nextc type",
        "type indicator",
        "related pulses",
        "filehashsha256",
        "copyright",
        "ipv6",
        "germany",
        "italy",
        "trojan",
        "trojanspy",
        "worm",
        "trojanclicker",
        "virtool",
        "service",
        "linux x8664",
        "khtml",
        "gecko",
        "veryhigh",
        "redirect",
        "httpsupgrades",
        "collisionbox",
        "runner",
        "gameoverpanel",
        "trex",
        "orgtechhandle",
        "orgtechref",
        "director",
        "university",
        "nethandle",
        "net168",
        "net1680000",
        "ucha",
        "orgid",
        "east",
        "report spam",
        "as8075",
        "servers",
        "secure server",
        "error all",
        "typeof",
        "error f",
        "crazy doll",
        "created",
        "filehashmd5",
        "types of",
        "russia",
        "emotet type",
        "mirai type",
        "mirai",
        "mtb description",
        "win32 type",
        "as31034 aruba",
        "italy unknown",
        "as19527 google",
        "encrypt",
        "health type",
        "miori hackers",
        "brute force",
        "backdoor",
        "aurora",
        "ip address",
        "path",
        "unis",
        "dotcisoffer",
        "bladabindi",
        "artro",
        "script urls",
        "as46606",
        "brazil unknown",
        "as11284",
        "as10906",
        "apache",
        "lanc type",
        "telper",
        "win32",
        "win64",
        "pulses email",
        "as9009 m247",
        "as7296 alchemy",
        "as14061",
        "as16276",
        "trojandropper",
        "ransom",
        "mtb sep",
        "msie",
        "chrome",
        "ip check",
        "gmt content",
        "pulse submit",
        "url analysis",
        "files ip",
        "aaaa nxdomain",
        "nxdomain",
        "a nxdomain",
        "as22612",
        "dnssec",
        "meta http",
        "accept encoding",
        "request id",
        "united kingdom",
        "div div",
        "arial helvetica",
        "emails",
        "as15169 google",
        "cryp",
        "gmt cache",
        "sameorigin",
        "domain name",
        "code",
        "false",
        "command type",
        "roleselfservice",
        "mcig sep",
        "all search",
        "author avatar",
        "days ago",
        "http",
        "related nids",
        "files location",
        "as30081",
        "gmt contenttype",
        "mozilla",
        "as15133 verizon",
        "whitelisted",
        "meta name",
        "robots content",
        "x ua",
        "ieedge chrome1",
        "incapsula",
        "request",
        "softcnapp",
        "overview ip",
        "flag united",
        "files related",
        "as62597 nsone",
        "as31898 oracle",
        "mtb aug",
        "class",
        "twitter",
        "april",
        "secure",
        "httponly",
        "expiresthu",
        "pragma",
        "as13414 twitter",
        "smoke loader",
        "reverse dns",
        "asnone united",
        "idlogin sep",
        "uid38009",
        "expiration",
        "hack type",
        "porn type"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Italy",
        "Aruba"
      ],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Artro",
          "display_name": "Artro",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "66fc29a49b5ac693c8d75122",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3851,
        "FileHash-MD5": 6012,
        "FileHash-SHA1": 5906,
        "domain": 3330,
        "email": 33,
        "hostname": 4231,
        "CVE": 2,
        "FileHash-SHA256": 8407,
        "CIDR": 2,
        "SSLCertFingerprint": 7
      },
      "indicator_count": 31781,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a100da2ce3632643bb34072",
      "name": "Research part 4 * CAPE Sandbox",
      "description": "undefined.",
      "modified": "2026-05-24T05:56:20.777000",
      "created": "2026-05-22T08:02:42.736000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 102,
        "FileHash-MD5": 27,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 1,
        "URL": 244,
        "domain": 203,
        "hostname": 137,
        "IPv6": 179,
        "email": 10
      },
      "indicator_count": 906,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "7 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69eae966e2994ca9410416e7",
      "name": "CAPE Sandbox - Watson",
      "description": "[full list of details about Akamai, the web hosting company, that has been abused on the internet for more than 20 years.. and the names of its users have been published.] pretext. Watson frequents. wizard8.",
      "modified": "2026-05-24T05:16:16.520000",
      "created": "2026-04-24T03:54:14.835000",
      "tags": [
        "akamai",
        "city",
        "noc united",
        "orgid",
        "akamai ref",
        "net23",
        "net230000",
        "cidr",
        "orgabusehandle",
        "orgtechhandle"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 382,
        "FileHash-SHA1": 361,
        "FileHash-SHA256": 1250,
        "URL": 1436,
        "domain": 425,
        "hostname": 783,
        "CIDR": 1,
        "email": 29,
        "CVE": 1,
        "URI": 2
      },
      "indicator_count": 4670,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "7 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a126fcffc60a71dfab01f24",
      "name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
      "description": "",
      "modified": "2026-05-24T03:32:22.109000",
      "created": "2026-05-24T03:26:07.144000",
      "tags": [
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "headers",
        "expired",
        "acceptencoding",
        "html info",
        "title home",
        "tags viewport",
        "trackers google",
        "tag manager",
        "gsddf3d2bzf",
        "historical ssl",
        "referrer",
        "december",
        "formbook",
        "round",
        "apple ios",
        "tsara brashears",
        "unlocker",
        "collection",
        "vt graph",
        "socgholish",
        "blister",
        "hacktool",
        "hiddentear",
        "gootloader",
        "agent tesla",
        "crypto",
        "installer",
        "life",
        "malware",
        "open",
        "korplug",
        "tofsee",
        "date",
        "name servers",
        "status",
        "passive dns",
        "urls",
        "scan endpoints",
        "all scoreblue",
        "pulse submit",
        "url analysis",
        "files",
        "no data",
        "tag count",
        "analyzer threat",
        "ip summary",
        "url summary",
        "summary",
        "sample",
        "samples",
        "detection list",
        "heur",
        "cisco umbrella",
        "alexa top",
        "million",
        "site",
        "alexa",
        "maltiverse",
        "xcnfe",
        "safe site",
        "phishing",
        "remcos",
        "malicious",
        "miner",
        "bank",
        "agenttesla",
        "agent",
        "unknown",
        "downloader",
        "unsafe",
        "trojan",
        "detplock",
        "artemis",
        "networm",
        "win64",
        "redline stealer",
        "limerat",
        "venom rat",
        "trojanspy",
        "tld count",
        "png image",
        "jpeg image",
        "rgba",
        "exif standard",
        "tiff image",
        "pattern match",
        "ascii text",
        "united",
        "jfif",
        "sha1",
        "core",
        "general",
        "starfield",
        "hybrid",
        "local",
        "encrypt",
        "click",
        "strings",
        "adobea",
        "daga",
        "as30148 sucuri",
        "td tr",
        "search",
        "span td",
        "as44273 host",
        "creation date",
        "a domains",
        "xtra",
        "meta",
        "back",
        "verdict",
        "domain",
        "aaaa",
        "as15169 google",
        "asnone united",
        "nxdomain",
        "sucuri security",
        "a li",
        "span",
        "class",
        "body",
        "sucuri website",
        "a div",
        "authority",
        "record value",
        "showing",
        "gmt content",
        "x sucuri",
        "high",
        "related pulses",
        "show",
        "guard",
        "entries",
        "win32",
        "west domains",
        "next",
        "ipv4",
        "asnone germany",
        "object",
        "com cnt",
        "dem fin",
        "gov int",
        "nav onl",
        "phy pre",
        "formbook cnc",
        "checkin",
        "found",
        "error",
        "code",
        "create c",
        "read c",
        "delete",
        "write",
        "default",
        "dock",
        "execution",
        "copy",
        "xport",
        "firewall",
        "body doctype",
        "section",
        "dcrat",
        "analyzer paste",
        "iocs",
        "hostnames",
        "url https",
        "blacklist",
        "cl0p ransomware",
        "zbot",
        "malware site",
        "team memscan",
        "cl0p",
        "algorithm",
        "data",
        "v3 serial",
        "number",
        "cus starizona",
        "cngo daddy",
        "g2 validity",
        "subject public",
        "key info",
        "certificate",
        "whois lookup",
        "netrange",
        "nethandle",
        "net192",
        "net1920000",
        "as174",
        "as3257",
        "sucuri",
        "sucur2",
        "verisign",
        "whois database",
        "server",
        "registrar abuse",
        "icann whois",
        "whois status",
        "registrar iana",
        "form",
        "temple",
        "first",
        "android",
        "win32 exe",
        "html",
        "bobby fischer",
        "office open",
        "detections type",
        "name",
        "pdf dealer",
        "price list",
        "pdf my",
        "crime",
        "taiwan unknown",
        "as3462",
        "as131148 bank",
        "as21342",
        "all search",
        "otx scoreblue",
        "pulse pulses",
        "cname",
        "as22612",
        "as43350 nforce",
        "win32upatre jun",
        "expiration date",
        "hostname",
        "lowfi",
        "date hash",
        "avast avg",
        "date checked",
        "url hostname",
        "server response",
        "google safe",
        "results jun",
        "files show",
        "registrar",
        "china unknown",
        "title",
        "network",
        "fakedout threat",
        "urls http",
        "maltiverse safe",
        "malicious url",
        "team",
        "phishtank",
        "services",
        "botnet command",
        "control server",
        "mining",
        "betabot",
        "team malware",
        "engineering",
        "stealer",
        "service",
        "vawtrak",
        "virut",
        "emotet",
        "simda",
        "redline",
        "fri oct",
        "media sharing",
        "known infection source",
        "bot networks",
        "malware",
        "malware repository",
        "spyware"
      ],
      "references": [
        "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
        "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
        "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
        "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
        "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
        "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
        "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
        "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
        "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
        "IP\u2019s Contacted: 192.124.249.187",
        "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
        "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk  antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
        "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
        "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
        "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
        "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Cl0p",
          "display_name": "Cl0p",
          "target": null
        },
        {
          "id": "RedLine",
          "display_name": "RedLine",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "6688e0ffb31d4881f3238713",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 4130,
        "URL": 11958,
        "hostname": 4644,
        "domain": 4304,
        "FileHash-MD5": 2256,
        "FileHash-SHA1": 1161,
        "CVE": 8,
        "SSLCertFingerprint": 20,
        "email": 8,
        "CIDR": 1,
        "IPv6": 4,
        "IPv4": 6
      },
      "indicator_count": 28500,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "7 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a126fcc3620af2edeb95e57",
      "name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
      "description": "",
      "modified": "2026-05-24T03:26:04.439000",
      "created": "2026-05-24T03:26:04.439000",
      "tags": [
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "headers",
        "expired",
        "acceptencoding",
        "html info",
        "title home",
        "tags viewport",
        "trackers google",
        "tag manager",
        "gsddf3d2bzf",
        "historical ssl",
        "referrer",
        "december",
        "formbook",
        "round",
        "apple ios",
        "tsara brashears",
        "unlocker",
        "collection",
        "vt graph",
        "socgholish",
        "blister",
        "hacktool",
        "hiddentear",
        "gootloader",
        "agent tesla",
        "crypto",
        "installer",
        "life",
        "malware",
        "open",
        "korplug",
        "tofsee",
        "date",
        "name servers",
        "status",
        "passive dns",
        "urls",
        "scan endpoints",
        "all scoreblue",
        "pulse submit",
        "url analysis",
        "files",
        "no data",
        "tag count",
        "analyzer threat",
        "ip summary",
        "url summary",
        "summary",
        "sample",
        "samples",
        "detection list",
        "heur",
        "cisco umbrella",
        "alexa top",
        "million",
        "site",
        "alexa",
        "maltiverse",
        "xcnfe",
        "safe site",
        "phishing",
        "remcos",
        "malicious",
        "miner",
        "bank",
        "agenttesla",
        "agent",
        "unknown",
        "downloader",
        "unsafe",
        "trojan",
        "detplock",
        "artemis",
        "networm",
        "win64",
        "redline stealer",
        "limerat",
        "venom rat",
        "trojanspy",
        "tld count",
        "png image",
        "jpeg image",
        "rgba",
        "exif standard",
        "tiff image",
        "pattern match",
        "ascii text",
        "united",
        "jfif",
        "sha1",
        "core",
        "general",
        "starfield",
        "hybrid",
        "local",
        "encrypt",
        "click",
        "strings",
        "adobea",
        "daga",
        "as30148 sucuri",
        "td tr",
        "search",
        "span td",
        "as44273 host",
        "creation date",
        "a domains",
        "xtra",
        "meta",
        "back",
        "verdict",
        "domain",
        "aaaa",
        "as15169 google",
        "asnone united",
        "nxdomain",
        "sucuri security",
        "a li",
        "span",
        "class",
        "body",
        "sucuri website",
        "a div",
        "authority",
        "record value",
        "showing",
        "gmt content",
        "x sucuri",
        "high",
        "related pulses",
        "show",
        "guard",
        "entries",
        "win32",
        "west domains",
        "next",
        "ipv4",
        "asnone germany",
        "object",
        "com cnt",
        "dem fin",
        "gov int",
        "nav onl",
        "phy pre",
        "formbook cnc",
        "checkin",
        "found",
        "error",
        "code",
        "create c",
        "read c",
        "delete",
        "write",
        "default",
        "dock",
        "execution",
        "copy",
        "xport",
        "firewall",
        "body doctype",
        "section",
        "dcrat",
        "analyzer paste",
        "iocs",
        "hostnames",
        "url https",
        "blacklist",
        "cl0p ransomware",
        "zbot",
        "malware site",
        "team memscan",
        "cl0p",
        "algorithm",
        "data",
        "v3 serial",
        "number",
        "cus starizona",
        "cngo daddy",
        "g2 validity",
        "subject public",
        "key info",
        "certificate",
        "whois lookup",
        "netrange",
        "nethandle",
        "net192",
        "net1920000",
        "as174",
        "as3257",
        "sucuri",
        "sucur2",
        "verisign",
        "whois database",
        "server",
        "registrar abuse",
        "icann whois",
        "whois status",
        "registrar iana",
        "form",
        "temple",
        "first",
        "android",
        "win32 exe",
        "html",
        "bobby fischer",
        "office open",
        "detections type",
        "name",
        "pdf dealer",
        "price list",
        "pdf my",
        "crime",
        "taiwan unknown",
        "as3462",
        "as131148 bank",
        "as21342",
        "all search",
        "otx scoreblue",
        "pulse pulses",
        "cname",
        "as22612",
        "as43350 nforce",
        "win32upatre jun",
        "expiration date",
        "hostname",
        "lowfi",
        "date hash",
        "avast avg",
        "date checked",
        "url hostname",
        "server response",
        "google safe",
        "results jun",
        "files show",
        "registrar",
        "china unknown",
        "title",
        "network",
        "fakedout threat",
        "urls http",
        "maltiverse safe",
        "malicious url",
        "team",
        "phishtank",
        "services",
        "botnet command",
        "control server",
        "mining",
        "betabot",
        "team malware",
        "engineering",
        "stealer",
        "service",
        "vawtrak",
        "virut",
        "emotet",
        "simda",
        "redline",
        "fri oct",
        "media sharing",
        "known infection source",
        "bot networks",
        "malware",
        "malware repository",
        "spyware"
      ],
      "references": [
        "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
        "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
        "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
        "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
        "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
        "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
        "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
        "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
        "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
        "IP\u2019s Contacted: 192.124.249.187",
        "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
        "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk  antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
        "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
        "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
        "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
        "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Cl0p",
          "display_name": "Cl0p",
          "target": null
        },
        {
          "id": "RedLine",
          "display_name": "RedLine",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "6688e0ffb31d4881f3238713",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 4080,
        "URL": 11952,
        "hostname": 4638,
        "domain": 4301,
        "FileHash-MD5": 2236,
        "FileHash-SHA1": 1140,
        "CVE": 8,
        "SSLCertFingerprint": 20,
        "email": 8,
        "CIDR": 1
      },
      "indicator_count": 28384,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "7 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0ff878b8d1717e395e0d0a",
      "name": "Research part 4 * CAPE Sandbox",
      "description": "A Cuckoo has been running on a KVM operating system for the next two years. \u00c2\u00a31.5m.. and   \u00e2\u201a\u00ac1m",
      "modified": "2026-05-23T03:58:21.402000",
      "created": "2026-05-22T06:32:24.666000",
      "tags": [
        "default",
        "nothing",
        "file execution",
        "registry keys",
        "inprocserver32",
        "server",
        "parent pid",
        "full path",
        "command line",
        "files c",
        "cname",
        "accept",
        "ip address",
        "cape sandbox",
        "found",
        "center",
        "http",
        "port",
        "shutdown",
        "title",
        "performs dns",
        "mitre attack",
        "network info",
        "processes extra",
        "sigma",
        "t1055 process",
        "overview",
        "overview zenbox",
        "verdict",
        "guest system",
        "defense evasion",
        "next",
        "win1",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "acrongl integ",
        "adc4240758",
        "angsana new",
        "bootkit",
        "back",
        "p2404",
        "host",
        "cultureneutral",
        "p11750170564",
        "shell folders",
        "systemroot",
        "gmt range",
        "guard",
        "pe file",
        "file type",
        "creates",
        "extra info",
        "sample",
        "contains",
        "aslr",
        "binary",
        "command",
        "malicious"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/91031d16ab93fe5d7f8dc7a55b4bbb8e23742c774ad467f67e2e1681e5439fb9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431033&Signature=tDkjksSltx3F6MPqpr8Xf%2BIAVxBBNNTifbGimbXIX5DCrLCZugVQF%2B7kCV%2BJ3RQ1lKt1eMcfTaQ3FUvgjt7%2F3uEgdHY390sywG9OdYe2HZMJHg%2BYNxsAIe8n7UIa22pLVZNqhDSymVa0VyJAEZb8B2t7gNdGsBLQKQ7GyJ2iYAz4NklXYQPVUZoWObKt0eggHoV3wJUWM%2BQKxWSnPP6HQ8wusnitHIEqxdfckeRTMZR9zlIg31",
        "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431302&Signature=VN0Lo6N8srKzgIyGy%2B2YBOQ%2BngCQJsbj8jycOiDUs3CpGIyP8pZyyC326od%2FfI41dky2kAUXq4L2f1AHLLukNksIcompwOACdBTaq%2B6r%2FyNhhrsOVLiVCA4wkuZX%2Bjz5eRA8KhG7BcGA1Z8ERy3OYr1b5gS4cUton8nwnqvSE7ZH6dFOkbdhFiX%2FwmTQbOzFCCqJWT0%2FJJZQaXyWSitlkG3IN8RyMOUpjxyT9fwh51%2FT",
        "https://vtbehaviour.commondatastorage.googleapis.com/f26944950ccf7fd4422662d575c0b3698670e1b19d76fe386c20058ea4ea991f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431338&Signature=FoZZNyxGwBJKtHZSxcj9EHaeRdEMbmfNE6I04ld5vuYz8v2b9G%2Bwt0JlXl6N1uR2a9k4YqZln0HWuPEsYhjLjy3e465eqqg1UIPsLLqvH%2BmT7ox8n7TU%2B54qFOkQtrqoj3cO%2BSeZXnlXHOzxx9rdozltX%2FZ%2BOw1i5z%2FzvLy%2FlI3NhUcyIPbiD3yhM6DqHS%2Fyt7x5bhd5cz18yhPyQq7CNoW%2Fx%2B5aj4d6lWRgPVoBfaoqi33C",
        "https://vtbehaviour.commondatastorage.googleapis.com/c915c30bfba565e05ccdea80427ffcba415831161e38e81eccbc893e8eb0bf83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431449&Signature=PDRco%2B36G08WhkVripJBX%2FKsew%2Fqdtv%2BE4v4qZ%2BxTtqIWv%2BbUShaZJk4oroxSc0hAtyIuEAY0Fl7s%2FjNS%2FYPoQ1iU9EMWYaxvd0Sl1%2F%2BEc%2Foq9dc3YP5F0muq56mEXdREOlePA54%2BObbmwRbWR4mwAkK%2FuAkYzpAtJKkLJRZ6GQ0sbyCC5VdaAT3OMhtFkTKCtx5Wk2ZTdGZT5ASe3hD4xmg219rX3t5uV8j",
        "https://vtbehaviour.commondatastorage.googleapis.com/00185697c0de6262fafba95770b1dd85ddbcdc8b5945d517457be2fb3e6908c1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431564&Signature=x%2BpjgWuHJOMK96wkAkxWnO%2BvWXDtko8QpNc0JQs9qrmHA1DtI9OB1F4jxixqRaySdJpP0JpTJK%2BRxE8sVad9wh3wtqgIhtbiihOX2%2FXHa7ukyAZOuMkh8fVLwIUVkxrObXKFDv8CiRAzdRemUPxSH%2FYmbOPY2eYs7UbUQp%2B93VYGCAMTuaztTey%2F1T8DM1tWLfxE5nKn3j7VigVpXMi8228oo%2B7ofaOVz3A%2FZKMZ1gKD",
        "https://vtbehaviour.commondatastorage.googleapis.com/00185697c0de6262fafba95770b1dd85ddbcdc8b5945d517457be2fb3e6908c1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431586&Signature=mg5jUjSQG5fVQ2idj9wgQGE6D7neQXnBJ4xAD50pgEFgszvmZvrLrvz5RjR00uX4f7Gs2afv8MUs272SCXfylMEo1EhlVujdxecw4%2Ftn9jdYUfSDpqu0quw4dkL1YXviPoAcCJLaKrrvBsQMT468PPk4VwiDZbq2JNrZZwt1qXHmZFe3X5CHabJJE0ORZBwBH0jMYUE%2BWIvGzkZ%2Bul4ufi3xgsgA%2BoN0jUlIddwaoZA4eQeYVlQ388DLeonSjl"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 194,
        "FileHash-SHA1": 212,
        "FileHash-SHA256": 412,
        "IPv4": 297,
        "URL": 840,
        "domain": 343,
        "hostname": 541,
        "CIDR": 6,
        "email": 23,
        "IPv6": 176,
        "CVE": 4
      },
      "indicator_count": 3048,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "8 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a101c7ae1db7f51d289dda5",
      "name": "Credit: scoreblue [RVA Entry | Apple remote unlocking| Emotet | Redline] clone",
      "description": "",
      "modified": "2026-05-22T09:06:02.865000",
      "created": "2026-05-22T09:06:02.865000",
      "tags": [
        "ssl certificate",
        "whois record",
        "historical ssl",
        "resolutions",
        "referrer",
        "communicating",
        "siblings",
        "file",
        "hell",
        "lenovo tablet",
        "name servers",
        "as714 apple",
        "united",
        "creation date",
        "search",
        "servers",
        "date",
        "moved",
        "certificate",
        "passive dns",
        "body",
        "historical",
        "collections",
        "contacted",
        "strange",
        "no data",
        "tag count",
        "threat report",
        "ip summary",
        "url summary",
        "summary",
        "sample",
        "samples",
        "detection list",
        "blacklist",
        "blacklist http",
        "cisco umbrella",
        "site",
        "safe site",
        "alexa top",
        "malicious site",
        "malware site",
        "phishing site",
        "million",
        "malware",
        "http attacker",
        "ip address",
        "algorithm",
        "v3 serial",
        "number",
        "ist ca",
        "g1 validity",
        "public key",
        "info",
        "key algorithm",
        "ec oid",
        "key identifier",
        "first",
        "team alexa",
        "downloader",
        "wed apr",
        "alexa",
        "pony",
        "name verdict",
        "pattern match",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "misc attack",
        "script",
        "beginstring",
        "mitre att",
        "null",
        "unknown",
        "span",
        "error",
        "class",
        "generator",
        "critical",
        "meta",
        "hybrid",
        "general",
        "local",
        "click",
        "strings",
        "refresh",
        "tools",
        "malicious url",
        "hostname",
        "hostnames",
        "phishing",
        "union",
        "team",
        "bank",
        "unsafe",
        "spammer",
        "node tcp",
        "traffic",
        "attacker",
        "tor known",
        "tor relayrouter",
        "jul jan",
        "mon sep",
        "heur",
        "artemis",
        "iframe",
        "conduit",
        "crack",
        "riskware",
        "opencandy",
        "cleaner",
        "exploit",
        "downldr",
        "presenoker",
        "wacatac",
        "agent",
        "fusioncore",
        "applicunwnt",
        "acint",
        "nircmd",
        "swrort",
        "systweak",
        "behav",
        "tiggre",
        "genkryptik",
        "filetour",
        "generic",
        "patcher",
        "driverpack",
        "xtrat",
        "softcnapp",
        "cyber threat",
        "dns server",
        "http spammer",
        "host",
        "download",
        "asyncrat",
        "cobalt strike",
        "apple",
        "urls http",
        "368600",
        "320700",
        "dc1542721039132",
        "subdomains",
        "noname057",
        "tld count",
        "urls",
        "blacklist https",
        "engineering",
        "singapore",
        "phishtank",
        "suppobox",
        "bambernek",
        "facebook",
        "zbot",
        "malicious",
        "zeus",
        "emotet",
        "ransomware",
        "nymaim",
        "redline stealer",
        "service",
        "virut",
        "kraken",
        "keybase",
        "stealer",
        "hawkeye",
        "tinba",
        "mirai",
        "nanocore",
        "bradesco",
        "cve201711882",
        "ip detections",
        "country",
        "83500",
        "1602192580242",
        "1602192586217",
        "blog",
        "1602192588844",
        "1602192624796",
        "303300",
        "vhash",
        "authentihash",
        "ssdeep",
        "file type",
        "win32 exe",
        "magic pe32",
        "ms windows",
        "intel",
        "trid windows",
        "control panel",
        "file version",
        "copyright",
        "product",
        "description",
        "original name",
        "internal name",
        "rticon neutral",
        "chi2",
        "contained",
        "details module",
        "version id",
        "typelib id",
        "header target",
        "machine intel",
        "utc entry",
        "point",
        "count blacklist",
        "tag tag",
        "dot net",
        "assembly common",
        "clr version",
        "assembly name",
        "address",
        "assembly",
        "rva entry",
        "streams size",
        "entropy chi2",
        "guid",
        "applenoc",
        "showing",
        "record value",
        "scan endpoints",
        "all search",
        "as20940",
        "as16625 akamai",
        "status",
        "cname",
        "china",
        "as136907 huawei",
        "nanjing",
        "as2914 ntt",
        "america",
        "as7843 charter",
        "as6461 zayo",
        "domain",
        "p155-fmfmobile.icloud.com",
        "t-mobile",
        "metro t-mobile",
        "metro",
        "metroby",
        "social engineering",
        "happywifehappylife",
        "bot",
        "darknet service",
        "tsara brashears",
        "jeffrey reimer",
        "pixelrz",
        "yandex",
        "cp",
        "cyber",
        "red team",
        "framing",
        "qwest",
        "cybercrime",
        "cyber threat",
        "sha256",
        "runtime process",
        "sha1",
        "size",
        "windows nt",
        "indicator",
        "svg scalable",
        "accept",
        "unis",
        "buttons",
        "overwrite",
        "format",
        "spyware",
        "heodo",
        "fri nov",
        "installcore",
        "installpack",
        "win64",
        "fakealert",
        "dropper",
        "fakeinstaller",
        "spyrixkeylogger",
        "bitminer",
        "loadmoney",
        "dapato",
        "networm",
        "mediaget",
        "softonic",
        "trojan",
        "encpk",
        "qbot",
        "predator",
        "kraddare",
        "iobit",
        "dllinject",
        "psexec",
        "occamy",
        "brontok",
        "zpevdo",
        "startpage",
        "keygen",
        "fareit",
        "secrisk",
        "unruy",
        "floxif",
        "adload",
        "et cins",
        "active threat",
        "reputation ip",
        "threats et",
        "cins active",
        "poor reputation",
        "ip tcp",
        "privacy admin",
        "privacy tech",
        "com laude",
        "redacted for",
        "server",
        "priority",
        "email",
        "organization",
        "city",
        "cnapple public",
        "server rsa",
        "stcalifornia",
        "cnapple ist",
        "identity search",
        "group",
        "issuer criteria",
        "type",
        "ilike search",
        "id logged",
        "valid",
        "no no",
        "no na",
        "ip security",
        "apple",
        "limited",
        "ca id",
        "lsalford",
        "ocomodo ca",
        "code signing",
        "mozilla",
        "android",
        "memory checks",
        "dotnet_encrypted",
        "multi family rat detection",
        "malware_win_zgrat"
      ],
      "references": [
        "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
        "p155-fmfmobile.icloud.com",
        "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com'  monitoring targeted apple device\u2193",
        "developer.huawei.com",
        "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
        "http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
        "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
        "fmfmobile.fe.apple-dns.net",
        "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
        "http://notredamewormhoutnet.appleid.com/",
        "news-publisher.pictures",
        "applestore.net",
        "airinthemorning.net",
        "http://certs.apple.com/appleistca2g1_bc.cer",
        "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
        "https://dc-mx.d3525d602ca2.pixelrz.com",
        "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
        "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
        "http://pixelrz.com/lists/keywords/tsara-brashears-dead    (unconfirmed death)",
        "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/    (unconfirmed crime)",
        "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/   (confirmed transactional agreement)",
        "http://pixelrz.com/lists/suggestions/rs485-arduino/",
        "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/  ( badgering. libel)",
        "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer  (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
        "http://hidden-camera-public-nudity.tubesporno.com  (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
        "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
        "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
        "Resource: https://crt.sh/?q=privaterelay.appleid.com",
        "\u2193Command and Control \u2193",
        "CNC IPv4:  107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
        "CNC Hostname:  urlspirit.spiritsoft.cn",
        "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022  52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
        "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
        "Resource: https://urlscan.io/domain/privaterelay.appleid.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Systweak",
          "display_name": "Systweak",
          "target": null
        },
        {
          "id": "Swrort",
          "display_name": "Swrort",
          "target": null
        },
        {
          "id": "Tinba",
          "display_name": "Tinba",
          "target": null
        },
        {
          "id": "XRat",
          "display_name": "XRat",
          "target": null
        },
        {
          "id": "Zbot",
          "display_name": "Zbot",
          "target": null
        },
        {
          "id": "Zeus",
          "display_name": "Zeus",
          "target": null
        },
        {
          "id": "Tiggre",
          "display_name": "Tiggre",
          "target": null
        },
        {
          "id": "FusionCore",
          "display_name": "FusionCore",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Virus:DOS/Nanjing",
          "display_name": "Virus:DOS/Nanjing",
          "target": "/malware/Virus:DOS/Nanjing"
        },
        {
          "id": "nircmd",
          "display_name": "nircmd",
          "target": null
        },
        {
          "id": "noname057",
          "display_name": "noname057",
          "target": null
        },
        {
          "id": "BlackNET",
          "display_name": "BlackNET",
          "target": null
        },
        {
          "id": "SuppoBox",
          "display_name": "SuppoBox",
          "target": null
        },
        {
          "id": "Softcnapp",
          "display_name": "Softcnapp",
          "target": null
        },
        {
          "id": "Union",
          "display_name": "Union",
          "target": null
        },
        {
          "id": "Bambernek",
          "display_name": "Bambernek",
          "target": null
        },
        {
          "id": "Kraddare",
          "display_name": "Kraddare",
          "target": null
        },
        {
          "id": "Networm",
          "display_name": "Networm",
          "target": null
        },
        {
          "id": "trojan.agensla/msil",
          "display_name": "trojan.agensla/msil",
          "target": null
        },
        {
          "id": "Win:ZGRAT",
          "display_name": "Win:ZGRAT",
          "target": null
        },
        {
          "id": "Wacatac.",
          "display_name": "Wacatac.",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1071.003",
          "name": "Mail Protocols",
          "display_name": "T1071.003 - Mail Protocols"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "656a9718ac97804d782cc16b",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1220,
        "FileHash-SHA1": 613,
        "FileHash-SHA256": 5010,
        "URL": 13617,
        "hostname": 3699,
        "domain": 2783,
        "email": 11,
        "CVE": 23,
        "CIDR": 2
      },
      "indicator_count": 26978,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "9 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a101c79879732a433f4bd41",
      "name": "Credit: scoreblue [RVA Entry | Apple remote unlocking| Emotet | Redline] clone",
      "description": "",
      "modified": "2026-05-22T09:06:01.013000",
      "created": "2026-05-22T09:06:01.013000",
      "tags": [
        "ssl certificate",
        "whois record",
        "historical ssl",
        "resolutions",
        "referrer",
        "communicating",
        "siblings",
        "file",
        "hell",
        "lenovo tablet",
        "name servers",
        "as714 apple",
        "united",
        "creation date",
        "search",
        "servers",
        "date",
        "moved",
        "certificate",
        "passive dns",
        "body",
        "historical",
        "collections",
        "contacted",
        "strange",
        "no data",
        "tag count",
        "threat report",
        "ip summary",
        "url summary",
        "summary",
        "sample",
        "samples",
        "detection list",
        "blacklist",
        "blacklist http",
        "cisco umbrella",
        "site",
        "safe site",
        "alexa top",
        "malicious site",
        "malware site",
        "phishing site",
        "million",
        "malware",
        "http attacker",
        "ip address",
        "algorithm",
        "v3 serial",
        "number",
        "ist ca",
        "g1 validity",
        "public key",
        "info",
        "key algorithm",
        "ec oid",
        "key identifier",
        "first",
        "team alexa",
        "downloader",
        "wed apr",
        "alexa",
        "pony",
        "name verdict",
        "pattern match",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "misc attack",
        "script",
        "beginstring",
        "mitre att",
        "null",
        "unknown",
        "span",
        "error",
        "class",
        "generator",
        "critical",
        "meta",
        "hybrid",
        "general",
        "local",
        "click",
        "strings",
        "refresh",
        "tools",
        "malicious url",
        "hostname",
        "hostnames",
        "phishing",
        "union",
        "team",
        "bank",
        "unsafe",
        "spammer",
        "node tcp",
        "traffic",
        "attacker",
        "tor known",
        "tor relayrouter",
        "jul jan",
        "mon sep",
        "heur",
        "artemis",
        "iframe",
        "conduit",
        "crack",
        "riskware",
        "opencandy",
        "cleaner",
        "exploit",
        "downldr",
        "presenoker",
        "wacatac",
        "agent",
        "fusioncore",
        "applicunwnt",
        "acint",
        "nircmd",
        "swrort",
        "systweak",
        "behav",
        "tiggre",
        "genkryptik",
        "filetour",
        "generic",
        "patcher",
        "driverpack",
        "xtrat",
        "softcnapp",
        "cyber threat",
        "dns server",
        "http spammer",
        "host",
        "download",
        "asyncrat",
        "cobalt strike",
        "apple",
        "urls http",
        "368600",
        "320700",
        "dc1542721039132",
        "subdomains",
        "noname057",
        "tld count",
        "urls",
        "blacklist https",
        "engineering",
        "singapore",
        "phishtank",
        "suppobox",
        "bambernek",
        "facebook",
        "zbot",
        "malicious",
        "zeus",
        "emotet",
        "ransomware",
        "nymaim",
        "redline stealer",
        "service",
        "virut",
        "kraken",
        "keybase",
        "stealer",
        "hawkeye",
        "tinba",
        "mirai",
        "nanocore",
        "bradesco",
        "cve201711882",
        "ip detections",
        "country",
        "83500",
        "1602192580242",
        "1602192586217",
        "blog",
        "1602192588844",
        "1602192624796",
        "303300",
        "vhash",
        "authentihash",
        "ssdeep",
        "file type",
        "win32 exe",
        "magic pe32",
        "ms windows",
        "intel",
        "trid windows",
        "control panel",
        "file version",
        "copyright",
        "product",
        "description",
        "original name",
        "internal name",
        "rticon neutral",
        "chi2",
        "contained",
        "details module",
        "version id",
        "typelib id",
        "header target",
        "machine intel",
        "utc entry",
        "point",
        "count blacklist",
        "tag tag",
        "dot net",
        "assembly common",
        "clr version",
        "assembly name",
        "address",
        "assembly",
        "rva entry",
        "streams size",
        "entropy chi2",
        "guid",
        "applenoc",
        "showing",
        "record value",
        "scan endpoints",
        "all search",
        "as20940",
        "as16625 akamai",
        "status",
        "cname",
        "china",
        "as136907 huawei",
        "nanjing",
        "as2914 ntt",
        "america",
        "as7843 charter",
        "as6461 zayo",
        "domain",
        "p155-fmfmobile.icloud.com",
        "t-mobile",
        "metro t-mobile",
        "metro",
        "metroby",
        "social engineering",
        "happywifehappylife",
        "bot",
        "darknet service",
        "tsara brashears",
        "jeffrey reimer",
        "pixelrz",
        "yandex",
        "cp",
        "cyber",
        "red team",
        "framing",
        "qwest",
        "cybercrime",
        "cyber threat",
        "sha256",
        "runtime process",
        "sha1",
        "size",
        "windows nt",
        "indicator",
        "svg scalable",
        "accept",
        "unis",
        "buttons",
        "overwrite",
        "format",
        "spyware",
        "heodo",
        "fri nov",
        "installcore",
        "installpack",
        "win64",
        "fakealert",
        "dropper",
        "fakeinstaller",
        "spyrixkeylogger",
        "bitminer",
        "loadmoney",
        "dapato",
        "networm",
        "mediaget",
        "softonic",
        "trojan",
        "encpk",
        "qbot",
        "predator",
        "kraddare",
        "iobit",
        "dllinject",
        "psexec",
        "occamy",
        "brontok",
        "zpevdo",
        "startpage",
        "keygen",
        "fareit",
        "secrisk",
        "unruy",
        "floxif",
        "adload",
        "et cins",
        "active threat",
        "reputation ip",
        "threats et",
        "cins active",
        "poor reputation",
        "ip tcp",
        "privacy admin",
        "privacy tech",
        "com laude",
        "redacted for",
        "server",
        "priority",
        "email",
        "organization",
        "city",
        "cnapple public",
        "server rsa",
        "stcalifornia",
        "cnapple ist",
        "identity search",
        "group",
        "issuer criteria",
        "type",
        "ilike search",
        "id logged",
        "valid",
        "no no",
        "no na",
        "ip security",
        "apple",
        "limited",
        "ca id",
        "lsalford",
        "ocomodo ca",
        "code signing",
        "mozilla",
        "android",
        "memory checks",
        "dotnet_encrypted",
        "multi family rat detection",
        "malware_win_zgrat"
      ],
      "references": [
        "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
        "p155-fmfmobile.icloud.com",
        "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com'  monitoring targeted apple device\u2193",
        "developer.huawei.com",
        "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
        "http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
        "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
        "fmfmobile.fe.apple-dns.net",
        "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
        "http://notredamewormhoutnet.appleid.com/",
        "news-publisher.pictures",
        "applestore.net",
        "airinthemorning.net",
        "http://certs.apple.com/appleistca2g1_bc.cer",
        "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
        "https://dc-mx.d3525d602ca2.pixelrz.com",
        "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
        "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
        "http://pixelrz.com/lists/keywords/tsara-brashears-dead    (unconfirmed death)",
        "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/    (unconfirmed crime)",
        "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/   (confirmed transactional agreement)",
        "http://pixelrz.com/lists/suggestions/rs485-arduino/",
        "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/  ( badgering. libel)",
        "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer  (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
        "http://hidden-camera-public-nudity.tubesporno.com  (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
        "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
        "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
        "Resource: https://crt.sh/?q=privaterelay.appleid.com",
        "\u2193Command and Control \u2193",
        "CNC IPv4:  107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
        "CNC Hostname:  urlspirit.spiritsoft.cn",
        "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022  52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
        "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
        "Resource: https://urlscan.io/domain/privaterelay.appleid.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Systweak",
          "display_name": "Systweak",
          "target": null
        },
        {
          "id": "Swrort",
          "display_name": "Swrort",
          "target": null
        },
        {
          "id": "Tinba",
          "display_name": "Tinba",
          "target": null
        },
        {
          "id": "XRat",
          "display_name": "XRat",
          "target": null
        },
        {
          "id": "Zbot",
          "display_name": "Zbot",
          "target": null
        },
        {
          "id": "Zeus",
          "display_name": "Zeus",
          "target": null
        },
        {
          "id": "Tiggre",
          "display_name": "Tiggre",
          "target": null
        },
        {
          "id": "FusionCore",
          "display_name": "FusionCore",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Virus:DOS/Nanjing",
          "display_name": "Virus:DOS/Nanjing",
          "target": "/malware/Virus:DOS/Nanjing"
        },
        {
          "id": "nircmd",
          "display_name": "nircmd",
          "target": null
        },
        {
          "id": "noname057",
          "display_name": "noname057",
          "target": null
        },
        {
          "id": "BlackNET",
          "display_name": "BlackNET",
          "target": null
        },
        {
          "id": "SuppoBox",
          "display_name": "SuppoBox",
          "target": null
        },
        {
          "id": "Softcnapp",
          "display_name": "Softcnapp",
          "target": null
        },
        {
          "id": "Union",
          "display_name": "Union",
          "target": null
        },
        {
          "id": "Bambernek",
          "display_name": "Bambernek",
          "target": null
        },
        {
          "id": "Kraddare",
          "display_name": "Kraddare",
          "target": null
        },
        {
          "id": "Networm",
          "display_name": "Networm",
          "target": null
        },
        {
          "id": "trojan.agensla/msil",
          "display_name": "trojan.agensla/msil",
          "target": null
        },
        {
          "id": "Win:ZGRAT",
          "display_name": "Win:ZGRAT",
          "target": null
        },
        {
          "id": "Wacatac.",
          "display_name": "Wacatac.",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1071.003",
          "name": "Mail Protocols",
          "display_name": "T1071.003 - Mail Protocols"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "656a9718ac97804d782cc16b",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1220,
        "FileHash-SHA1": 613,
        "FileHash-SHA256": 5010,
        "URL": 13617,
        "hostname": 3699,
        "domain": 2783,
        "email": 11,
        "CVE": 23,
        "CIDR": 2
      },
      "indicator_count": 26978,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "9 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "appspot.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "appspot.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780221715.2319372
}