{ "type": "Domain", "indicator": "asahi.chat", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/asahi.chat", "alexa": "http://www.alexa.com/siteinfo/asahi.chat", "indicator": "asahi.chat", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4055537945, "indicator": "asahi.chat", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "6a0a062736db89f7c827b1d4", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:58.595000", "created": "2026-05-17T18:17:11.966000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 301, "FileHash-SHA1": 313, "FileHash-SHA256": 774, "URL": 667, "IPv4": 241, "domain": 205, "hostname": 612, "email": 5, "IPv6": 2, "CIDR": 1, "CVE": 23, "JA3": 1 }, "indicator_count": 3145, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a06582d0722271a4599d7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:57.618000", "created": "2026-05-17T18:18:00.792000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065b8e1ccb825970a9e5", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:56.390000", "created": "2026-05-17T18:18:03.742000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065be823d8e9966e18ce", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:55.117000", "created": "2026-05-17T18:18:03.751000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065d1177dadd6522914f", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:54.028000", "created": "2026-05-17T18:18:05.783000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065ebc76096529b575c7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:52.618000", "created": "2026-05-17T18:18:06.287000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0b53626be41dfe6834d2e4", "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit * CAPE Sandbox", "description": "Standalone iOS Mobile Infrastrure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe js loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag,&memory exhaustion w/o raising traditional system level malware flags.", "modified": "2026-05-20T08:57:18.461000", "created": "2026-05-18T17:58:58.565000", "tags": [ "link", "calendar", "keep track", "apple support", "doctype html", "title", "locale", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "meta", "defense evasion", "next", "meta tags", "script tags" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 281, "hostname": 149, "URL": 255, "domain": 118 }, "indicator_count": 864, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a0e71af8047801da346a8", "name": "Credit: Skocherhan \"gh0st shadows\" clone [ty sk]", "description": "", "modified": "2026-05-20T08:57:02.834000", "created": "2026-05-17T18:52:33.147000", "tags": [], "references": [ "114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6a09f8a35ce1c4ed81629523", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 520, "hostname": 534, "URL": 487, "IPv4": 17, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 16, "CIDR": 2, "email": 2 }, "indicator_count": 1586, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0b5364337dfd91041f4d22", "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit * CAPE Sandbox", "description": "Standalone iOS Mobile Infrastrure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe js loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag,&memory exhaustion w/o raising traditional system level malware flags.", "modified": "2026-05-20T08:56:56.059000", "created": "2026-05-18T17:59:00.842000", "tags": [ "link", "calendar", "keep track", "apple support", "doctype html", "title", "locale", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "meta", "defense evasion", "next", "meta tags", "script tags" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 281, "hostname": 149, "URL": 255, "domain": 118 }, "indicator_count": 864, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0b535b1d8235c877c4fc81", "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit * CAPE Sandbox", "description": "Standalone iOS Mobile Infrastrure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe js loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag,&memory exhaustion w/o raising traditional system level malware flags.", "modified": "2026-05-20T08:52:51.376000", "created": "2026-05-18T17:58:51.398000", "tags": [ "link", "calendar", "keep track", "apple support", "doctype html", "title", "locale", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "meta", "defense evasion", "next", "meta tags", "script tags" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 281, "hostname": 149, "URL": 255, "domain": 117 }, "indicator_count": 863, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a09f8a35ce1c4ed81629523", "name": "gh0st shadows", "description": "msudosos, have a look", "modified": "2026-05-17T17:19:31.602000", "created": "2026-05-17T17:19:31.602000", "tags": [], "references": [ "114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 342, "hostname": 405, "URL": 437 }, "indicator_count": 1184, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a09f17097a702a842737b52", "name": "China", "description": "", "modified": "2026-05-17T16:48:48.825000", "created": "2026-05-17T16:48:48.825000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 307, "hostname": 192 }, "indicator_count": 499, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "114.114.114.114", "master.cf", "bashrc_Apple_Terminal", "transport", "dbi_sql.h", "crashes.csv", "dbivport.h", "bashrc", "x86_64-apple-ios-macabi.swiftinterface", "interfaceDetails.csv", "sharingPreferences.csv", "APConfigurationSystem.tbd", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "disk_structure.txt", "networks", "AppleFirmwareUpdate.tbd", "nfs.conf", "generic", "pf.os", "find.codes", "security_status.txt", "systemInfo.csv", "LDAP.tbd", "content-negotiation.html", "kern_loader.conf", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "convenience.map", "zprofile", "launchD.csv", "user_launchagents.txt", "arm64e-apple-macos.swiftinterface", "MCPeerID.h", "MultipeerConnectivity.tbd", "process_list.txt", "auto_home", "diskEncryption.csv", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "dbixs_rev.h", "mounts.csv", "rc.netboot", "locate.rc", "module.modulemap", "MCBrowserViewController.h", "resolv.conf", "MultipeerConnectivity.h", "kernel.csv", "command_args.json", "interfaceAddrs.csv", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "asl.conf", "access", "version.plist", "bounce.cf.default", "relocated", "master.cf.default", "MultipeerConnectivity.apinotes", "MCAdvertiserAssistant.h", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "zshrc", "CodeResources", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "certificates.csv", "postfix-files", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "custom_header_checks", "custom-error.html", "Driver_xst.h", "virtual", "MCSession.h", "newsyslog.conf", "LICENSE", "applications.csv", "Info.plist", "arm64e-apple-ios-macabi.swiftinterface", "AOSKit.tbd", "kexts.txt", "dbd_xsh.h", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "BUILDING", "rtadvd.conf", "sipConfig.csv", "gettytab", "passwd", "ftpusers", "afpovertcp.cfg", "canonical", "sudo_lecture", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "auto_master", "pf.conf", "zshrc_Apple_Terminal", "systemControls.csv", "ttys", "main.cf.default", "master.cf.proto", "DBIXS.h", "mail.rc", "battery.csv", "main.cf", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U", "TLS_LICENSE", "launchagents.txt", "ldap.h", "irbrc", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed", "hook_op_check.h", "MCNearbyServiceBrowser.h", "protocols", "AirPlayReceiver.tbd", "ntp_opendirectory.conf", "launchdaemons.txt", "man.conf", "Admin.tbd", "makedefs.out", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "bind.html", "LocalAuthentication.tbd", "mounts.txt", "chromeExtensions.csv", "usbDevices.csv", "paths", "rc.common", "MCNearbyServiceAdvertiser.h", "caching.html", "csh.logout", "lber.h", "configuring.html", "group", "profile", "manpaths", "xtab", "rmtab", "ntp.conf", "syslog.conf", "MCError.h", "apfs_boot_mount.tbd", "aliases", "index.html.en", "sharedFolders.csv", "x86_64-apple-macos.swiftinterface", "etcHosts.csv", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "sudoers", "header_checks", "csh.login", "shells", "smb.conf", "main.cf.proto", "preboot_archive_errors.log", "csh.cshrc", "managedPolicies.csv", "com.apple.screensharing.agent.launchd", "rpc", "users.csv", "autofs.conf", "notify.conf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "DragonForce Malaysia Hacker Group" ], "malware_families": [ "Firstname", "Lastname" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "6a0a062736db89f7c827b1d4", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:58.595000", "created": "2026-05-17T18:17:11.966000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 301, "FileHash-SHA1": 313, "FileHash-SHA256": 774, "URL": 667, "IPv4": 241, "domain": 205, "hostname": 612, "email": 5, "IPv6": 2, "CIDR": 1, "CVE": 23, "JA3": 1 }, "indicator_count": 3145, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a06582d0722271a4599d7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:57.618000", "created": "2026-05-17T18:18:00.792000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065b8e1ccb825970a9e5", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:56.390000", "created": "2026-05-17T18:18:03.742000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065be823d8e9966e18ce", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:55.117000", "created": "2026-05-17T18:18:03.751000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065d1177dadd6522914f", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:54.028000", "created": "2026-05-17T18:18:05.783000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065ebc76096529b575c7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:52.618000", "created": "2026-05-17T18:18:06.287000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0b53626be41dfe6834d2e4", "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit * CAPE Sandbox", "description": "Standalone iOS Mobile Infrastrure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe js loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag,&memory exhaustion w/o raising traditional system level malware flags.", "modified": "2026-05-20T08:57:18.461000", "created": "2026-05-18T17:58:58.565000", "tags": [ "link", "calendar", "keep track", "apple support", "doctype html", "title", "locale", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "meta", "defense evasion", "next", "meta tags", "script tags" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 281, "hostname": 149, "URL": 255, "domain": 118 }, "indicator_count": 864, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a0e71af8047801da346a8", "name": "Credit: Skocherhan \"gh0st shadows\" clone [ty sk]", "description": "", "modified": "2026-05-20T08:57:02.834000", "created": "2026-05-17T18:52:33.147000", "tags": [], "references": [ "114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6a09f8a35ce1c4ed81629523", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 520, "hostname": 534, "URL": 487, "IPv4": 17, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 16, "CIDR": 2, "email": 2 }, "indicator_count": 1586, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0b5364337dfd91041f4d22", "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit * CAPE Sandbox", "description": "Standalone iOS Mobile Infrastrure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe js loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag,&memory exhaustion w/o raising traditional system level malware flags.", "modified": "2026-05-20T08:56:56.059000", "created": "2026-05-18T17:59:00.842000", "tags": [ "link", "calendar", "keep track", "apple support", "doctype html", "title", "locale", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "meta", "defense evasion", "next", "meta tags", "script tags" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 281, "hostname": 149, "URL": 255, "domain": 118 }, "indicator_count": 864, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0b535b1d8235c877c4fc81", "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit * CAPE Sandbox", "description": "Standalone iOS Mobile Infrastrure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe js loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag,&memory exhaustion w/o raising traditional system level malware flags.", "modified": "2026-05-20T08:52:51.376000", "created": "2026-05-18T17:58:51.398000", "tags": [ "link", "calendar", "keep track", "apple support", "doctype html", "title", "locale", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "meta", "defense evasion", "next", "meta tags", "script tags" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 281, "hostname": 149, "URL": 255, "domain": 117 }, "indicator_count": 863, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "asahi.chat", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "asahi.chat", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780215941.8552463 }