{ "type": "Domain", "indicator": "ashimay.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ashimay.com", "alexa": "http://www.alexa.com/siteinfo/ashimay.com", "indicator": "ashimay.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4073977886, "indicator": "ashimay.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "68434df5a7a61c7583cdec3f", "name": "Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes", "description": "HUMAN's Satori team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting over 1 million low-cost consumer devices worldwide. The scheme involves a backdoor pre-installed on devices or distributed through unofficial app marketplaces, allowing threat actors to conduct various fraudulent activities. These include selling residential proxy services, ad fraud through hidden ads and WebViews, and click fraud. Four main threat actor groups were identified: SalesTracker, MoYu, Lemon, and LongTV. The operation affects Android Open Source Project devices in 222 countries, with Brazil being the most impacted. Disruption efforts involved collaboration with Google and other partners to mitigate the threat's impact.", "modified": "2025-06-06T20:24:01.215000", "created": "2025-06-06T20:22:13.238000", "tags": [ "consumer devices", "iot", "badbox", "vo1d", "ad fraud", "botnet", "residential proxy", "android", "ctv", "bb2door" ], "references": [ "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0", "https://www.humansecurity.com/wp-content/uploads/2025/03/BADBOX-2-H5-Domain-List.csv" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil", "United States of America", "Mexico", "Argentina", "Colombia" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 800, "hostname": 169 }, "indicator_count": 969, "is_author": false, "is_subscribing": null, "subscriber_count": 386579, "modified_text": "359 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686d28ec9208b0424e0ccad2", "name": "Remote Keylogger | Foundry", "description": "Keylogger Remotely installed on all of targets devices. Up until\u2026 target had to purchase and return more than 50\ndevices minus service plans. Apple\nengineers have been involved many times. Mercenary attacks also confirmed: A kind phone store owner gave her a free phone that was hacked within seconds. \nUnless someone has been \u2018framing Palantir / Foundry Tech Mafia is portrayed a playing a significant involvement of SA victim potentially since day of coerced disclosure in 2013.\nThe first clue was a YouTube follower with a menacing name and picture began to follow, change login, network, dumped adult content, utilized web content scrapers,. stole\nPasswords,etc., Anyway .. Unruy & remotely installed keylogger. \n#foundry #apple #soc #keylogger \n\nThis is risky to say but very wrong to do. She was a multi generational (MGM) American.", "modified": "2025-09-19T03:02:22.742000", "created": "2025-07-08T14:19:24.211000", "tags": [ "delete", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "intel", "write", "malware", "dynamicloader", "yara rule", "high", "vmware", "phishing", "remote", "keylogger", "remote keylogger", "type indicator", "related pulses", "no expiration", "url https", "showing", "reputation", "foundry", "apple", "downloader", "trojan" ], "references": [ "http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||", "\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net", "\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects", "\u2022 199.59.243.226", "\u2022 ww25.vpn.steamcommunity-site.info", "\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/", "\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/", "\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us", "\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com", "\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Reputation.1", "display_name": "Reputation.1", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [ "Telecommunications", "Technology", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 244, "FileHash-SHA256": 4406, "URL": 9684, "domain": 3164, "hostname": 3370, "CVE": 1 }, "indicator_count": 21129, "is_author": false, "is_subscribing": null, "subscriber_count": 148, "modified_text": "254 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0", "\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/", "\u2022 199.59.243.226", "http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||", "\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects", "\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/", "\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net", "\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/", "\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us", "\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com", "\u2022 ww25.vpn.steamcommunity-site.info", "https://www.humansecurity.com/wp-content/uploads/2025/03/BADBOX-2-H5-Domain-List.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Media", "Telecommunications", "Technology" ] }, "other": { "adversary": [], "malware_families": [ "Unruy", "Reputation.1" ], "industries": [ "Media", "Telecommunications", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "68434df5a7a61c7583cdec3f", "name": "Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes", "description": "HUMAN's Satori team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting over 1 million low-cost consumer devices worldwide. The scheme involves a backdoor pre-installed on devices or distributed through unofficial app marketplaces, allowing threat actors to conduct various fraudulent activities. These include selling residential proxy services, ad fraud through hidden ads and WebViews, and click fraud. Four main threat actor groups were identified: SalesTracker, MoYu, Lemon, and LongTV. The operation affects Android Open Source Project devices in 222 countries, with Brazil being the most impacted. Disruption efforts involved collaboration with Google and other partners to mitigate the threat's impact.", "modified": "2025-06-06T20:24:01.215000", "created": "2025-06-06T20:22:13.238000", "tags": [ "consumer devices", "iot", "badbox", "vo1d", "ad fraud", "botnet", "residential proxy", "android", "ctv", "bb2door" ], "references": [ "https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0", "https://www.humansecurity.com/wp-content/uploads/2025/03/BADBOX-2-H5-Domain-List.csv" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil", "United States of America", "Mexico", "Argentina", "Colombia" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 800, "hostname": 169 }, "indicator_count": 969, "is_author": false, "is_subscribing": null, "subscriber_count": 386579, "modified_text": "359 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686d28ec9208b0424e0ccad2", "name": "Remote Keylogger | Foundry", "description": "Keylogger Remotely installed on all of targets devices. Up until\u2026 target had to purchase and return more than 50\ndevices minus service plans. Apple\nengineers have been involved many times. Mercenary attacks also confirmed: A kind phone store owner gave her a free phone that was hacked within seconds. \nUnless someone has been \u2018framing Palantir / Foundry Tech Mafia is portrayed a playing a significant involvement of SA victim potentially since day of coerced disclosure in 2013.\nThe first clue was a YouTube follower with a menacing name and picture began to follow, change login, network, dumped adult content, utilized web content scrapers,. stole\nPasswords,etc., Anyway .. Unruy & remotely installed keylogger. \n#foundry #apple #soc #keylogger \n\nThis is risky to say but very wrong to do. She was a multi generational (MGM) American.", "modified": "2025-09-19T03:02:22.742000", "created": "2025-07-08T14:19:24.211000", "tags": [ "delete", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "intel", "write", "malware", "dynamicloader", "yara rule", "high", "vmware", "phishing", "remote", "keylogger", "remote keylogger", "type indicator", "related pulses", "no expiration", "url https", "showing", "reputation", "foundry", "apple", "downloader", "trojan" ], "references": [ "http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||", "\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net", "\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects", "\u2022 199.59.243.226", "\u2022 ww25.vpn.steamcommunity-site.info", "\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/", "\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/", "\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us", "\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com", "\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Reputation.1", "display_name": "Reputation.1", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [ "Telecommunications", "Technology", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 244, "FileHash-SHA256": 4406, "URL": 9684, "domain": 3164, "hostname": 3370, "CVE": 1 }, "indicator_count": 21129, "is_author": false, "is_subscribing": null, "subscriber_count": 148, "modified_text": "254 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ashimay.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ashimay.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780264965.5440059 }