{ "type": "Domain", "indicator": "atomseo.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/atomseo.com", "alexa": "http://www.alexa.com/siteinfo/atomseo.com", "indicator": "atomseo.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3351098886, "indicator": "atomseo.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69a185462e3c17c346bcdf79", "name": "The Trans-Pacific Mesh & Starfield Pipeline Subversion", "description": "The September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirm an advanced architectural alignment targeting the Hillsboro \"Silicon Forest\" ring and the TallComponents (.NET) document pipeline. By nesting an unauthorized clientAuth extension within a legitimate Starfield (Mesh Digital) signature, the operative successfully bridged the gap between web traffic and hardware-level telematics.\nThis campaign weaponized the 159,942 Majestic Trust Flow to validate a Serial 1 SOA shadow zone, neutralizing filters while executing ASP.NET Core (Kestrel) request smuggling via the 13.32.205.51 node. This subversion is evidenced by the 60-second TTL oscillation of 3.169.202.x clusters, creating a detectable \"fast-flux\" latency at the HIO52 (Hillsboro) edge. Finally, the Mesh Digital registrant pivot to hex-encoded 34326... and 1f8f41... identifiers secures the Tallfield Pipeline\u2014a hijacked Azure-hosted backend for identity packaging of Amex and UGA credentials.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T11:51:34.696000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 710, "URL": 355, "hostname": 252, "CVE": 4, "CIDR": 6, "FileHash-MD5": 615, "FileHash-SHA1": 585, "email": 21, "FileHash-SHA256": 4316, "SSLCertFingerprint": 2 }, "indicator_count": 6866, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6668b85065eec626e4766a38", "name": "Thor-Lite Linux 64 (06.11.24) - enriched a bit more but not 'pruned'", "description": "Please note: This sample is a tad 'outdated' as I ran both scans kind of by accident lol (i.e. did not update w. the utils utility). I was a bit tired so a happy accident of more data? - but gives a general 'picture' or 'painting' anyways on a rather small set of data.\n\nHave some more data to put up (picked up by Huntress Labs) - just have to get that back online.\n\nWould love to accommodate for some confounding variables - e.g. filter for false positives, windows logs, networking capabilities (better than what I have now) to better inform the team taking care of me (us). \n\nNote: Given it was using some outdated thor modules (lite-version), it was 'good enough' to provide some data worth looking into that 'falls in line' w. what I've come across. \n\nJust a combined sample (2 in 1) of a thor-lite scan of a linux instance (06.11.24)\n\nI've just listed a few places I have some direct ties to in one way or another (not including the other UAlberta students affected that have been in contact with me or reached out).", "modified": "2024-07-11T21:08:15.880000", "created": "2024-06-11T20:49:20.318000", "tags": [ "mon jun", "filename ioc", "scanid", "sigtype1", "group", "reason1", "matched1", "reasonscount", "dangerous file", "exploit code", "trace", "anomaly", "project", "import", "mimikatz", "form", "powershell", "shellcode", "cobaltstrike", "hermanos", "cobalt strike", "inject", "body", "null", "confuserex", "virustotal", "generic", "comspec", "injectdll", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "webshell", "phpshell", "error", "exploit", "dllimport", "info", "kill", "path", "arch", "hosts", "bifrost", "thor", "false", "tools", "flash", "cve201711882", "macos", "bypass", "green", "team", "target", "cred", "powersploit", "recursive", "term", "download", "zero", "antak", "install", "metasploit", "local", "meterpreter", "shell", "please", "javascript", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538" ], "public": 1, "adversary": "Unknown", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Anguilla", "Panama", "Trinidad and Tobago", "Saint Martin (French part)", "Saint Vincent and the Grenadines", "Sint Maarten (Dutch part)", "Mexico", "Philippines", "Japan", "Aruba", "Costa Rica", "Guatemala", "China", "Barbados", "Saint Kitts and Nevis", "Cayman Islands", "Cura\u00e7ao", "Virgin Islands, U.S." ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 247, "FileHash-MD5": 1183, "FileHash-SHA1": 1553, "FileHash-SHA256": 1240, "URL": 486, "domain": 294, "email": 8, "hostname": 138 }, "indicator_count": 5149, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "646 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://urlscan.io/search/#user:me%20OR%20team:me", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Unknown" ], "malware_families": [], "industries": [ "Telecommunications", "Healthcare", "Government", "Technology", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69a185462e3c17c346bcdf79", "name": "The Trans-Pacific Mesh & Starfield Pipeline Subversion", "description": "The September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirm an advanced architectural alignment targeting the Hillsboro \"Silicon Forest\" ring and the TallComponents (.NET) document pipeline. By nesting an unauthorized clientAuth extension within a legitimate Starfield (Mesh Digital) signature, the operative successfully bridged the gap between web traffic and hardware-level telematics.\nThis campaign weaponized the 159,942 Majestic Trust Flow to validate a Serial 1 SOA shadow zone, neutralizing filters while executing ASP.NET Core (Kestrel) request smuggling via the 13.32.205.51 node. This subversion is evidenced by the 60-second TTL oscillation of 3.169.202.x clusters, creating a detectable \"fast-flux\" latency at the HIO52 (Hillsboro) edge. Finally, the Mesh Digital registrant pivot to hex-encoded 34326... and 1f8f41... identifiers secures the Tallfield Pipeline\u2014a hijacked Azure-hosted backend for identity packaging of Amex and UGA credentials.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T11:51:34.696000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 710, "URL": 355, "hostname": 252, "CVE": 4, "CIDR": 6, "FileHash-MD5": 615, "FileHash-SHA1": 585, "email": 21, "FileHash-SHA256": 4316, "SSLCertFingerprint": 2 }, "indicator_count": 6866, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6668b85065eec626e4766a38", "name": "Thor-Lite Linux 64 (06.11.24) - enriched a bit more but not 'pruned'", "description": "Please note: This sample is a tad 'outdated' as I ran both scans kind of by accident lol (i.e. did not update w. the utils utility). I was a bit tired so a happy accident of more data? - but gives a general 'picture' or 'painting' anyways on a rather small set of data.\n\nHave some more data to put up (picked up by Huntress Labs) - just have to get that back online.\n\nWould love to accommodate for some confounding variables - e.g. filter for false positives, windows logs, networking capabilities (better than what I have now) to better inform the team taking care of me (us). \n\nNote: Given it was using some outdated thor modules (lite-version), it was 'good enough' to provide some data worth looking into that 'falls in line' w. what I've come across. \n\nJust a combined sample (2 in 1) of a thor-lite scan of a linux instance (06.11.24)\n\nI've just listed a few places I have some direct ties to in one way or another (not including the other UAlberta students affected that have been in contact with me or reached out).", "modified": "2024-07-11T21:08:15.880000", "created": "2024-06-11T20:49:20.318000", "tags": [ "mon jun", "filename ioc", "scanid", "sigtype1", "group", "reason1", "matched1", "reasonscount", "dangerous file", "exploit code", "trace", "anomaly", "project", "import", "mimikatz", "form", "powershell", "shellcode", "cobaltstrike", "hermanos", "cobalt strike", "inject", "body", "null", "confuserex", "virustotal", "generic", "comspec", "injectdll", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "webshell", "phpshell", "error", "exploit", "dllimport", "info", "kill", "path", "arch", "hosts", "bifrost", "thor", "false", "tools", "flash", "cve201711882", "macos", "bypass", "green", "team", "target", "cred", "powersploit", "recursive", "term", "download", "zero", "antak", "install", "metasploit", "local", "meterpreter", "shell", "please", "javascript", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538" ], "public": 1, "adversary": "Unknown", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Anguilla", "Panama", "Trinidad and Tobago", "Saint Martin (French part)", "Saint Vincent and the Grenadines", "Sint Maarten (Dutch part)", "Mexico", "Philippines", "Japan", "Aruba", "Costa Rica", "Guatemala", "China", "Barbados", "Saint Kitts and Nevis", "Cayman Islands", "Cura\u00e7ao", "Virgin Islands, U.S." ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 247, "FileHash-MD5": 1183, "FileHash-SHA1": 1553, "FileHash-SHA256": 1240, "URL": 486, "domain": 294, "email": 8, "hostname": 138 }, "indicator_count": 5149, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "646 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "atomseo.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "atomseo.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776598666.307129 }