{ "type": "Domain", "indicator": "attribution.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/attribution.com", "alexa": "http://www.alexa.com/siteinfo/attribution.com", "indicator": "attribution.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4123992636, "indicator": "attribution.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68cb233ba91aa1eb958b3f31", "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder", "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea", "modified": "2025-10-17T19:03:15.031000", "created": "2025-09-17T21:08:11.518000", "tags": [ "script urls", "meta", "moved", "x tec", "passive dns", "encrypt", "america flag", "san francisco", "extraction", "data upload", "type indicatod", "united states", "a domains", "united", "gmt server", "jose", "university", "bill", "rmhs", "information", "board", "lorin", "joseph", "all veterans", "rocky mountain", "mission", "vice", "april", "school", "austin", "prior", "ipv4 add", "urls", "files", "location united", "wordpress", "rmhs meta", "tags viewport", "rmhs og", "rmhs article", "wpbakery page", "builder", "slider plugin", "google tag", "mountain human", "denver", "connecting", "denver start", "relevance home", "providers", "contact us", "rmhs main", "server", "redacted tech", "redacted admin", "registrar abuse", "algorithm", "key identifier", "x509v3 subject", "dnssec", "country", "ttl value", "graph summary", "resolved ips", "ip address", "port", "data", "screenshots no", "involved direct", "country name", "name response", "tcp connections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "found", "spawns", "t1590 gather", "path", "ascii text", "exif standard", "tiff image", "format", "stop", "false", "soldier", "model", "youth", "baby", "june", "general", "local", "click", "strings", "core", "warrior", "green", "emotion", "flash", "nina", "hunk", "fono", "daam", "mitre att", "ck techniques", "id name", "malicious", "windows nt", "win64", "khtml", "gecko", "brand", "microsoft edge", "show process", "self", "date", "comspec", "hybrid", "form", "log id", "gmtn", "tls web", "b2 f6", "b0n timestamp", "f9401a", "record value", "x wix", "certificate", "domain add", "pulse submit", "body", "domain related", "blackbox", "apple", "helix", "dvrdns", "tracking", "remote access", "ios", "spyware", "hoax", "dynamicloader", "ptls6", "medium", "flashpix", "high", "ygjpavclsline", "officespace", "chartshared", "powershell", "write", "malware", "ygjpaulscontext", "status", "japan unknown", "domain", "pulses", "search", "accept", "apt10", "trojanspy", "win32", "entries", "susp", "backdoor", "useragent", "showing", "virtool", "twitter", "mozilla", "trojandropper", "trojan", "title", "onelouder", "yara det", "maware samoe", "genaco x", "ids detec", "ids terse", "win3 data", "include review", "exclude sugges", "targeting", "show", "copy", "reads", "dynamic", "vendor finding", "notes clamav", "files matching", "number", "sample analysis", "hide samples", "date hash", "next yara" ], "references": [ "rmhumanservices.org", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "https://www.mlkfoundation.net/ (Foundry DGA)", "remotewd.com x 34 devices", "South Africa based: remote.advisoroffice.com", "acc.lehigtapp.com - malware", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "1.organization.api.powerplatform.partner.microsoftonline.cn", "chinaeast2.admin.api.powerautomate.cn", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "ssa-gov.authorizeddns", "hmmm\u2026http://palander.stjernstrom.se/", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU" ], "public": 1, "adversary": "APT 10", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APT 10", "display_name": "APT 10", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "KoobFace", "display_name": "KoobFace", "target": null }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Nivdort Checkin", "display_name": "Nivdort Checkin", "target": null }, { "id": "Win.Malware.Installcore-6950365-0", "display_name": "Win.Malware.Installcore-6950365-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Golfing", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 690, "hostname": 1912, "URL": 5925, "FileHash-SHA1": 273, "email": 8, "FileHash-SHA256": 3618, "CIDR": 3, "FileHash-MD5": 254, "SSLCertFingerprint": 19, "CVE": 2 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bc8015944465ffa1c03148", "name": "Security Affairs affecting Critical Infrastructure", "description": "Security affairs.com found in a State Policy & Financing website research due to social engineering & insurance policies hacking scheme. \u2022 SecurityAffairs.com statement: The website specializes in cybersecurity and its related fields, providing insights into current threats and trends. \nContent:\nIt features news articles, investigative reports, and analyses from experts in the field. \nTopics:\nContent often includes discussions on:\ncybercrime,\ncybersecurity trends ,\nintelligence and geopolitics,\nemerging threats. (I can\u2019t verify because idk).\n\n(Auto populated: 335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997)\nAdversary auto populated: Suggested Adversaries:\nMember Ad-Hoc Working ADVERSARIES Group on Cyber Threat Landscapes, Ethical Hacker, Security Evangelist", "modified": "2025-10-06T18:03:15.359000", "created": "2025-09-06T18:40:21.276000", "tags": [ "script urls", "security", "script domains", "ip address", "meta", "stealth window", "reads_self", "creates_largekey", "dynamic_function_loading", "script_created_process", "antivm_generic_disk", "ids", "infostealer_cookies", "infostealer_keylog", "custom malware", "suspicious_command_tools", "antisandbox_mouse_hook", "dynamicloader", "tlsv1", "ogoogle trust", "cngts ca", "tls handshake", "failure", "united", "high", "search", "write", "malware", "unknown", "extraction", "data upload", "extraction data", "enter soudae", "hdi ad", "temdac c", "extri", "include review", "trojandropper", "mtb jun", "passive dns", "files", "location united", "twitter", "exploit", "delete c", "intel", "ms windows", "medium", "pe32", "port", "destination", "present sep", "a domains", "creation date", "error", "title", "android", "known exploited", "google", "salesloft drift", "qantas", "july", "meetc2", "c2 framework", "google calendar", "apis", "critical", "rokrat", "windows", "tags none", "file type", "virustotal api", "screenshots", "comments", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "defense evasion", "spawns", "t1590 gather", "copy md5", "copy sha1", "copy sha256", "additional info", "yara signature", "unicode text", "utf8 text", "idat", "style", "defs", "command decode", "strings", "yxgbc", "core", "flag", "date", "markmonitor", "server", "automattic", "name server", "proxy", "llc name", "windir", "pattern match", "mitre att", "show technique", "ck matrix", "sha1", "show process", "hybrid", "general", "local", "path", "encrypt", "form", "iframe", "click", "server response", "google safe", "results aug", "affairs", "founder", "cybhorus", "cybaze", "member adhoc", "working group", "cyber threat", "landscapes", "ethical hacker", "hoc working", "ssl certificate", "initial access", "href", "ascii text" ], "references": [ "https://securityaffairs.com/", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "Multiple other undocumented malware" ], "public": 1, "adversary": "Hoc Working", "targeted_countries": [], "malware_families": [ { "id": "!#AddsCopyToStartup", "display_name": "!#AddsCopyToStartup", "target": null }, { "id": "!#LowFiWriteMZInUnusualExtension", "display_name": "!#LowFiWriteMZInUnusualExtension", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "target": null }, { "id": "CVE-2025-42957", "display_name": "CVE-2025-42957", "target": null }, { "id": "CVE-2023-27997", "display_name": "CVE-2023-27997", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Manufacturing", "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 187, "FileHash-SHA1": 152, "FileHash-SHA256": 1140, "URL": 1258, "domain": 237, "email": 1, "hostname": 470, "SSLCertFingerprint": 17, "CVE": 3 }, "indicator_count": 3465, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ac1823eed9568e26950b98", "name": "ELF: Mirai - Malicious media | sentient.industries | Palantir", "description": "Malicious entity weaponizing AI and next level cyber attacks, targeting, hacking, espionage, tracking, bad traffic, botnet, honeypots, bots , ddos. \n\nIt\u2019s really easy to become a target. Protest a cause, become a victim of crime by someone protected by a major entity , incur a large loss insurance case or have a high profile potential lawsuit on and on\u2026 \n\nExcessive overreach, low accountability, no barrier to access, designed to be the cyber warfare weapon.\nIf this is a spoof and NOT Palantir which (but it is) still relentlessly , as malicious. You don\u2019t own your devices or privacy.\n\n#mustbestrangelyexitingtowatchthestoicsquirm", "modified": "2025-09-24T07:05:04.439000", "created": "2025-08-25T08:00:35.492000", "tags": [ "sentientindustries", "adult", "pornography", "targeting", "content reputation", "palantirfoundry", "palantir", "malicious media", "tool", "abuse", "citizens", "gay", "united", "cache control", "access control", "passive dns", "ip address", "body found", "gmt content", "express cache", "accept", "pragma", "avast avg", "mirai", "games", "aniporn", "eporner", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "javascript", "defense evasion", "spawns", "attrib", "extid", "fbid", "creatortool", "pattern match", "date", "path", "august", "hybrid", "general", "click", "strings", "bham", "this", "core", "unknown aaaa", "moved", "unknown ns", "body", "h1 center", "title", "data upload", "extraction", "iocs", "monitored target", "copy md5", "copy sha1", "copy sha256", "mitre att", "show technique", "ck matrix", "span", "possible", "local", "meta", "roboto", "supportscookie", "spearphishing", "initial access", "ssl certificate", "t1105", "T1027.013 - Encrypted/Encoded File" ], "references": [ "https://targeting-ai.com/dr-wisit-cheungpasitporn-invite-dhonneur-a-paris-pour-intelligence-artificielle-et-nephrologie-2025/ (phishing)", "conf.targeting-ai.com \u2022 http://conf.targeting-ai.com \u2022 https://conf.targeting-ai.com \u2022 https://droidcall.cc/EQBhOSFz/", "http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html", "1-ai-chatbox-widget-2iv.pages.dev", "FileleHash Sha256 [7a6da9fd351d428e9bfb8edbbca1275d9cdaf7f0371c77d2c227645509f7ebec ELF:Mirai-GH\\ [Trj] \u2022 Unix.Trojan.Gafgyt-6748839", "Found in Palantirfoundry in sentient.indusutries linked to songculture.com (downed)", "Redirecting to /verify/547062ef [URL https://eporner.blog \u2022 IPv4 104.21.3.107]", "https://hayageek.com/drag-and-drop-file-upload-jquery", "https://hayageek.com/rsa-encryption-decryption-openssl-c/", "https://www-321chat-com.webpkgcache.com/doc/-/s/www.321chat.com/", "https://www.melitta.be/portal/pics/layout/touchicons/apple-touch-icon-precomposed.png [Key-Systems GmbH]", "https://hybrid-analysis.com/sample/627cf8e9a89c998bd5cb607854bbe31b82679c116b4e3834ff942220d61d3488/68ac1098bfa5002fad02e045", "T1027.013 - Encrypted/Encoded File" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "PornBlackmailer", "display_name": "PornBlackmailer", "target": null }, { "id": "Win32/PornTool", "display_name": "Win32/PornTool", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Gafgyt-6748839", "display_name": "Unix.Trojan.Gafgyt-6748839", "target": null }, { "id": "supportsCookie", "display_name": "supportsCookie", "target": null } ], "attack_ids": [ { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1532", "name": "Data Encrypted", "display_name": "T1532 - Data Encrypted" } ], "industries": [ "Telecommunications", "Technology", "Civilian Society", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 966, "domain": 222, "hostname": 272, "FileHash-MD5": 78, "FileHash-SHA1": 84, "FileHash-SHA256": 346, "SSLCertFingerprint": 10 }, "indicator_count": 1978, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "249 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "South Africa based: remote.advisoroffice.com", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "hmmm\u2026http://palander.stjernstrom.se/", "chinaeast2.admin.api.powerautomate.cn", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "ssa-gov.authorizeddns", "https://targeting-ai.com/dr-wisit-cheungpasitporn-invite-dhonneur-a-paris-pour-intelligence-artificielle-et-nephrologie-2025/ (phishing)", "remotewd.com x 34 devices", "https://securityaffairs.com/", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "https://www.melitta.be/portal/pics/layout/touchicons/apple-touch-icon-precomposed.png [Key-Systems GmbH]", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "https://www.mlkfoundation.net/ (Foundry DGA)", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "https://hayageek.com/drag-and-drop-file-upload-jquery", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "https://hayageek.com/rsa-encryption-decryption-openssl-c/", "Multiple other undocumented malware", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "https://hybrid-analysis.com/sample/627cf8e9a89c998bd5cb607854bbe31b82679c116b4e3834ff942220d61d3488/68ac1098bfa5002fad02e045", "1.organization.api.powerplatform.partner.microsoftonline.cn", "1-ai-chatbox-widget-2iv.pages.dev", "Redirecting to /verify/547062ef [URL https://eporner.blog \u2022 IPv4 104.21.3.107]", "rmhumanservices.org", "https://www-321chat-com.webpkgcache.com/doc/-/s/www.321chat.com/", "conf.targeting-ai.com \u2022 http://conf.targeting-ai.com \u2022 https://conf.targeting-ai.com \u2022 https://droidcall.cc/EQBhOSFz/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "T1027.013 - Encrypted/Encoded File", "acc.lehigtapp.com - malware", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "Found in Palantirfoundry in sentient.indusutries linked to songculture.com (downed)", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "FileleHash Sha256 [7a6da9fd351d428e9bfb8edbbca1275d9cdaf7f0371c77d2c227645509f7ebec ELF:Mirai-GH\\ [Trj] \u2022 Unix.Trojan.Gafgyt-6748839", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Hoc Working", "APT 10" ], "malware_families": [ "Elf:mirai-gh\\ [trj]", "!#addscopytostartup", "Pws:win32/ymacco.aa50", "Win32/porntool", "Onelouder", "Sality", "Koobface", "Trojan:win32/qqpass", "Supportscookie", "Apt 10", "Cve-2023-27997", "Cve-2025-42957", "Unix.trojan.gafgyt-6748839", "Andromeda", "Win.malware.installcore-6950365-0", "Pornblackmailer", "Alf:heraklezeval:trojan:win32/salgorea!rfn", ".a , alf:heraklezeval:pws:win32/ldpinch!rfn", "Nivdort checkin", "Bayrob", "\"prepending (enc) ransomware\" (not an official name)", "Mirai", "!#lowfiwritemzinunusualextension" ], "industries": [ "Golfing", "Government", "Civilian society", "Healthcare", "Critical infrastructure", "Manufacturing", "Technology", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68cb233ba91aa1eb958b3f31", "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder", "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea", "modified": "2025-10-17T19:03:15.031000", "created": "2025-09-17T21:08:11.518000", "tags": [ "script urls", "meta", "moved", "x tec", "passive dns", "encrypt", "america flag", "san francisco", "extraction", "data upload", "type indicatod", "united states", "a domains", "united", "gmt server", "jose", "university", "bill", "rmhs", "information", "board", "lorin", "joseph", "all veterans", "rocky mountain", "mission", "vice", "april", "school", "austin", "prior", "ipv4 add", "urls", "files", "location united", "wordpress", "rmhs meta", "tags viewport", "rmhs og", "rmhs article", "wpbakery page", "builder", "slider plugin", "google tag", "mountain human", "denver", "connecting", "denver start", "relevance home", "providers", "contact us", "rmhs main", "server", "redacted tech", "redacted admin", "registrar abuse", "algorithm", "key identifier", "x509v3 subject", "dnssec", "country", "ttl value", "graph summary", "resolved ips", "ip address", "port", "data", "screenshots no", "involved direct", "country name", "name response", "tcp connections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "found", "spawns", "t1590 gather", "path", "ascii text", "exif standard", "tiff image", "format", "stop", "false", "soldier", "model", "youth", "baby", "june", "general", "local", "click", "strings", "core", "warrior", "green", "emotion", "flash", "nina", "hunk", "fono", "daam", "mitre att", "ck techniques", "id name", "malicious", "windows nt", "win64", "khtml", "gecko", "brand", "microsoft edge", "show process", "self", "date", "comspec", "hybrid", "form", "log id", "gmtn", "tls web", "b2 f6", "b0n timestamp", "f9401a", "record value", "x wix", "certificate", "domain add", "pulse submit", "body", "domain related", "blackbox", "apple", "helix", "dvrdns", "tracking", "remote access", "ios", "spyware", "hoax", "dynamicloader", "ptls6", "medium", "flashpix", "high", "ygjpavclsline", "officespace", "chartshared", "powershell", "write", "malware", "ygjpaulscontext", "status", "japan unknown", "domain", "pulses", "search", "accept", "apt10", "trojanspy", "win32", "entries", "susp", "backdoor", "useragent", "showing", "virtool", "twitter", "mozilla", "trojandropper", "trojan", "title", "onelouder", "yara det", "maware samoe", "genaco x", "ids detec", "ids terse", "win3 data", "include review", "exclude sugges", "targeting", "show", "copy", "reads", "dynamic", "vendor finding", "notes clamav", "files matching", "number", "sample analysis", "hide samples", "date hash", "next yara" ], "references": [ "rmhumanservices.org", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "https://www.mlkfoundation.net/ (Foundry DGA)", "remotewd.com x 34 devices", "South Africa based: remote.advisoroffice.com", "acc.lehigtapp.com - malware", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "1.organization.api.powerplatform.partner.microsoftonline.cn", "chinaeast2.admin.api.powerautomate.cn", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "ssa-gov.authorizeddns", "hmmm\u2026http://palander.stjernstrom.se/", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU" ], "public": 1, "adversary": "APT 10", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APT 10", "display_name": "APT 10", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "KoobFace", "display_name": "KoobFace", "target": null }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Nivdort Checkin", "display_name": "Nivdort Checkin", "target": null }, { "id": "Win.Malware.Installcore-6950365-0", "display_name": "Win.Malware.Installcore-6950365-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Golfing", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 690, "hostname": 1912, "URL": 5925, "FileHash-SHA1": 273, "email": 8, "FileHash-SHA256": 3618, "CIDR": 3, "FileHash-MD5": 254, "SSLCertFingerprint": 19, "CVE": 2 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bc8015944465ffa1c03148", "name": "Security Affairs affecting Critical Infrastructure", "description": "Security affairs.com found in a State Policy & Financing website research due to social engineering & insurance policies hacking scheme. \u2022 SecurityAffairs.com statement: The website specializes in cybersecurity and its related fields, providing insights into current threats and trends. \nContent:\nIt features news articles, investigative reports, and analyses from experts in the field. \nTopics:\nContent often includes discussions on:\ncybercrime,\ncybersecurity trends ,\nintelligence and geopolitics,\nemerging threats. (I can\u2019t verify because idk).\n\n(Auto populated: 335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997)\nAdversary auto populated: Suggested Adversaries:\nMember Ad-Hoc Working ADVERSARIES Group on Cyber Threat Landscapes, Ethical Hacker, Security Evangelist", "modified": "2025-10-06T18:03:15.359000", "created": "2025-09-06T18:40:21.276000", "tags": [ "script urls", "security", "script domains", "ip address", "meta", "stealth window", "reads_self", "creates_largekey", "dynamic_function_loading", "script_created_process", "antivm_generic_disk", "ids", "infostealer_cookies", "infostealer_keylog", "custom malware", "suspicious_command_tools", "antisandbox_mouse_hook", "dynamicloader", "tlsv1", "ogoogle trust", "cngts ca", "tls handshake", "failure", "united", "high", "search", "write", "malware", "unknown", "extraction", "data upload", "extraction data", "enter soudae", "hdi ad", "temdac c", "extri", "include review", "trojandropper", "mtb jun", "passive dns", "files", "location united", "twitter", "exploit", "delete c", "intel", "ms windows", "medium", "pe32", "port", "destination", "present sep", "a domains", "creation date", "error", "title", "android", "known exploited", "google", "salesloft drift", "qantas", "july", "meetc2", "c2 framework", "google calendar", "apis", "critical", "rokrat", "windows", "tags none", "file type", "virustotal api", "screenshots", "comments", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "defense evasion", "spawns", "t1590 gather", "copy md5", "copy sha1", "copy sha256", "additional info", "yara signature", "unicode text", "utf8 text", "idat", "style", "defs", "command decode", "strings", "yxgbc", "core", "flag", "date", "markmonitor", "server", "automattic", "name server", "proxy", "llc name", "windir", "pattern match", "mitre att", "show technique", "ck matrix", "sha1", "show process", "hybrid", "general", "local", "path", "encrypt", "form", "iframe", "click", "server response", "google safe", "results aug", "affairs", "founder", "cybhorus", "cybaze", "member adhoc", "working group", "cyber threat", "landscapes", "ethical hacker", "hoc working", "ssl certificate", "initial access", "href", "ascii text" ], "references": [ "https://securityaffairs.com/", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "Multiple other undocumented malware" ], "public": 1, "adversary": "Hoc Working", "targeted_countries": [], "malware_families": [ { "id": "!#AddsCopyToStartup", "display_name": "!#AddsCopyToStartup", "target": null }, { "id": "!#LowFiWriteMZInUnusualExtension", "display_name": "!#LowFiWriteMZInUnusualExtension", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "target": null }, { "id": "CVE-2025-42957", "display_name": "CVE-2025-42957", "target": null }, { "id": "CVE-2023-27997", "display_name": "CVE-2023-27997", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Manufacturing", "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 187, "FileHash-SHA1": 152, "FileHash-SHA256": 1140, "URL": 1258, "domain": 237, "email": 1, "hostname": 470, "SSLCertFingerprint": 17, "CVE": 3 }, "indicator_count": 3465, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ac1823eed9568e26950b98", "name": "ELF: Mirai - Malicious media | sentient.industries | Palantir", "description": "Malicious entity weaponizing AI and next level cyber attacks, targeting, hacking, espionage, tracking, bad traffic, botnet, honeypots, bots , ddos. \n\nIt\u2019s really easy to become a target. Protest a cause, become a victim of crime by someone protected by a major entity , incur a large loss insurance case or have a high profile potential lawsuit on and on\u2026 \n\nExcessive overreach, low accountability, no barrier to access, designed to be the cyber warfare weapon.\nIf this is a spoof and NOT Palantir which (but it is) still relentlessly , as malicious. You don\u2019t own your devices or privacy.\n\n#mustbestrangelyexitingtowatchthestoicsquirm", "modified": "2025-09-24T07:05:04.439000", "created": "2025-08-25T08:00:35.492000", "tags": [ "sentientindustries", "adult", "pornography", "targeting", "content reputation", "palantirfoundry", "palantir", "malicious media", "tool", "abuse", "citizens", "gay", "united", "cache control", "access control", "passive dns", "ip address", "body found", "gmt content", "express cache", "accept", "pragma", "avast avg", "mirai", "games", "aniporn", "eporner", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "javascript", "defense evasion", "spawns", "attrib", "extid", "fbid", "creatortool", "pattern match", "date", "path", "august", "hybrid", "general", "click", "strings", "bham", "this", "core", "unknown aaaa", "moved", "unknown ns", "body", "h1 center", "title", "data upload", "extraction", "iocs", "monitored target", "copy md5", "copy sha1", "copy sha256", "mitre att", "show technique", "ck matrix", "span", "possible", "local", "meta", "roboto", "supportscookie", "spearphishing", "initial access", "ssl certificate", "t1105", "T1027.013 - Encrypted/Encoded File" ], "references": [ "https://targeting-ai.com/dr-wisit-cheungpasitporn-invite-dhonneur-a-paris-pour-intelligence-artificielle-et-nephrologie-2025/ (phishing)", "conf.targeting-ai.com \u2022 http://conf.targeting-ai.com \u2022 https://conf.targeting-ai.com \u2022 https://droidcall.cc/EQBhOSFz/", "http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html", "1-ai-chatbox-widget-2iv.pages.dev", "FileleHash Sha256 [7a6da9fd351d428e9bfb8edbbca1275d9cdaf7f0371c77d2c227645509f7ebec ELF:Mirai-GH\\ [Trj] \u2022 Unix.Trojan.Gafgyt-6748839", "Found in Palantirfoundry in sentient.indusutries linked to songculture.com (downed)", "Redirecting to /verify/547062ef [URL https://eporner.blog \u2022 IPv4 104.21.3.107]", "https://hayageek.com/drag-and-drop-file-upload-jquery", "https://hayageek.com/rsa-encryption-decryption-openssl-c/", "https://www-321chat-com.webpkgcache.com/doc/-/s/www.321chat.com/", "https://www.melitta.be/portal/pics/layout/touchicons/apple-touch-icon-precomposed.png [Key-Systems GmbH]", "https://hybrid-analysis.com/sample/627cf8e9a89c998bd5cb607854bbe31b82679c116b4e3834ff942220d61d3488/68ac1098bfa5002fad02e045", "T1027.013 - Encrypted/Encoded File" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "PornBlackmailer", "display_name": "PornBlackmailer", "target": null }, { "id": "Win32/PornTool", "display_name": "Win32/PornTool", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Gafgyt-6748839", "display_name": "Unix.Trojan.Gafgyt-6748839", "target": null }, { "id": "supportsCookie", "display_name": "supportsCookie", "target": null } ], "attack_ids": [ { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1532", "name": "Data Encrypted", "display_name": "T1532 - Data Encrypted" } ], "industries": [ "Telecommunications", "Technology", "Civilian Society", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 966, "domain": 222, "hostname": 272, "FileHash-MD5": 78, "FileHash-SHA1": 84, "FileHash-SHA256": 346, "SSLCertFingerprint": 10 }, "indicator_count": 1978, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "249 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "attribution.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "attribution.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780248482.2765615 }