{ "type": "Domain", "indicator": "ayende.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ayende.com", "alexa": "http://www.alexa.com/siteinfo/ayende.com", "indicator": "ayende.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2895101385, "indicator": "ayende.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69efc7a6778f84c179d27073", "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]", "description": "", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:31:34.221000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "69efc567ae24b8285a71099d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1039, "hostname": 868, "domain": 687, "URL": 2226, "FileHash-MD5": 133, "FileHash-SHA1": 96, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5064, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69efc567ae24b8285a71099d", "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media", "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:21:59.824000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1037, "hostname": 865, "domain": 685, "URL": 2224, "FileHash-MD5": 131, "FileHash-SHA1": 94, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5051, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69de16ad2eff99041dc0798f", "name": "CAPE Sandbox", "description": "The full text of the full report on the events of 9 January 2016:-17 February 2017.. and the details will appear on Facebook, Twitter, Instagram and iPlayer, as well as BBC News.Publicly sourced data.", "modified": "2026-05-14T13:12:04.466000", "created": "2026-04-14T10:27:57.413000", "tags": [ "default", "win1", "acrongl integ", "adc4240758", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "angsana new", "accept", "shutdown", "bits", "users", "files c", "registry keys", "parent pid", "full path", "command line", "mutexes nothing", "settings c", "users c", "file type", "ascii text", "html document", "ascii", "smtp", "united", "pe file", "ms windows", "found", "pe32", "exploit", "window", "mydoom", "malicious", "next", "windows sandbox", "calls process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776161759&Signature=r%2BKlsLyBnYpOeeNHzRs9%2B7pdGx2v0X0pOyuXLCoa%2BnUPUCVB26zsfTA6MkxYVG1EJEHvnIlhFuROVrTGOBD3iJ8Pi88PQMXIZ3v2jPn9uE50%2B7sfn3PB%2FD2SBG1luKM%2BcX4xmmAa9lBeO4YV7eHLZRuujfrNAD1p7ibfanLrhtk7C%2BooBJ%2BBrhzZgQiVRPozazGmTh0p9ZDu5uwqfnNncRfsUH3MC2DU7%2F2lLeIXl2i4", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162253&Signature=DsUEk3x0D0tLMeH64e%2BL%2BU0fmDQgZPub6sr2i81od6MJcTmkUHTvUwY4TX7A4UF7CHp6x9os7H6ACU0L6ZaarkQrPNm5dsT7lulfOTfMO4b8%2B9vETdbWgCFKDoxSh1JDRedcaByU9eHDx1EubCyeCzVwlhIQD6DY731Nqnbs%2FbM6xAvxXIrjJXGTEIhmWk2rwD9E7fIYWKxJ3PIwdd9LxuRcfsiqFrEfxSfL%2FhCUtkAzP9VJk%2B", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162273&Signature=sHM7md8FG3NGW4EaoHgxxJxesr%2BwB7HqWHK1D3tULtGS5B9x6lSEfz%2F7oBPbC%2FW1AjBMAQvDCNRY5nUYvLs9v1lyCmWTdlaXzqGLXKKucME3uJxTnsyz%2BD1NufC0hBTMCOi72Sr8g6t%2Fs0AUKgWVoI%2FzNNPjkBnA8yhuPJDg%2FagW1ZWHbCCmuvDq89e7cuw7zAwSyLYepQaw6NwWxkbXxbLmCPt8NgH1FxvePXTh2u6kEBUkC3rfaYMz", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162432&Signature=TWbtmQs4bcHbMfmTekVuORg%2BkrtroxYd8P8uC5usycoJ%2BB%2FHow0wKjA9ZjhOZxjEmMD0SR0LJtJtz9WjU4Bo%2BUGImGkUS%2BpVWmWEUlAnFAifUeH4f5YQ%2F6cNsYropo5WcFbSSs5CBkVFTFkx0oi7v6eoTVbSOB6ZuXf3th4SLotta8FcMAzmgs6224SExEQaOgbe8HNnU%2F7BqF5906uMA793JnqbInA83%2BrUvFoO1vo3f%", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162454&Signature=s%2FL8LyYQ5ohWNf8k%2F4%2BjtOHEZw%2FPBQ50rPOAG6qtrJE1i6GAlRl5exjz0kySLyFUjqw1a%2BRmbp%2BGOUpGT1lFr%2FJQ6MrmypYvlc6FB451hDVD6FGhK1ux%2FDBdqi3jA5ZcM0TBp9nG%2FzUmdBcnXGtpTT6vgdZpgZT6%2FcaTnDSXLieEgVqCAgVX%2FZFQg3ZVxCBndzTcuRqQmR2axdb1QaRQ%2BIFIaYonKsJt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 294, "FileHash-SHA1": 122, "FileHash-SHA256": 1747, "URL": 5866, "hostname": 1673, "domain": 432, "CVE": 1, "email": 2 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69de16a3c7cc241533da1de7", "name": "CAPE Sandbox", "description": "The full text of the full report on the events of 9 January 2016:-17 February 2017.. and the details will appear on Facebook, Twitter, Instagram and iPlayer, as well as BBC News.Publicly sourced data.", "modified": "2026-05-14T11:12:02.310000", "created": "2026-04-14T10:27:47.855000", "tags": [ "default", "win1", "acrongl integ", "adc4240758", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "angsana new", "accept", "shutdown", "bits", "users", "files c", "registry keys", "parent pid", "full path", "command line", "mutexes nothing", "settings c", "users c", "file type", "ascii text", "html document", "ascii", "smtp", "united", "pe file", "ms windows", "found", "pe32", "exploit", "window", "mydoom", "malicious", "next", "windows sandbox", "calls process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776161759&Signature=r%2BKlsLyBnYpOeeNHzRs9%2B7pdGx2v0X0pOyuXLCoa%2BnUPUCVB26zsfTA6MkxYVG1EJEHvnIlhFuROVrTGOBD3iJ8Pi88PQMXIZ3v2jPn9uE50%2B7sfn3PB%2FD2SBG1luKM%2BcX4xmmAa9lBeO4YV7eHLZRuujfrNAD1p7ibfanLrhtk7C%2BooBJ%2BBrhzZgQiVRPozazGmTh0p9ZDu5uwqfnNncRfsUH3MC2DU7%2F2lLeIXl2i4", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162253&Signature=DsUEk3x0D0tLMeH64e%2BL%2BU0fmDQgZPub6sr2i81od6MJcTmkUHTvUwY4TX7A4UF7CHp6x9os7H6ACU0L6ZaarkQrPNm5dsT7lulfOTfMO4b8%2B9vETdbWgCFKDoxSh1JDRedcaByU9eHDx1EubCyeCzVwlhIQD6DY731Nqnbs%2FbM6xAvxXIrjJXGTEIhmWk2rwD9E7fIYWKxJ3PIwdd9LxuRcfsiqFrEfxSfL%2FhCUtkAzP9VJk%2B", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162273&Signature=sHM7md8FG3NGW4EaoHgxxJxesr%2BwB7HqWHK1D3tULtGS5B9x6lSEfz%2F7oBPbC%2FW1AjBMAQvDCNRY5nUYvLs9v1lyCmWTdlaXzqGLXKKucME3uJxTnsyz%2BD1NufC0hBTMCOi72Sr8g6t%2Fs0AUKgWVoI%2FzNNPjkBnA8yhuPJDg%2FagW1ZWHbCCmuvDq89e7cuw7zAwSyLYepQaw6NwWxkbXxbLmCPt8NgH1FxvePXTh2u6kEBUkC3rfaYMz", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162432&Signature=TWbtmQs4bcHbMfmTekVuORg%2BkrtroxYd8P8uC5usycoJ%2BB%2FHow0wKjA9ZjhOZxjEmMD0SR0LJtJtz9WjU4Bo%2BUGImGkUS%2BpVWmWEUlAnFAifUeH4f5YQ%2F6cNsYropo5WcFbSSs5CBkVFTFkx0oi7v6eoTVbSOB6ZuXf3th4SLotta8FcMAzmgs6224SExEQaOgbe8HNnU%2F7BqF5906uMA793JnqbInA83%2BrUvFoO1vo3f%", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162454&Signature=s%2FL8LyYQ5ohWNf8k%2F4%2BjtOHEZw%2FPBQ50rPOAG6qtrJE1i6GAlRl5exjz0kySLyFUjqw1a%2BRmbp%2BGOUpGT1lFr%2FJQ6MrmypYvlc6FB451hDVD6FGhK1ux%2FDBdqi3jA5ZcM0TBp9nG%2FzUmdBcnXGtpTT6vgdZpgZT6%2FcaTnDSXLieEgVqCAgVX%2FZFQg3ZVxCBndzTcuRqQmR2axdb1QaRQ%2BIFIaYonKsJt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 346, "FileHash-SHA1": 338, "FileHash-SHA256": 859, "URL": 1100, "hostname": 374, "domain": 30 }, "indicator_count": 3047, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d9b0e549af1aae2975ebeb", "name": "Virtual Servers \u2022 Tulach \u2022 Eternal Blue", "description": "Interesting. Further research required. \n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+\n\n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff90+IP:+Sweden%0A\\\\xfff0\\\\xff9f\\\\xff97\\\\xffba+Country:+SE+", "modified": "2026-05-11T02:31:44.768000", "created": "2026-04-11T02:24:37.102000", "tags": [ "related pulses", "apple", "imac", "itunes", "tulach", "active", "vercel", "ms windows", "intel", "yara rule", "lredmond", "rsds", "write c", "tls sni", "write", "install", "rijndael", "malware", "accept", "self", "mtb apr", "lowfi", "backdoor", "antigua", "trojandropper", "all ipv4", "urls", "prometheus", "files", "files ip", "address", "united", "unknown aaaa", "cname", "tags", "keepalived", "ip address", "red hat", "nat node", "gns3", "firefox", "ovn network", "instances", "forum", "linux", "dynamicloader", "exclusionpath", "medium", "high", "telegram api", "windows", "f rl", "highest sc", "guard", "april", "powershell", "c mar", "virtool", "c jan", "c dec", "urls show", "url hostname", "ransom", "click", "title", "njrat", "as64521i", "bird", "bgp", "virtual private", "virtual servers", "et exploit", "ms17010 echo", "response", "echo response", "asnone", "probe ms17010", "nids", "m2 ms17010", "regsetvalueexa", "service", "wannacry", "dock", "unknown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "mitre att", "defense evasion", "sha1", "sha256", "size", "pattern match", "ascii text", "path", "stop", "hybrid", "general", "local", "twitter", "strings", "core", "telegram", "tools" ], "references": [ "Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H IDS Detections Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE Probe MS17-010 (Generic Flags) Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , WannaCry_Ransomware_Gen , WannaDecryptor , stack_string , MS17_010_WanaCry_worm More Alerts nids_exploit", "https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+ Akamai rank: #2475\t URL https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff9", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf", "https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f", "Trojans: 149.154.166.110 command_and_control (build your own telegram) 208.95.112.1 command_and_control", "prometheus.shorty.cicloinfinito.com", "Win.Packed.njRAT-10002074-1", "NJRat IDS Detections: Telegram API Domain in DNS Lookup", "NJRat IDS Detections: Observed Telegram API Domain (api .telegram .org in TLS SNI)", "NJRat IDS Detections: Telegram API Certificate Observed", "NJRat Yara Detections: ByteCode_MSIL_Backdoor_AsyncRAT", "NJRat Alerts: hardware_id_profiling network_cnc_https_pastesite persistence_autorun", "NJRat Alerts: persistence_autorun_tasks binary_yara procmem_yara suricata_alert", "NJRat Alerts: windows_defender_powershell network_document_file powershell_command_suspicious", "NJRat Alerts: suspicious_command_tools antidebug_guardpages antisandbox_sleep", "NJRat Alerts: dynamic_function_loading encrypted_ioc registers_vectored_exception_handler", "NJRat Alerts: http_request reads_memory_remote_process network_cnc_https_generic reads_self", "NJRat IP\u2019s Contacted 149.154.166.110 172.66.171.73", "NJRat Domains Contacted pastebin.com api.telegram.org", "192.168.122.200 BGP: Simulating Inter-network Dynamic Routing", "EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.105\", \"dst_port\": 49317, \"sid\": 2025650, \"date\": \"2020/06/18 11:39:48\", \"dst_ip\": \"192.168.56.103\" }, \"type\": \"ioc\", \"description\": null }, { \"category\": \"suricata\", \"ioc\": { \"src_port\": 445, \"name\": \"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.108\", \"dst_port\": 49324, " ], "public": 1, "adversary": "", "targeted_countries": [ "Japan", "United States of America", "China" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908396-0", "display_name": "Win.Trojan.Generic-9908396-0", "target": null }, { "id": "Win.Trojan.Crypted-30", "display_name": "Win.Trojan.Crypted-30", "target": null }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" }, { "id": "Win.Malware.Score-6985947-1", "display_name": "Win.Malware.Score-6985947-1", "target": null }, { "id": "ALF:PWS:MSIL/Stealgen.GC!MTB", "display_name": "ALF:PWS:MSIL/Stealgen.GC!MTB", "target": null }, { "id": "Win.Packed.Zpack-10013367-0", "display_name": "Win.Packed.Zpack-10013367-0", "target": null }, { "id": "ALF:Trojan:Win32/FormBook.F!MTB", "display_name": "ALF:Trojan:Win32/FormBook.F!MTB", "target": null }, { "id": "Win.Malware.Renos-10003934-0", "display_name": "Win.Malware.Renos-10003934-0", "target": null }, { "id": "Win.Trojan.Razy-10016933-0", "display_name": "Win.Trojan.Razy-10016933-0", "target": null }, { "id": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A", "display_name": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A", "target": null }, { "id": "NJRat", "display_name": "NJRat", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null }, { "id": "W32/WannaCryptor.491A!tr.ransom", "display_name": "W32/WannaCryptor.491A!tr.ransom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1144", "name": "Gatekeeper Bypass", "display_name": "T1144 - Gatekeeper Bypass" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [ "Telecommunications", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 556, "domain": 206, "URL": 863, "FileHash-SHA256": 1589, "FileHash-MD5": 472, "FileHash-SHA1": 376, "SSLCertFingerprint": 11, "email": 1 }, "indicator_count": 4074, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d3532c76eb3bf5edd9609b", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:08.181000", "created": "2026-04-06T06:31:08.181000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d3532a6537880f6e2c68dc", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:06.730000", "created": "2026-04-06T06:31:06.730000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686df81130f94fff809dd8b7", "name": "T-Mobile Service- 23.185.0.2 - Mirai", "description": "", "modified": "2025-08-08T04:05:03.809000", "created": "2025-07-09T05:03:13.536000", "tags": [ "germany unknown", "passive dns", "invalid url", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "frankfurt", "main", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr11", "validity", "public key", "info", "south korea", "united", "taiwan as3462", "as21928", "china as4134", "as4766 korea", "china as4837", "as9318 sk", "high", "as701 verizon", "malware", "copy", "name jim", "zemlin name", "letterman dr", "address bldg", "d ste", "date", "dnssec", "record value", "emails", "address", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jul", "present showing", "entries related", "domains show", "present jun", "search", "enom", "creation date", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 178, "FileHash-SHA1": 180, "FileHash-SHA256": 2435, "hostname": 644, "domain": 603, "URL": 585, "email": 3 }, "indicator_count": 4628, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68635826ef3c26c8f6546ad5", "name": "Trojan.Mybot-12000 | Parking Crew - Feebs Worm |", "description": "Feebs expansion didn\u2019t pulse the correct results. \nworm.feebs.ae \n#identified #active\nExpanded. Parking crews:\n\u2022 virus:Win32/Madang.A\n\u2022 Trojan.Mybot-12000\n\u2022 Win.Worm.Eggnog-6\n\u2022 Unruy\n\u2022 Worm.Picsys\n\u2022 worm:Win32/Mydoom.O!backdoor\n\u2022 Unruy\n\u2022 trojan:Win32/Phishbank.A\n\u2022 Win32:MultiPlug-ADL\\ [Adw]\n\u2022 DotNET_Crypto_Obfuscator\n\u2022 Worm.Feebs.AE Blocked by Quad9 - IRCbot \u2022 worm.feebs.ae \u2022 #dga #running_webserver #feebs #trojan #spy #bot #ransom #virtool #irc #backfdoor #worm #dropper #banker #registrarabuse #droppedconnectionstoday #operation #data_selling #binary #infection #pointing #backdoor #domain_prefix #trojan #parkingcrew # domain #abuse #multi compromised #ping +\u2026 more\n\n(Cannot annotate)", "modified": "2025-07-31T03:00:41.573000", "created": "2025-07-01T03:38:14.229000", "tags": [ "type name", "win32 exe", "graph summary", "search", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "entries", "indicator", "quad9", "ircbot", "ck ids", "t1140", "information", "t1060", "run keys", "startup", "folder" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 201, "FileHash-SHA1": 196, "FileHash-SHA256": 2723, "URL": 82, "domain": 183, "hostname": 439 }, "indicator_count": 3824, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68635823896b29555651547d", "name": "Trojan.Mybot-12000 | Parking Crew - Feebs Worm |", "description": "Feebs expansion didn\u2019t pulse the correct results. \nworm.feebs.ae \n#identified #active\nExpanded. Parking crews:\n\u2022 virus:Win32/Madang.A\n\u2022 Trojan.Mybot-12000\n\u2022 Win.Worm.Eggnog-6\n\u2022 Unruy\n\u2022 Worm.Picsys\n\u2022 worm:Win32/Mydoom.O!backdoor\n\u2022 Unruy\n\u2022 trojan:Win32/Phishbank.A\n\u2022 Win32:MultiPlug-ADL\\ [Adw]\n\u2022 DotNET_Crypto_Obfuscator\n\u2022 Worm.Feebs.AE Blocked by Quad9 - IRCbot \u2022 worm.feebs.ae \u2022 #dga #running_webserver #feebs #trojan #spy #bot #ransom #virtool #irc #backfdoor #worm #dropper #banker #registrarabuse #droppedconnectionstoday #operation #data_selling #binary #infection #pointing #backdoor #domain_prefix #trojan #parkingcrew # domain #abuse #multi compromised #ping +\u2026 more", "modified": "2025-07-31T03:00:41.573000", "created": "2025-07-01T03:38:11.946000", "tags": [ "type name", "win32 exe", "graph summary", "search", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "entries", "indicator", "quad9", "ircbot", "ck ids", "t1140", "information", "t1060", "run keys", "startup", "folder" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 201, "FileHash-SHA1": 196, "FileHash-SHA256": 2723, "URL": 82, "domain": 183, "hostname": 439 }, "indicator_count": 3824, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686352205a51630fe27eb9ae", "name": "Parking Crew - Feebs Worm | Domain Abuse |", "description": "worm.feebs.ae Expanded.\nParking crews monetize malicious DGA domains for large amounts of money. Hosting can last a minute to hours , months days at a time. Governments also use these types of services if conducting a targeted investigation. In this one instance , it would me unethical , silencing , aiding, maligning, conspiracy or \u201ccollusion\u201d.\n\nSuper malicious. Found in network investigation of a malicious internet at an Upscale Denver Complex that was once a hospital . There is even has a Reddit threat about how bad the internet is. There is so much maliciousness to review before speaking.\n#network#dga #trojan #parkingcrew # domain #abuse #multi compromised", "modified": "2025-07-31T02:02:26.079000", "created": "2025-07-01T03:12:32.035000", "tags": [ "feebs", "type name", "win32 exe", "graph summary" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 402, "domain": 151, "URL": 83, "FileHash-MD5": 163, "FileHash-SHA1": 160, "FileHash-SHA256": 1646 }, "indicator_count": 2605, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6863521fed1bb77251bfd931", "name": "Parking Crew - Feebs Worm | Domain Abuse |", "description": "worm.feebs.ae Expanded.\nParking crews monetize malicious DGA domains for large amounts of money. Hosting can last a minute to hours , months days at a time. Governments also use these types of services if conducting a targeted investigation. In this one instance , it would me unethical , silencing , aiding, maligning, conspiracy or \u201ccollusion\u201d.\nMALICIOUS. Found in network investigation of a malicious internet at an Upscale Denver Complex that was once a hospital . There is even has a Reddit threat about how bad the internet is. There is so much maliciousness to review before speaking.\n#network#dga #trojan #parkingcrew # domain #abuse #multi compromised", "modified": "2025-07-31T02:02:26.079000", "created": "2025-07-01T03:12:31.004000", "tags": [ "feebs", "type name", "win32 exe", "graph summary" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 402, "domain": 151, "URL": 83, "FileHash-MD5": 163, "FileHash-SHA1": 160, "FileHash-SHA256": 1646 }, "indicator_count": 2605, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6863521f80ccde1b71d70787", "name": "Parking Crew - Feebs Worm | Domain Abuse |", "description": "worm.feebs.ae Expanded.\nParking crews monetize malicious DGA domains for large amounts of money. Hosting can last a minute to hours , months days at a time. Governments also use these types of services if conducting a targeted investigation. In this one instance , it would me unethical , silencing , aiding, maligning, conspiracy or \u201ccollusion\u201d.\n\nSuper malicious. Found in network investigation of a malicious internet at an Upscale Denver Complex that was once a hospital . There is even has a Reddit threat about how bad the internet is. There is so much maliciousness to review before speaking.\n#network#dga #trojan #parkingcrew # domain #abuse #multi compromised", "modified": "2025-07-31T02:02:26.079000", "created": "2025-07-01T03:12:31.831000", "tags": [ "feebs", "type name", "win32 exe", "graph summary" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 402, "domain": 151, "URL": 83, "FileHash-MD5": 163, "FileHash-SHA1": 160, "FileHash-SHA256": 1646 }, "indicator_count": 2605, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6863521d5a9eb677bcf1e0b2", "name": "Parking Crew - Feebs Worm | Domain Abuse |", "description": "worm.feebs.ae Expanded.\nParking crews monetize malicious DGA domains for large amounts of money. Hosting can last a minute to hours , months days at a time. Governments also use these types of services if conducting a targeted investigation. In this one instance , it would me unethical , silencing , aiding, maligning, conspiracy or \u201ccollusion\u201d.\n\nSuper malicious. Found in network investigation of a malicious internet at an Upscale Denver Complex that was once a hospital . There is even has a Reddit threat about how bad the internet is. There is so much maliciousness to review before speaking.\n#network#dga #trojan #parkingcrew # domain #abuse #multi compromised", "modified": "2025-07-31T02:02:26.079000", "created": "2025-07-01T03:12:29.977000", "tags": [ "feebs", "type name", "win32 exe", "graph summary" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 402, "domain": 151, "URL": 83, "FileHash-MD5": 163, "FileHash-SHA1": 160, "FileHash-SHA256": 1646 }, "indicator_count": 2605, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6836497513b6637e7e6f39d2", "name": "Exploited Host", "description": "", "modified": "2025-06-26T22:03:25.914000", "created": "2025-05-27T23:23:33.814000", "tags": [ "cname", "aaaa", "record type", "ttl value", "ascii text", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "sha256", "united", "pattern match", "mitre att", "date", "path", "encrypt", "starfield", "hybrid", "general", "local", "click", "strings", "4624", "records", "amazon02", "us ie", "dns ns", "dns a", "dns mx", "command decode", "ck id", "show technique", "ck matrix", "filehashsha1", "filehashsha256", "filehashmd5", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "pulses", "url https", "ipv4", "ccus asnas33070", "role", "value a", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 70, "FileHash-MD5": 225, "FileHash-SHA1": 232, "FileHash-SHA256": 1004, "domain": 138, "hostname": 74, "SSLCertFingerprint": 19, "email": 1 }, "indicator_count": 1763, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68361628539ed40883b8ee66", "name": "Cycbot | Prevents affected individuals from contacting intended entities ", "description": "", "modified": "2025-06-26T19:05:21.983000", "created": "2025-05-27T19:44:40.311000", "tags": [ "backdoor", "hstr", "checkin", "entries", "urls", "files", "location united", "america flag", "united", "america asn", "trojandropper", "ransom", "trojan", "cycbot", "hash avast", "avg clamav", "msdefender jan", "virtool", "cves all", "time", "alfper", "less see", "all av" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "683614d951f4e789950071b3", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 24, "FileHash-MD5": 159, "FileHash-SHA1": 159, "FileHash-SHA256": 1440, "domain": 128, "hostname": 236, "email": 1 }, "indicator_count": 2147, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683614d951f4e789950071b3", "name": "Malicious blockade", "description": "Malicious blockade, redirecting, bot activity affecting client-firm/entity interactions (outreach organizations, legal, possibly educational\u2018 doubtful ) Botnet & monitoring\u2026my OTX profile is not working to it\u2019s full capacity. I am unable to do anything except upload and post in description.\nIPv4\n141.193.213.10\ncommand_and_control || IPv4\n142.250.150.26\nexploit_source || IPv4\n142.251.16.26\nexploit_source || IPv4\n142.251.163.26\nexploit_source ||\nhttps://crimestoppers.ab.ca\nphishing\t|| IPv4\n142.250.27.27 || Alerts - injection_inter_process\ncreates_largekey\nnetwork_bind\npersistence_autorun\npersistence_autorun_tasks\ncape_detected_threat\ninjection_process_hollowing\nantivm_generic_services\ndeletes_executed_files\ndeletes_self\ninjection_runpe\nIndirect_Command_Execution_Via_ConsoleWindowHost\npersistence_ads\nrecon_fingerprint\nsuspicious_command ||", "modified": "2025-06-26T19:05:21.983000", "created": "2025-05-27T19:39:05.470000", "tags": [ "backdoor", "hstr", "checkin", "entries", "urls", "files", "location united", "america flag", "united", "america asn", "trojandropper", "ransom", "trojan", "cycbot", "hash avast", "avg clamav", "msdefender jan", "virtool", "cves all", "time", "alfper", "less see", "all av" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 24, "FileHash-MD5": 159, "FileHash-SHA1": 159, "FileHash-SHA256": 1440, "domain": 128, "hostname": 236, "email": 1 }, "indicator_count": 2147, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68301508138ee7649cbff5dc", "name": "X.com -www.killjoebiden.com", "description": "Found in a suddenly deleted malicious X.com account I researched , and attempted to pulse. X.com link is now unavailable anywhere and no longer related. I pulsed what I thinks is the most concerning link. What remains are identified as 3 x.com IP addresses. Very disturbing . \n\u2022IPv4\n185.230.63.107\ncommand_and_control\t\t\t\n\n\u2022IPv4\n185.230.63.171\ncommand_and_control\t\t\t\n\n\u2022IPv4\n185.230.63.186\ncommand_and_control\t\t\t\n\n\u2022Domain\nkilljoebiden.com\nHostname\n\u2022 ww1.killjoebiden.com\n\u2022ww2.killjoebiden.com\n\u2022www.killjoebiden.com", "modified": "2025-06-22T05:02:08.599000", "created": "2025-05-23T06:26:16.890000", "tags": [ "record type", "ttl value", "v3 serial", "number", "algorithm", "cus starizona", "cngo daddy", "authority", "g2 validity", "subject public", "key info", "key algorithm", "status", "date", "record value", "emails", "creation date", "dnssec", "domain name", "llc status", "whois server" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 136, "FileHash-SHA1": 137, "FileHash-SHA256": 1421, "URL": 101, "domain": 90, "hostname": 61, "email": 2 }, "indicator_count": 1948, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "344 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b7119615db47ea27706a86", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .", "modified": "2024-04-12T23:03:13.367000", "created": "2024-01-29T02:46:46.076000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9102, "CVE": 5, "FileHash-MD5": 68, "FileHash-SHA1": 67, "FileHash-SHA256": 2209, "domain": 1427, "hostname": 4334 }, "indicator_count": 17212, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "779 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eff46bdd371899ca5be7d7", "name": "CrypterX-gen | Video-lal.com | M. Brian Sabey \u2022 Hall Render | Rexxfield", "description": "Videolal results. Parked. Owner of domain has subsidiaries including Huge Domains. It's possible for attacker to post a 404 error page, park, post it for sale, malvertize. HoneyPotBot? \n\nFireeye. A bit much. william.ballenthin@fireeye.com\t\ncontain a resource (.rsrc) section moritz.raabe@fireeye.com. Overkill. What would Scooby Doo? Scooby!? \nTarget reports opening her MacBook Pro after it was replaced by Apple. It hadn't been in use. She opened it, surprised it was on, automatically connected to a store wifi (she was home) A worker was typing away in terminal. Fought hacker for recordings app containing Jeffrey Reimers aggressions. She lost. Terrified she murdered her MacBook by drowning & dismemberment. Big mistake. Cloned MacBook. Clicked on links trigger malicious downloads, network & DNS issues.", "modified": "2024-04-11T04:01:24.166000", "created": "2024-03-12T06:21:31.484000", "tags": [ "upatre malware", "rwi dtools", "page dow", "security", "bitfender", "yandex", "malware", "all octoseek", "av detections", "ids detections", "yara detections", "alerts", "file score", "fireeye", "injection", "worm", "trojan", "network", "poster", "honeybots", "united", "unknown", "win32upatre mar", "passive dns", "entries", "ipv4", "body", "artro", "generic malware", "formbook", "tag count", "threat report", "ip summary", "url summary", "generic", "hostnames", "pattern match", "ascii text", "png image", "root ca", "file", "authority", "indicator", "mitre att", "ck id", "class", "date", "enterprise", "hybrid", "accept", "general", "local", "click", "strings", "trident", "as47846", "germany unknown", "as2906 netflix", "scan endpoints", "domain", "urls", "files", "trojanspy", "mozilla", "dynamicloader", "medium", "title", "ms windows", "head", "intel", "inetsim http", "delete c", "show", "winnt", "copy", "powershell", "write", "next", "suspicious", "shop", "graph api", "status", "join", "vt community", "api key", "xcitium verdict", "cloud", "contacted", "contacted urls", "ssl certificate", "referrer", "historical ssl", "parent domain", "apple ios", "resolutions", "execution", "hacktool", "outbound connection", "detection list", "blacklist" ], "references": [ "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022", "http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com", "william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"", "FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad", "Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/", "Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7", "Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c", "Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143", "allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe", "injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available", "CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33", "AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.", "Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022", "www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html", "https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html", "http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-", "http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022", "http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c", "https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/", "\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e", "\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671", "\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Win32.Renos/Artro", "display_name": "Win32.Renos/Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "I-Worm/Bagle.QE", "display_name": "I-Worm/Bagle.QE", "target": null }, { "id": "Worm.Bagle-44", "display_name": "Worm.Bagle-44", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "Win.Trojan.Generic-9897526-0", "display_name": "Win.Trojan.Generic-9897526-0", "target": null }, { "id": "Win.Trojan.Knigsfot-125", "display_name": "Win.Trojan.Knigsfot-125", "target": null }, { "id": "ALF:TrojanDownloader:Win32/Vadokrist.A", "display_name": "ALF:TrojanDownloader:Win32/Vadokrist.A", "target": null }, { "id": "Win.Trojan.Generic-9957168-0", "display_name": "Win.Trojan.Generic-9957168-0", "target": null }, { "id": "Win.Adware.RelevantKnowledge-9821121-0", "display_name": "Win.Adware.RelevantKnowledge-9821121-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "display_name": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1622, "FileHash-SHA1": 934, "FileHash-SHA256": 3289, "URL": 9605, "domain": 2321, "hostname": 2411, "CVE": 1, "email": 3 }, "indicator_count": 20186, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b5c5ebba25ca46fc5b36bc", "name": "NSO Group Pegasus spyware found attack a US citizen. Silencing", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:11:39.752000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "msie", "chrome", "certificate", "hostname", "url analysis", "http response", "final url", "status code", "body length", "b body", "sha256", "headers date", "connection", "date sat", "html info", "forbidden", "google tag", "utc aw741566034", "utc redirection", "asnone united", "as54113", "cname", "script urls", "as19527 google", "as35280 acorus", "encrypt", "reverse dns", "location dublin", "domain name", "emails", "as23724", "as4812 china", "china", "win32mydoom jan", "ransom", "worm", "as4808 china", "browse scan", "endpoints all", "login", "sign up", "tulach", "c-67-181-73-197.hsd1.ca.comcast.net", "social engineering", "contact made by mark brian sabey", "contact made by o'dea", "benjamin c" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4655, "URL": 9981, "FileHash-MD5": 219, "FileHash-SHA1": 213, "FileHash-SHA256": 6722, "hostname": 4341, "CVE": 2, "email": 12, "BitcoinAddress": 3 }, "indicator_count": 26148, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b5cbadc21b9891c459b9d2", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:13.975000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9995, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25999, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b5cbbbcb7a479db222f053", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:27.745000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9996, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 26000, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bbb998c3b7662e5059b6c2", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:40.759000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bbb98d9818cca8f130c195", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:29.619000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bbb98c440c1c45ec12ccdc", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:28.063000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bbb9815816db0de034f3a3", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:17.285000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b7e3fe934ae9d391614c0d", "name": "NSO Group Pegasus", "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T17:44:30.585000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b8071976a7e6dccaabbada", "name": "NSO Group Pegasus", "description": "", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T20:14:17.001000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65b7e406028ca6f363f41315", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b7e406028ca6f363f41315", "name": "NSO Group Pegasus", "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T17:44:38.424000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b7e4017a14cda8d09c9bf8", "name": "NSO Group Pegasus", "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T17:44:33.270000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b7e3fe91a1aceb955e54f6", "name": "NSO Group Pegasus", "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T17:44:30.147000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65de941acedcdd661f0593b6", "name": "Esurance Remote Attacks (Cloned. Who modifies reports? This happens to me)", "description": "", "modified": "2024-02-28T02:02:02.807000", "created": "2024-02-28T02:02:02.807000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": "65b711a6f49f057c311f2642", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8575, "CVE": 4, "FileHash-MD5": 47, "FileHash-SHA1": 46, "FileHash-SHA256": 1951, "domain": 1394, "hostname": 4095 }, "indicator_count": 16112, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "824 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b711a6f49f057c311f2642", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .", "modified": "2024-02-28T02:01:51.407000", "created": "2024-01-29T02:47:02.117000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8575, "CVE": 4, "FileHash-MD5": 47, "FileHash-SHA1": 46, "FileHash-SHA256": 1951, "domain": 1394, "hostname": 4095 }, "indicator_count": 16112, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b80763e9d9e18cf87d985b", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "", "modified": "2024-02-28T02:01:51.407000", "created": "2024-01-29T20:15:31.163000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": "65b711a6f49f057c311f2642", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8575, "CVE": 4, "FileHash-MD5": 47, "FileHash-SHA1": 46, "FileHash-SHA256": 1951, "domain": 1394, "hostname": 4095 }, "indicator_count": 16112, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b7119e9272b1426729e1ed", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .", "modified": "2024-02-28T02:01:51.407000", "created": "2024-01-29T02:46:54.594000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8575, "CVE": 4, "FileHash-MD5": 47, "FileHash-SHA1": 46, "FileHash-SHA256": 1951, "domain": 1394, "hostname": 4095 }, "indicator_count": 16112, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b625984205c2fc7123a673", "name": "Quasar RAT targeting an American civilian", "description": "What is Quasar RAT?\nQuasar is a remote access trojan is used by attackers to take remote control of infected machines. It is written using the .NET programming language and is available to a wide public as an open-source project for Microsoft Windows operating systems, making it a popular RAT featured in many attacks. | Seen in a sponsored cyber espionage attack of an American citizen.", "modified": "2024-02-27T09:00:30.525000", "created": "2024-01-28T09:59:52.599000", "tags": [ "whois record", "contacted", "ssl certificate", "communicating", "referrer", "pegasus", "cellbrite", "targets sa", "survivor", "network", "service", "malware", "nanocore", "core", "hacktool", "ransomexx", "quasar", "tsara brashears", "generic", "msdos", "ms windows", "intel", "win32 dynamic", "link library", "generic windos", "executable", "dos executable", "autodesk flic", "info header", "name md5", "type", "language", "urls", "ip detections", "country", "domains", "csc corporate", "tucows domains", "tucows", "psiusa", "domain robot", "technology", "shanghai", "gmo internet", "gmbh", "http method", "get http", "http requests", "get dns", "resolutions", "ip traffic", "traffic", "when", "dns resolutions", "registry keys", "malvertizing", "ms-dos executable", "pe", "january", "quasar rat", "global rank", "month", "week rank", "iocs quasar", "trojan type", "unknown origin", "first", "urls http", "as41231", "united kingdom", "united", "aaaa", "a domains", "status", "search", "date", "certificate", "moved", "encrypt", "win32", "path", "python", "cookie" ], "references": [ "lionhearted.exe: FileHash-SHA256 04f2162c8eb322c6365d384d9600054f97c620f86d06c9ee0b4ea283978192b5", "https://any.run/malware-trends/quasar", "cellebrite.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | iOS unlocker | password cracker", "https://www.maventure.ca/ [spyware]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null } ], "attack_ids": [], "industries": [ "Civilian Society", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 244, "URL": 214, "FileHash-MD5": 102, "FileHash-SHA1": 97, "FileHash-SHA256": 334, "hostname": 389, "email": 2 }, "indicator_count": 1382, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "825 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b8083118e127157ff46d76", "name": "AndroidOverlayMalware: Enterprise.Cellebrite.com | Targets SA Victim ", "description": "", "modified": "2024-02-27T04:01:50.703000", "created": "2024-01-29T20:18:57.284000", "tags": [ "ssl certificate", "whois record", "pegasus", "cellbrite", "sa victim", "assaulter", "execution", "targets sa", "survivor", "privilege https", "contacted", "resolutions", "malware", "core", "hacktool", "skynet", "dangerous", "cyber threat", "physical attacks", "cyber stalking", "malvertizing", "android overlay", "malicious", "spyware", "tracking", "all octoseek", "threat" ], "references": [ "enterprise.cellebrite.com", "osint-j2.cellebrite.com", "nsopit-ibgmc.acs-inc.com", "https://cellebrite.com/en/federal-government/", "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en", "http://init-p01st.push.apple.com/bag [Apple Tracking]", "http://www.apple.com/certificateauthority/AppleAAI2CA.cer", "http://www.apple.com/certificateauthority/AppleAAICAG3.cer" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "Ransom:Win32/Cryptor", "display_name": "Ransom:Win32/Cryptor", "target": "/malware/Ransom:Win32/Cryptor" } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Civil Society", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "65b5da65f8fa8cedd9d32395", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 89, "FileHash-SHA1": 86, "FileHash-SHA256": 385, "domain": 92, "hostname": 324, "URL": 93 }, "indicator_count": 1069, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "825 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b5da65f8fa8cedd9d32395", "name": "AndroidOverlayMalware: Enterprise.Cellebrite.com | Targets SA Victim", "description": "Software Company\nCellebrite\n\nCellebrite Enterprise Solutions\nHow Cellebrite's Enterprise Solutions Solve Your Challenges: \u00b7 Industry-leading remote collection capabilities for mobile devices, computers, etc. \nCellebrite DI Ltd. is an Israeli digital intelligence company that provides tools for federal, state, and local law enforcement as well as enterprise companies and service providers to collect, review, analyze and manage digital data.", "modified": "2024-02-27T04:01:50.703000", "created": "2024-01-28T04:39:01.670000", "tags": [ "ssl certificate", "whois record", "pegasus", "cellbrite", "sa victim", "assaulter", "execution", "targets sa", "survivor", "privilege https", "contacted", "resolutions", "malware", "core", "hacktool", "skynet", "dangerous", "cyber threat", "physical attacks", "cyber stalking", "malvertizing", "android overlay", "malicious", "spyware", "tracking", "all octoseek", "threat" ], "references": [ "enterprise.cellebrite.com", "osint-j2.cellebrite.com", "nsopit-ibgmc.acs-inc.com", "https://cellebrite.com/en/federal-government/", "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en", "http://init-p01st.push.apple.com/bag [Apple Tracking]", "http://www.apple.com/certificateauthority/AppleAAI2CA.cer", "http://www.apple.com/certificateauthority/AppleAAICAG3.cer" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "Ransom:Win32/Cryptor", "display_name": "Ransom:Win32/Cryptor", "target": "/malware/Ransom:Win32/Cryptor" } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Civil Society", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 89, "FileHash-SHA1": 86, "FileHash-SHA256": 385, "domain": 92, "hostname": 324, "URL": 93 }, "indicator_count": 1069, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "825 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b80944a3d1c9e36346e0c1", "name": "NSO Group Pegasus spyware used nefariously", "description": "", "modified": "2024-02-27T03:01:21.421000", "created": "2024-01-29T20:23:32.737000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": "65b5cbbbcb7a479db222f053", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4174, "URL": 9617, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6801, "hostname": 4314, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25400, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "825 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a59fe40c1e4412af5b5710", "name": "Qakbot Continues | DNSpionage | Gmail l Carnegie Mellon University", "description": "Qakbot continues to attack vulnerable devices; this attack affecting Chrome, Chromium, Google PlayStore - Redline Stealer, Gmail accounts.\n\nQakBot\u2019s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.", "modified": "2024-02-14T19:00:40.517000", "created": "2024-01-15T21:13:08.734000", "tags": [ "present jun", "scan endpoints", "all octoseek", "ipv4", "passive dns", "urls", "files", "reverse dns", "pittsburgh", "united", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "win32", "whois record", "ssl certificate", "threat roundup", "july", "communicating", "whois whois", "referrer", "contacted", "attack", "execution", "malware", "august", "copy", "april", "qakbot", "ursnif", "azorult", "hacktool", "metro", "banker", "keylogger", "malicious", "february", "mydoom-90", "worm", "cmu server", "caltech.edu", "gmail", "google attack", "google playstore", "chrome", "targeting", "carnegie mellon university", "algorithm", "v3 serial", "number", "issuer", "cus cnincommon", "rsa server", "ca lann", "stmi ouincommon", "validity", "key algorithm", "info", "first", "carnegie mellon", "server", "domain name", "domain record", "domain", "city", "orgid", "rtechhandle", "net128", "net1280000", "error", "dns replication", "date", "win32 exe", "winamp", "detections type", "name" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a", "128.2.42.10 'CMU' Carnegie Mellon University Server", "caltech.edu | Carnegie Mellon University", "https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a", "https://otx.alienvault.com/indicator/ip/142.250.69.206", "CVE-2022-26134", "http://matfyz.cz/ | phishing", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]", "http://alohatube.xyz/search/tsara-brashears/ [BotNet]", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www.studentaffairs.cmu.edu", "3.0.8.6 Carnegie Mellon University [cmu.edu projects]", "http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]", "googlepassword.cmu.edu", "google.cmu.edu.", "https://otx.alienvault.com/indicator/hostname/ww.google.com.uy" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 82, "FileHash-SHA1": 78, "FileHash-SHA256": 1270, "URL": 1188, "domain": 242, "hostname": 684, "CVE": 2, "CIDR": 1, "email": 2 }, "indicator_count": 3549, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "837 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a57ec1d13648277c52328a", "name": "SkyNet | CVE-2023-22518 | Found in https://get.overit.com/ (https://overit.com/)", "description": "", "modified": "2024-02-14T17:01:13.924000", "created": "2024-01-15T18:51:45.652000", "tags": [ "ssl certificate", "whois record", "whois whois", "contacted", "resolutions", "communicating", "apple", "historical ssl", "apple ios", "attempt goog", "core", "hacktool", "critical", "skynet", "execution", "tag count", "sat aug", "ioc search", "new ioc", "teams api", "contact", "threat report", "ip summary", "url summary", "summary", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65a56ee57692ef3c77d98790", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 62, "CVE": 1, "FileHash-MD5": 292, "FileHash-SHA1": 152, "FileHash-SHA256": 180, "domain": 77, "hostname": 129 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "837 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a56ee57692ef3c77d98790", "name": "Worm.Mydoom | CVE-2023-22518", "description": "Found in a device. https://get.overit.com/e3t/Ctc/DI+113/cf6br04/VVKMRH4Ycjj3W5S966p3LGhPzW4xGMq_50G7mtN6L2Zrr3q3npV1-WJV7CgH01W3tMk0S4lCfmBW4jcJrS2KcVyBW6Wnbzr2FLkBNW1XXqZZ3hNRDgW5n_5j37Bm5rgW4jR8V89fPhPcW8Kjy5v1jlxLrW1_tFCP3Lh-fKW8dt0D_5Zl--rW4bbVwL4VknldW3HNmcc8Lq3XZW2nCX1m1ZmnNfMKgp_w1Mw5XW3WDyRz7Qjn8TW6F_lCG3jwfqzW8JQF8l625KJcW8MS9Dk3SHgbwV9BL3Q4TKdzMW2LMzLr22jHz1W54nhTW22tBWbW7kW6Tg67tTPvW2ZQxLf7XHlPX38pr1", "modified": "2024-02-14T17:01:13.924000", "created": "2024-01-15T17:44:05.075000", "tags": [ "ssl certificate", "whois record", "whois whois", "contacted", "resolutions", "communicating", "apple", "historical ssl", "apple ios", "attempt goog", "core", "hacktool", "critical", "skynet", "execution", "tag count", "sat aug", "ioc search", "new ioc", "teams api", "contact", "threat report", "ip summary", "url summary", "summary", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 62, "CVE": 1, "FileHash-MD5": 292, "FileHash-SHA1": 152, "FileHash-SHA256": 180, "domain": 77, "hostname": 129 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "837 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a0194269f81650babf9b6c", "name": "Raspberry Robin | Hijacker | link: voyour-cams.xww.de | Monitoring", "description": "Raspberry Robin aka Worm.RaspberyRobin started out as an annoying, yet relatively low-profile threat that was often installed via USB drive.\nTo be able to act as a backdoor, malware needs to be active or you need to be able to trigger it remotely. Raspberry Robin gains persistence by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the initial malware.\n\nBy using command-and-control (C2) servers hosted on Tor nodes the Raspberry Robin implant can be used to distribute other malware.", "modified": "2024-02-10T15:03:45.065000", "created": "2024-01-11T16:37:22.751000", "tags": [ "ssl certificate", "whois record", "contacted", "threat roundup", "historical ssl", "december", "october", "august", "referrer", "execution", "raspberry robin", "ghost rat", "service", "dtrack", "download", "malware", "hijacker", "monitoring", "installer", "masquerading", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "parked domain", "parking crew", "malware hosting", "dga parking", "msie", "cmd", "worm", "dga malvertizing" ], "references": [ "voyour-cams.xww.de", "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples", "https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LokiBot", "display_name": "LokiBot", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "Roshtyak", "display_name": "Roshtyak", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1052.001", "name": "Exfiltration over USB", "display_name": "T1052.001 - Exfiltration over USB" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 81, "FileHash-SHA1": 83, "FileHash-SHA256": 3484, "URL": 7778, "domain": 2468, "hostname": 2348, "email": 2, "CVE": 1 }, "indicator_count": 16245, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65676fdedd4bf87319fcd14a", "name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/", "description": "", "modified": "2023-12-29T16:03:00.220000", "created": "2023-11-29T17:07:42.477000", "tags": [ "ssl certificate", "whois record", "contacted", "apple", "historical ssl", "referrer", "resolutions", "highly targeted", "execution", "password", "ratel", "core", "hacktool", "attack", "life", "android", "project", "chaos", "ransomexx", "quasar", "name verdict", "no data", "tag count", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag tag", "pattern match", "script", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "beginstring", "mitre att", "null", "date", "unknown", "error", "span", "class", "generator", "critical", "body", "meta", "hybrid", "general", "click", "strings", "refresh", "tools", "ip summary", "url summary", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "malicious url", "phishing", "union", "bank", "traffic", "tor known", "tor relayrouter", "node tcp", "spammer", "anonymizer", "united", "firehol gozi", "cname", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnapple", "public server", "ecc ca", "g1 oapple", "validity", "public key", "info", "domain status", "server", "redacted for", "privacy tech", "privacy admin", "email", "registrar abuse", "country", "postal code", "code", "csc corporate", "domains", "registrar url", "registry domain", "contact phone", "registrar whois", "security", "dns replication", "servers", "passive dns", "urls", "creation date", "rsa cn", "ca g2", "search", "record value", "object", "certificate", "orgtechhandle", "apple computer", "orgtechref", "rauschenberg", "rtechhandle", "rtechref", "network", "registry arin", "country us", "domain", "lookups", "city", "orgid", "stevens creek", "city center", "dropped", "pe resource", "collections", "contacted urls", "stealer", "nanocore", "malicious", "installer", "neworder.doc", "et", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "setcookie geous", "cookie", "malware site", "malicious site", "genericm", "phishing site", "malware", "lazarus", "tulach", "tsara brashears", "targeting", "malvertizing", "ios", "icloud compromise", "apple support compromise", "apple app store compromise", "t-mobile", "metroby-tmo", "metro", "dgs", "qwest", "zombie devices", "python infostealer", "soc", "red", "galaxy watch", "gear s", "watch", "samsung galaxy", "app store", "gear s2", "gear sport", "gear s3", "active", "active2", "galaxy", "blacklist https", "tld count", "scan endpoints", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "verdict", "samsug", "galaxy watch", "registrar", "showing", "as43350 nforce", "united kingdom", "alexa top", "alexa" ], "references": [ "https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca", "ocsp2.apple.com | IP 17.253.29.199", "5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate", "CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE", "37.48.65.150 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.33.20.235 | command and control", "45.33.23.183 | command and control", "45.33.30.197 | command and control", "45.56.79.23 | command and control", "45.79.19.196 | command and control", "172.93.103.100 | command and control", "198.58.118.167 | command and control", "185.107.56.200 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.79.19.196 | command and control", "5.79.79.211 | command and control", "72.14.178.174 | command and control", "72.14.178.174 | command and control", "72.14.185.43 | command and control", "96.126.123.244 | command and control", "20.99.186.246 | command and contro", "103.246.145.111 | scanning host", "https://tulach.cc/ | phishing", "tulach.cc. | Malicious compromises \u2022 Critical", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy", "https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware", "message.htm.com | malware ransomware spreader", "ussjc9-edge-bx-008.ts.apple.com | malware", "nr-data.net | Apple Private Data Collection", "https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)", "apple.com | malicious \u2022 geo tracking", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog", "https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument", "drip.colorado.edu = colorado.edu @ University of Colorado Boulder" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Nimnul", "display_name": "Nimnul", "target": null }, { "id": "Botnet Army", "display_name": "Botnet Army", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Telecommunications", "Public" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4559, "FileHash-MD5": 187, "FileHash-SHA1": 161, "FileHash-SHA256": 2628, "domain": 744, "hostname": 1598, "email": 11, "CVE": 1, "CIDR": 2 }, "indicator_count": 9891, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "884 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a986b2f9afc18556b1181", "name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/", "description": "", "modified": "2023-12-29T16:03:00.220000", "created": "2023-12-02T02:37:31.842000", "tags": [ "ssl certificate", "whois record", "contacted", "apple", "historical ssl", "referrer", "resolutions", "highly targeted", "execution", "password", "ratel", "core", "hacktool", "attack", "life", "android", "project", "chaos", "ransomexx", "quasar", "name verdict", "no data", "tag count", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag tag", "pattern match", "script", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "beginstring", "mitre att", "null", "date", "unknown", "error", "span", "class", "generator", "critical", "body", "meta", "hybrid", "general", "click", "strings", "refresh", "tools", "ip summary", "url summary", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "malicious url", "phishing", "union", "bank", "traffic", "tor known", "tor relayrouter", "node tcp", "spammer", "anonymizer", "united", "firehol gozi", "cname", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnapple", "public server", "ecc ca", "g1 oapple", "validity", "public key", "info", "domain status", "server", "redacted for", "privacy tech", "privacy admin", "email", "registrar abuse", "country", "postal code", "code", "csc corporate", "domains", "registrar url", "registry domain", "contact phone", "registrar whois", "security", "dns replication", "servers", "passive dns", "urls", "creation date", "rsa cn", "ca g2", "search", "record value", "object", "certificate", "orgtechhandle", "apple computer", "orgtechref", "rauschenberg", "rtechhandle", "rtechref", "network", "registry arin", "country us", "domain", "lookups", "city", "orgid", "stevens creek", "city center", "dropped", "pe resource", "collections", "contacted urls", "stealer", "nanocore", "malicious", "installer", "neworder.doc", "et", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "setcookie geous", "cookie", "malware site", "malicious site", "genericm", "phishing site", "malware", "lazarus", "tulach", "tsara brashears", "targeting", "malvertizing", "ios", "icloud compromise", "apple support compromise", "apple app store compromise", "t-mobile", "metroby-tmo", "metro", "dgs", "qwest", "zombie devices", "python infostealer", "soc", "red", "galaxy watch", "gear s", "watch", "samsung galaxy", "app store", "gear s2", "gear sport", "gear s3", "active", "active2", "galaxy", "blacklist https", "tld count", "scan endpoints", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "verdict", "samsug", "galaxy watch", "registrar", "showing", "as43350 nforce", "united kingdom", "alexa top", "alexa" ], "references": [ "https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca", "ocsp2.apple.com | IP 17.253.29.199", "5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate", "CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE", "37.48.65.150 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.33.20.235 | command and control", "45.33.23.183 | command and control", "45.33.30.197 | command and control", "45.56.79.23 | command and control", "45.79.19.196 | command and control", "172.93.103.100 | command and control", "198.58.118.167 | command and control", "185.107.56.200 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.79.19.196 | command and control", "5.79.79.211 | command and control", "72.14.178.174 | command and control", "72.14.178.174 | command and control", "72.14.185.43 | command and control", "96.126.123.244 | command and control", "20.99.186.246 | command and contro", "103.246.145.111 | scanning host", "https://tulach.cc/ | phishing", "tulach.cc. | Malicious compromises \u2022 Critical", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy", "https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware", "message.htm.com | malware ransomware spreader", "ussjc9-edge-bx-008.ts.apple.com | malware", "nr-data.net | Apple Private Data Collection", "https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)", "apple.com | malicious \u2022 geo tracking", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog", "https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument", "drip.colorado.edu = colorado.edu @ University of Colorado Boulder" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Nimnul", "display_name": "Nimnul", "target": null }, { "id": "Botnet Army", "display_name": "Botnet Army", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Telecommunications", "Public" ], "TLP": "white", "cloned_from": "65676fdedd4bf87319fcd14a", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4559, "FileHash-MD5": 187, "FileHash-SHA1": 161, "FileHash-SHA256": 2628, "domain": 744, "hostname": 1598, "email": 11, "CVE": 1, "CIDR": 2 }, "indicator_count": 9891, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "884 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65610ac30744fcf636cc2a67", "name": "http://errors.dropopenobject.com/mac-error.gif?app=60094&campaign=", "description": "http://errors.dropopenobject.com/mac-error.gif?app=60094&campaign=2929&errtype=updatedownloaderinfo&funcname=updatedownloader::main&ibic=30b1f00119b0edae535883513aec9512&msg=start&os=mac_10_16&rnd=1663869393157734&ver=upd_01-27&verifier=db079154c6b8d1935cf1cf6cda123e25", "modified": "2023-12-24T19:00:45.425000", "created": "2023-11-24T20:42:43.965000", "tags": [ "passive dns", "urls", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "none file", "type textplain", "cyber threat", "united", "team", "covid19", "phishtank", "engineering", "phishing site", "malware site", "malware", "phishing", "malicious", "bank", "zeus", "zbot", "tinba", "stealer", "miner", "ponmocup", "ave maria", "artemis", "nymaim", "emotet", "redline stealer", "qakbot", "asyncrat", "cobalt strike", "suppobox", "ramnit", "ransomware", "matsnu", "kraken", "simda", "citadel", "vawtrak", "tag count", "mon oct", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "netsky", "team malware", "blacklist http" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 222, "FileHash-SHA1": 122, "FileHash-SHA256": 2023, "URL": 6912, "domain": 1503, "hostname": 1755, "CVE": 1 }, "indicator_count": 12538, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "889 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65610ac149b19048e822118b", "name": "http://errors.dropopenobject.com/mac-error.gif?app=60094&campaign=", "description": "http://errors.dropopenobject.com/mac-error.gif?app=60094&campaign=2929&errtype=updatedownloaderinfo&funcname=updatedownloader::main&ibic=30b1f00119b0edae535883513aec9512&msg=start&os=mac_10_16&rnd=1663869393157734&ver=upd_01-27&verifier=db079154c6b8d1935cf1cf6cda123e25", "modified": "2023-12-24T19:00:45.425000", "created": "2023-11-24T20:42:41.302000", "tags": [ "passive dns", "urls", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "none file", "type textplain", "cyber threat", "united", "team", "covid19", "phishtank", "engineering", "phishing site", "malware site", "malware", "phishing", "malicious", "bank", "zeus", "zbot", "tinba", "stealer", "miner", "ponmocup", "ave maria", "artemis", "nymaim", "emotet", "redline stealer", "qakbot", "asyncrat", "cobalt strike", "suppobox", "ramnit", "ransomware", "matsnu", "kraken", "simda", "citadel", "vawtrak", "tag count", "mon oct", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "netsky", "team malware", "blacklist http" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 222, "FileHash-SHA1": 122, "FileHash-SHA256": 2023, "URL": 6912, "domain": 1503, "hostname": 1755, "CVE": 1 }, "indicator_count": 12538, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "889 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6544cbbca7610e92e4262c47", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Targeting", "description": "", "modified": "2023-11-29T14:03:31.663000", "created": "2023-11-03T10:30:20.965000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "654140bae73f795aa914e8de", "export_count": 108, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "914 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654140bae73f795aa914e8de", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-31T18:00:26.439000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "65401d73e96dd70037ed22a7", "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "914 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+", "45.33.30.197 | command and control", "https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "https://www.maventure.ca/ [spyware]", "45.79.19.196 | command and control", "ppa.launchpad.net [Apple open use]", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE", "Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H IDS Detections Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE Probe MS17-010 (Generic Flags) Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , WannaCry_Ransomware_Gen , WannaDecryptor , stack_string , MS17_010_WanaCry_worm More Alerts nids_exploit", "googlepassword.cmu.edu", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "http://www.apple.com/certificateauthority/AppleAAI2CA.cer", "5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "ussjc9-edge-bx-008.ts.apple.com | malware", "cellebrite.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples", "https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776161759&Signature=r%2BKlsLyBnYpOeeNHzRs9%2B7pdGx2v0X0pOyuXLCoa%2BnUPUCVB26zsfTA6MkxYVG1EJEHvnIlhFuROVrTGOBD3iJ8Pi88PQMXIZ3v2jPn9uE50%2B7sfn3PB%2FD2SBG1luKM%2BcX4xmmAa9lBeO4YV7eHLZRuujfrNAD1p7ibfanLrhtk7C%2BooBJ%2BBrhzZgQiVRPozazGmTh0p9ZDu5uwqfnNncRfsUH3MC2DU7%2F2lLeIXl2i4", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "128.2.42.10 'CMU' Carnegie Mellon University Server", "alohatube.xyz", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim", "https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)", "NJRat Alerts: http_request reads_memory_remote_process network_cnc_https_generic reads_self", "https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca", "NJRat IDS Detections: Observed Telegram API Domain (api .telegram .org in TLS SNI)", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "45.33.2.79 | command and control", "NJRat Domains Contacted pastebin.com api.telegram.org", "http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-", "http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://tulach.cc/ | phishing", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "prometheus.shorty.cicloinfinito.com", "http://www.apple.com/certificateauthority/AppleAAICAG3.cer", "bell.ca", "172.93.103.100 | command and control", "http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html", "https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net", "https://cellebrite.com/en/federal-government/", "https://www.nsogroup.com", "CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S", "https://www.malwarebytes.com/emotet", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "apple.com | malicious \u2022 geo tracking", "http://mail.thyrsus.com/ [phishing]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "https://www.esurance.com/", "45.33.20.235 | command and control", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "caltech.edu | Carnegie Mellon University", "deviceinbox.com", "EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.105\", \"dst_port\": 49317, \"sid\": 2025650, \"date\": \"2020/06/18 11:39:48\", \"dst_ip\": \"192.168.56.103\" }, \"type\": \"ioc\", \"description\": null }, { \"category\": \"suricata\", \"ioc\": { \"src_port\": 445, \"name\": \"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.108\", \"dst_port\": 49324, ", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "45.56.79.23 | command and control", "103.246.145.111 | scanning host", "NJRat IDS Detections: Telegram API Certificate Observed", "http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]", "https://otx.alienvault.com/indicator/hostname/ww.google.com.uy", "ocsp2.apple.com | IP 17.253.29.199", "support.apple.com [nefarious]", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "https://www.nsogroup.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "caselaw.lawlink.com", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162454&Signature=s%2FL8LyYQ5ohWNf8k%2F4%2BjtOHEZw%2FPBQ50rPOAG6qtrJE1i6GAlRl5exjz0kySLyFUjqw1a%2BRmbp%2BGOUpGT1lFr%2FJQ6MrmypYvlc6FB451hDVD6FGhK1ux%2FDBdqi3jA5ZcM0TBp9nG%2FzUmdBcnXGtpTT6vgdZpgZT6%2FcaTnDSXLieEgVqCAgVX%2FZFQg3ZVxCBndzTcuRqQmR2axdb1QaRQ%2BIFIaYonKsJt", "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en", "Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c", "https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack", "william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"", "45.33.23.183 | command and control", "CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nsopit-ibgmc.acs-inc.com", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html", "NJRat Yara Detections: ByteCode_MSIL_Backdoor_AsyncRAT", "96.126.123.244 | command and control", "https://any.run/malware-trends/quasar", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162273&Signature=sHM7md8FG3NGW4EaoHgxxJxesr%2BwB7HqWHK1D3tULtGS5B9x6lSEfz%2F7oBPbC%2FW1AjBMAQvDCNRY5nUYvLs9v1lyCmWTdlaXzqGLXKKucME3uJxTnsyz%2BD1NufC0hBTMCOi72Sr8g6t%2Fs0AUKgWVoI%2FzNNPjkBnA8yhuPJDg%2FagW1ZWHbCCmuvDq89e7cuw7zAwSyLYepQaw6NwWxkbXxbLmCPt8NgH1FxvePXTh2u6kEBUkC3rfaYMz", "Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143", "https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f", "https://en.m.wikipedia.org \u203a wiki NSO Group", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022", "NJRat Alerts: suspicious_command_tools antidebug_guardpages antisandbox_sleep", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022", "http://matfyz.cz/ | phishing", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf", "www.studentaffairs.cmu.edu", "NJRat IP\u2019s Contacted 149.154.166.110 172.66.171.73", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "1click-uninstaller.informer.com [Apple - access PE]", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad", "drip.colorado.edu = colorado.edu @ University of Colorado Boulder", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com", "https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument", "ww.google.com.uy", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c", "www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "NJRat Alerts: persistence_autorun_tasks binary_yara procmem_yara suricata_alert", "message.htm.com [ message stealer]", "deviceinbox.com [malware hosting]", "72.14.178.174 | command and control", "lionhearted.exe: FileHash-SHA256 04f2162c8eb322c6365d384d9600054f97c620f86d06c9ee0b4ea283978192b5", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "https://tulach.cc/ [malware engineering | phishing]", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162253&Signature=DsUEk3x0D0tLMeH64e%2BL%2BU0fmDQgZPub6sr2i81od6MJcTmkUHTvUwY4TX7A4UF7CHp6x9os7H6ACU0L6ZaarkQrPNm5dsT7lulfOTfMO4b8%2B9vETdbWgCFKDoxSh1JDRedcaByU9eHDx1EubCyeCzVwlhIQD6DY731Nqnbs%2FbM6xAvxXIrjJXGTEIhmWk2rwD9E7fIYWKxJ3PIwdd9LxuRcfsiqFrEfxSfL%2FhCUtkAzP9VJk%2B", "37.48.65.150 | command and control", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy", "Backdoor.Win32.Pushdo.s Checkin", "3.0.8.6 Carnegie Mellon University [cmu.edu projects]", "message.htm.com | malware ransomware spreader", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "CVE-2022-26134", "cbi.com", "321Survive.exe", "training001.blackbagtech.com [opportunity?]", "72.14.185.43 | command and control", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware", "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "5.79.79.211 | command and control", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "enterprise.cellebrite.com", "45.33.18.44 | command and control", "nr-data.net | Apple Private Data Collection", "192.168.122.200 BGP: Simulating Inter-network Dynamic Routing", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "Win.Packed.njRAT-10002074-1", "http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-", "voyour-cams.xww.de", "https://timersys.com/ [ phishing | deb opera.com]", "google.cmu.edu.", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | iOS unlocker | password cracker", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162432&Signature=TWbtmQs4bcHbMfmTekVuORg%2BkrtroxYd8P8uC5usycoJ%2BB%2FHow0wKjA9ZjhOZxjEmMD0SR0LJtJtz9WjU4Bo%2BUGImGkUS%2BpVWmWEUlAnFAifUeH4f5YQ%2F6cNsYropo5WcFbSSs5CBkVFTFkx0oi7v6eoTVbSOB6ZuXf3th4SLotta8FcMAzmgs6224SExEQaOgbe8HNnU%2F7BqF5906uMA793JnqbInA83%2BrUvFoO1vo3f%", "Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022", "Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e", "https://otx.alienvault.com/indicator/ip/142.250.69.206", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "http://alohatube.xyz/search/tsara-brashears/ [BotNet]", "185.107.56.200 | command and control", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/", "\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "198.58.118.167 | command and control", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Name Servers PDNS1.ULTRADNS.NET Org", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog", "Trojans: 149.154.166.110 command_and_control (build your own telegram) 208.95.112.1 command_and_control", "NJRat IDS Detections: Telegram API Domain in DNS Lookup", "\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+ Akamai rank: #2475\t URL https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff9", "20.99.186.246 | command and contro", "http://init-p01st.push.apple.com/bag [Apple Tracking]", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79", "tulach.cc. | Malicious compromises \u2022 Critical", "NJRat Alerts: hardware_id_profiling network_cnc_https_pastesite persistence_autorun", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "NJRat Alerts: dynamic_function_loading encrypted_ioc registers_vectored_exception_handler", "Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022", "enterprise.cellebrite.com [ digitalclues.com]", "osint-j2.cellebrite.com", "injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available", "NJRat Alerts: windows_defender_powershell network_document_file powershell_command_suspicious", "https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "NSO Group" ], "malware_families": [ "Backdoor:win32/mydoom", "Worm:win32/benjamin", "Other:malware-gen\\ [trj]", "Trojan.wanna/wannacry", "Ramnit", "Tulach", "Quasar", "Roshtyak", "Lokibot", "Trojandownloader:win32/cutwail.bv", "Pegasus", "Win32:crypterx-gen\\ [trj]", "Eternalblue", "Androidoverlaymalware - mob-s0012", "Slf:msil/pstanomaly.a", "Win32.renos/artro", "Alf:heraklezeval:trojan:win32/neurevt", "Nanocore rat", "Lockbit", "Alf:trojan:powershell/dynamicloader", "Sabey", "Ransom:win32/makop", "Backdoor:win32/berbew", "W32/wannacryptor.491a!tr.ransom", "Lolkek", "Win.trojan.generic-9897526-0", "Hacktool", "Trojanspy:win32/nivdort.de", "Win.trojan.generic-9957168-0", "Neworder.doc", "Win.trojan.pushdo-20", "Skynet", "Emotet", "Win.trojan.razy-10016933-0", "Makop", "I-worm/bagle.qe", "Win.trojan.generic-9908396-0", "Win.trojan.crypted-30", "Lumma stealer", "Raspberry robin", "Win.malware.renos-10003934-0", "Botnet army", "Nids", "Win.malware.score-6985947-1", "Quasar rat", "Generic", "Ransomexx", "Cve-2022-26134", "Ratel", "Formbook", "Win.adware.relevantknowledge-9821121-0", "Njrat", "Ransom:win32/cryptor", "Alf:trojan:win32/formbook.f!mtb", "Worm:win32/bloored.e", "World media", "Malware packed", "Ransomexx (elf)", "Et", "Win.trojan.knigsfot-125", "Pws:win32/xport", "Alf:trojan:win32/formbook", "Trojandownloader:win32/cutwail.bs", "Cycbot", "Worm.bagle-44", "#lowfi:aggr:hstr:win32/possiblekeylogger.a", "Alf:pws:msil/stealgen.gc!mtb", "Private internet access", "Maltiverse", "Ghost rat", "Artro", "Trojanspy", "Tulach malware", "Cobalt strike", "Kryptik", "Qakbot", "Alf:trojandownloader:win32/vadokrist.a", "Nimnul", "Win.packed.zpack-10013367-0", "Dark power", "Amadey" ], "industries": [ "Insurance", "Judicial", "Civilian society", "Government", "Telecom", "Healthcare", "Public", "Legal", "Civil society", "Telecommunications", "Technology", "Education", "Health" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69efc7a6778f84c179d27073", "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]", "description": "", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:31:34.221000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "69efc567ae24b8285a71099d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1039, "hostname": 868, "domain": 687, "URL": 2226, "FileHash-MD5": 133, "FileHash-SHA1": 96, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5064, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69efc567ae24b8285a71099d", "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media", "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:21:59.824000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1037, "hostname": 865, "domain": 685, "URL": 2224, "FileHash-MD5": 131, "FileHash-SHA1": 94, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5051, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69de16ad2eff99041dc0798f", "name": "CAPE Sandbox", "description": "The full text of the full report on the events of 9 January 2016:-17 February 2017.. and the details will appear on Facebook, Twitter, Instagram and iPlayer, as well as BBC News.Publicly sourced data.", "modified": "2026-05-14T13:12:04.466000", "created": "2026-04-14T10:27:57.413000", "tags": [ "default", "win1", "acrongl integ", "adc4240758", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "angsana new", "accept", "shutdown", "bits", "users", "files c", "registry keys", "parent pid", "full path", "command line", "mutexes nothing", "settings c", "users c", "file type", "ascii text", "html document", "ascii", "smtp", "united", "pe file", "ms windows", "found", "pe32", "exploit", "window", "mydoom", "malicious", "next", "windows sandbox", "calls process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776161759&Signature=r%2BKlsLyBnYpOeeNHzRs9%2B7pdGx2v0X0pOyuXLCoa%2BnUPUCVB26zsfTA6MkxYVG1EJEHvnIlhFuROVrTGOBD3iJ8Pi88PQMXIZ3v2jPn9uE50%2B7sfn3PB%2FD2SBG1luKM%2BcX4xmmAa9lBeO4YV7eHLZRuujfrNAD1p7ibfanLrhtk7C%2BooBJ%2BBrhzZgQiVRPozazGmTh0p9ZDu5uwqfnNncRfsUH3MC2DU7%2F2lLeIXl2i4", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162253&Signature=DsUEk3x0D0tLMeH64e%2BL%2BU0fmDQgZPub6sr2i81od6MJcTmkUHTvUwY4TX7A4UF7CHp6x9os7H6ACU0L6ZaarkQrPNm5dsT7lulfOTfMO4b8%2B9vETdbWgCFKDoxSh1JDRedcaByU9eHDx1EubCyeCzVwlhIQD6DY731Nqnbs%2FbM6xAvxXIrjJXGTEIhmWk2rwD9E7fIYWKxJ3PIwdd9LxuRcfsiqFrEfxSfL%2FhCUtkAzP9VJk%2B", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162273&Signature=sHM7md8FG3NGW4EaoHgxxJxesr%2BwB7HqWHK1D3tULtGS5B9x6lSEfz%2F7oBPbC%2FW1AjBMAQvDCNRY5nUYvLs9v1lyCmWTdlaXzqGLXKKucME3uJxTnsyz%2BD1NufC0hBTMCOi72Sr8g6t%2Fs0AUKgWVoI%2FzNNPjkBnA8yhuPJDg%2FagW1ZWHbCCmuvDq89e7cuw7zAwSyLYepQaw6NwWxkbXxbLmCPt8NgH1FxvePXTh2u6kEBUkC3rfaYMz", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162432&Signature=TWbtmQs4bcHbMfmTekVuORg%2BkrtroxYd8P8uC5usycoJ%2BB%2FHow0wKjA9ZjhOZxjEmMD0SR0LJtJtz9WjU4Bo%2BUGImGkUS%2BpVWmWEUlAnFAifUeH4f5YQ%2F6cNsYropo5WcFbSSs5CBkVFTFkx0oi7v6eoTVbSOB6ZuXf3th4SLotta8FcMAzmgs6224SExEQaOgbe8HNnU%2F7BqF5906uMA793JnqbInA83%2BrUvFoO1vo3f%", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162454&Signature=s%2FL8LyYQ5ohWNf8k%2F4%2BjtOHEZw%2FPBQ50rPOAG6qtrJE1i6GAlRl5exjz0kySLyFUjqw1a%2BRmbp%2BGOUpGT1lFr%2FJQ6MrmypYvlc6FB451hDVD6FGhK1ux%2FDBdqi3jA5ZcM0TBp9nG%2FzUmdBcnXGtpTT6vgdZpgZT6%2FcaTnDSXLieEgVqCAgVX%2FZFQg3ZVxCBndzTcuRqQmR2axdb1QaRQ%2BIFIaYonKsJt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 294, "FileHash-SHA1": 122, "FileHash-SHA256": 1747, "URL": 5866, "hostname": 1673, "domain": 432, "CVE": 1, "email": 2 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69de16a3c7cc241533da1de7", "name": "CAPE Sandbox", "description": "The full text of the full report on the events of 9 January 2016:-17 February 2017.. and the details will appear on Facebook, Twitter, Instagram and iPlayer, as well as BBC News.Publicly sourced data.", "modified": "2026-05-14T11:12:02.310000", "created": "2026-04-14T10:27:47.855000", "tags": [ "default", "win1", "acrongl integ", "adc4240758", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "angsana new", "accept", "shutdown", "bits", "users", "files c", "registry keys", "parent pid", "full path", "command line", "mutexes nothing", "settings c", "users c", "file type", "ascii text", "html document", "ascii", "smtp", "united", "pe file", "ms windows", "found", "pe32", "exploit", "window", "mydoom", "malicious", "next", "windows sandbox", "calls process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776161759&Signature=r%2BKlsLyBnYpOeeNHzRs9%2B7pdGx2v0X0pOyuXLCoa%2BnUPUCVB26zsfTA6MkxYVG1EJEHvnIlhFuROVrTGOBD3iJ8Pi88PQMXIZ3v2jPn9uE50%2B7sfn3PB%2FD2SBG1luKM%2BcX4xmmAa9lBeO4YV7eHLZRuujfrNAD1p7ibfanLrhtk7C%2BooBJ%2BBrhzZgQiVRPozazGmTh0p9ZDu5uwqfnNncRfsUH3MC2DU7%2F2lLeIXl2i4", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162253&Signature=DsUEk3x0D0tLMeH64e%2BL%2BU0fmDQgZPub6sr2i81od6MJcTmkUHTvUwY4TX7A4UF7CHp6x9os7H6ACU0L6ZaarkQrPNm5dsT7lulfOTfMO4b8%2B9vETdbWgCFKDoxSh1JDRedcaByU9eHDx1EubCyeCzVwlhIQD6DY731Nqnbs%2FbM6xAvxXIrjJXGTEIhmWk2rwD9E7fIYWKxJ3PIwdd9LxuRcfsiqFrEfxSfL%2FhCUtkAzP9VJk%2B", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162273&Signature=sHM7md8FG3NGW4EaoHgxxJxesr%2BwB7HqWHK1D3tULtGS5B9x6lSEfz%2F7oBPbC%2FW1AjBMAQvDCNRY5nUYvLs9v1lyCmWTdlaXzqGLXKKucME3uJxTnsyz%2BD1NufC0hBTMCOi72Sr8g6t%2Fs0AUKgWVoI%2FzNNPjkBnA8yhuPJDg%2FagW1ZWHbCCmuvDq89e7cuw7zAwSyLYepQaw6NwWxkbXxbLmCPt8NgH1FxvePXTh2u6kEBUkC3rfaYMz", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162432&Signature=TWbtmQs4bcHbMfmTekVuORg%2BkrtroxYd8P8uC5usycoJ%2BB%2FHow0wKjA9ZjhOZxjEmMD0SR0LJtJtz9WjU4Bo%2BUGImGkUS%2BpVWmWEUlAnFAifUeH4f5YQ%2F6cNsYropo5WcFbSSs5CBkVFTFkx0oi7v6eoTVbSOB6ZuXf3th4SLotta8FcMAzmgs6224SExEQaOgbe8HNnU%2F7BqF5906uMA793JnqbInA83%2BrUvFoO1vo3f%", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162454&Signature=s%2FL8LyYQ5ohWNf8k%2F4%2BjtOHEZw%2FPBQ50rPOAG6qtrJE1i6GAlRl5exjz0kySLyFUjqw1a%2BRmbp%2BGOUpGT1lFr%2FJQ6MrmypYvlc6FB451hDVD6FGhK1ux%2FDBdqi3jA5ZcM0TBp9nG%2FzUmdBcnXGtpTT6vgdZpgZT6%2FcaTnDSXLieEgVqCAgVX%2FZFQg3ZVxCBndzTcuRqQmR2axdb1QaRQ%2BIFIaYonKsJt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 346, "FileHash-SHA1": 338, "FileHash-SHA256": 859, "URL": 1100, "hostname": 374, "domain": 30 }, "indicator_count": 3047, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d9b0e549af1aae2975ebeb", "name": "Virtual Servers \u2022 Tulach \u2022 Eternal Blue", "description": "Interesting. Further research required. \n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+\n\n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff90+IP:+Sweden%0A\\\\xfff0\\\\xff9f\\\\xff97\\\\xffba+Country:+SE+", "modified": "2026-05-11T02:31:44.768000", "created": "2026-04-11T02:24:37.102000", "tags": [ "related pulses", "apple", "imac", "itunes", "tulach", "active", "vercel", "ms windows", "intel", "yara rule", "lredmond", "rsds", "write c", "tls sni", "write", "install", "rijndael", "malware", "accept", "self", "mtb apr", "lowfi", "backdoor", "antigua", "trojandropper", "all ipv4", "urls", "prometheus", "files", "files ip", "address", "united", "unknown aaaa", "cname", "tags", "keepalived", "ip address", "red hat", "nat node", "gns3", "firefox", "ovn network", "instances", "forum", "linux", "dynamicloader", "exclusionpath", "medium", "high", "telegram api", "windows", "f rl", "highest sc", "guard", "april", "powershell", "c mar", "virtool", "c jan", "c dec", "urls show", "url hostname", "ransom", "click", "title", "njrat", "as64521i", "bird", "bgp", "virtual private", "virtual servers", "et exploit", "ms17010 echo", "response", "echo response", "asnone", "probe ms17010", "nids", "m2 ms17010", "regsetvalueexa", "service", "wannacry", "dock", "unknown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "mitre att", "defense evasion", "sha1", "sha256", "size", "pattern match", "ascii text", "path", "stop", "hybrid", "general", "local", "twitter", "strings", "core", "telegram", "tools" ], "references": [ "Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H IDS Detections Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE Probe MS17-010 (Generic Flags) Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , WannaCry_Ransomware_Gen , WannaDecryptor , stack_string , MS17_010_WanaCry_worm More Alerts nids_exploit", "https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+ Akamai rank: #2475\t URL https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff9", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf", "https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f", "Trojans: 149.154.166.110 command_and_control (build your own telegram) 208.95.112.1 command_and_control", "prometheus.shorty.cicloinfinito.com", "Win.Packed.njRAT-10002074-1", "NJRat IDS Detections: Telegram API Domain in DNS Lookup", "NJRat IDS Detections: Observed Telegram API Domain (api .telegram .org in TLS SNI)", "NJRat IDS Detections: Telegram API Certificate Observed", "NJRat Yara Detections: ByteCode_MSIL_Backdoor_AsyncRAT", "NJRat Alerts: hardware_id_profiling network_cnc_https_pastesite persistence_autorun", "NJRat Alerts: persistence_autorun_tasks binary_yara procmem_yara suricata_alert", "NJRat Alerts: windows_defender_powershell network_document_file powershell_command_suspicious", "NJRat Alerts: suspicious_command_tools antidebug_guardpages antisandbox_sleep", "NJRat Alerts: dynamic_function_loading encrypted_ioc registers_vectored_exception_handler", "NJRat Alerts: http_request reads_memory_remote_process network_cnc_https_generic reads_self", "NJRat IP\u2019s Contacted 149.154.166.110 172.66.171.73", "NJRat Domains Contacted pastebin.com api.telegram.org", "192.168.122.200 BGP: Simulating Inter-network Dynamic Routing", "EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.105\", \"dst_port\": 49317, \"sid\": 2025650, \"date\": \"2020/06/18 11:39:48\", \"dst_ip\": \"192.168.56.103\" }, \"type\": \"ioc\", \"description\": null }, { \"category\": \"suricata\", \"ioc\": { \"src_port\": 445, \"name\": \"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.108\", \"dst_port\": 49324, " ], "public": 1, "adversary": "", "targeted_countries": [ "Japan", "United States of America", "China" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908396-0", "display_name": "Win.Trojan.Generic-9908396-0", "target": null }, { "id": "Win.Trojan.Crypted-30", "display_name": "Win.Trojan.Crypted-30", "target": null }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" }, { "id": "Win.Malware.Score-6985947-1", "display_name": "Win.Malware.Score-6985947-1", "target": null }, { "id": "ALF:PWS:MSIL/Stealgen.GC!MTB", "display_name": "ALF:PWS:MSIL/Stealgen.GC!MTB", "target": null }, { "id": "Win.Packed.Zpack-10013367-0", "display_name": "Win.Packed.Zpack-10013367-0", "target": null }, { "id": "ALF:Trojan:Win32/FormBook.F!MTB", "display_name": "ALF:Trojan:Win32/FormBook.F!MTB", "target": null }, { "id": "Win.Malware.Renos-10003934-0", "display_name": "Win.Malware.Renos-10003934-0", "target": null }, { "id": "Win.Trojan.Razy-10016933-0", "display_name": "Win.Trojan.Razy-10016933-0", "target": null }, { "id": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A", "display_name": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A", "target": null }, { "id": "NJRat", "display_name": "NJRat", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null }, { "id": "W32/WannaCryptor.491A!tr.ransom", "display_name": "W32/WannaCryptor.491A!tr.ransom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1144", "name": "Gatekeeper Bypass", "display_name": "T1144 - Gatekeeper Bypass" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [ "Telecommunications", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 556, "domain": 206, "URL": 863, "FileHash-SHA256": 1589, "FileHash-MD5": 472, "FileHash-SHA1": 376, "SSLCertFingerprint": 11, "email": 1 }, "indicator_count": 4074, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d3532c76eb3bf5edd9609b", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:08.181000", "created": "2026-04-06T06:31:08.181000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d3532a6537880f6e2c68dc", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:06.730000", "created": "2026-04-06T06:31:06.730000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686df81130f94fff809dd8b7", "name": "T-Mobile Service- 23.185.0.2 - Mirai", "description": "", "modified": "2025-08-08T04:05:03.809000", "created": "2025-07-09T05:03:13.536000", "tags": [ "germany unknown", "passive dns", "invalid url", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "frankfurt", "main", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr11", "validity", "public key", "info", "south korea", "united", "taiwan as3462", "as21928", "china as4134", "as4766 korea", "china as4837", "as9318 sk", "high", "as701 verizon", "malware", "copy", "name jim", "zemlin name", "letterman dr", "address bldg", "d ste", "date", "dnssec", "record value", "emails", "address", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jul", "present showing", "entries related", "domains show", "present jun", "search", "enom", "creation date", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 178, "FileHash-SHA1": 180, "FileHash-SHA256": 2435, "hostname": 644, "domain": 603, "URL": 585, "email": 3 }, "indicator_count": 4628, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68635826ef3c26c8f6546ad5", "name": "Trojan.Mybot-12000 | Parking Crew - Feebs Worm |", "description": "Feebs expansion didn\u2019t pulse the correct results. \nworm.feebs.ae \n#identified #active\nExpanded. Parking crews:\n\u2022 virus:Win32/Madang.A\n\u2022 Trojan.Mybot-12000\n\u2022 Win.Worm.Eggnog-6\n\u2022 Unruy\n\u2022 Worm.Picsys\n\u2022 worm:Win32/Mydoom.O!backdoor\n\u2022 Unruy\n\u2022 trojan:Win32/Phishbank.A\n\u2022 Win32:MultiPlug-ADL\\ [Adw]\n\u2022 DotNET_Crypto_Obfuscator\n\u2022 Worm.Feebs.AE Blocked by Quad9 - IRCbot \u2022 worm.feebs.ae \u2022 #dga #running_webserver #feebs #trojan #spy #bot #ransom #virtool #irc #backfdoor #worm #dropper #banker #registrarabuse #droppedconnectionstoday #operation #data_selling #binary #infection #pointing #backdoor #domain_prefix #trojan #parkingcrew # domain #abuse #multi compromised #ping +\u2026 more\n\n(Cannot annotate)", "modified": "2025-07-31T03:00:41.573000", "created": "2025-07-01T03:38:14.229000", "tags": [ "type name", "win32 exe", "graph summary", "search", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "entries", "indicator", "quad9", "ircbot", "ck ids", "t1140", "information", "t1060", "run keys", "startup", "folder" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 201, "FileHash-SHA1": 196, "FileHash-SHA256": 2723, "URL": 82, "domain": 183, "hostname": 439 }, "indicator_count": 3824, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68635823896b29555651547d", "name": "Trojan.Mybot-12000 | Parking Crew - Feebs Worm |", "description": "Feebs expansion didn\u2019t pulse the correct results. \nworm.feebs.ae \n#identified #active\nExpanded. Parking crews:\n\u2022 virus:Win32/Madang.A\n\u2022 Trojan.Mybot-12000\n\u2022 Win.Worm.Eggnog-6\n\u2022 Unruy\n\u2022 Worm.Picsys\n\u2022 worm:Win32/Mydoom.O!backdoor\n\u2022 Unruy\n\u2022 trojan:Win32/Phishbank.A\n\u2022 Win32:MultiPlug-ADL\\ [Adw]\n\u2022 DotNET_Crypto_Obfuscator\n\u2022 Worm.Feebs.AE Blocked by Quad9 - IRCbot \u2022 worm.feebs.ae \u2022 #dga #running_webserver #feebs #trojan #spy #bot #ransom #virtool #irc #backfdoor #worm #dropper #banker #registrarabuse #droppedconnectionstoday #operation #data_selling #binary #infection #pointing #backdoor #domain_prefix #trojan #parkingcrew # domain #abuse #multi compromised #ping +\u2026 more", "modified": "2025-07-31T03:00:41.573000", "created": "2025-07-01T03:38:11.946000", "tags": [ "type name", "win32 exe", "graph summary", "search", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "entries", "indicator", "quad9", "ircbot", "ck ids", "t1140", "information", "t1060", "run keys", "startup", "folder" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 201, "FileHash-SHA1": 196, "FileHash-SHA256": 2723, "URL": 82, "domain": 183, "hostname": 439 }, "indicator_count": 3824, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ayende.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ayende.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780312205.72676 }