{
"type": "Domain",
"indicator": "binginternal.com",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/binginternal.com",
"alexa": "http://www.alexa.com/siteinfo/binginternal.com",
"indicator": "binginternal.com",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 995361754,
"indicator": "binginternal.com",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "69fc1b9d02d8ebe162913b74",
"name": "Credit: OctoSeek -2yrs ago [Zombie.A \u2022 Bayrob in fake malware information website.]",
"description": "",
"modified": "2026-05-07T05:03:23.418000",
"created": "2026-05-07T04:57:01.616000",
"tags": [
"ukraine",
"referrer",
"deploys fake",
"uue files",
"fsociety",
"target colombia",
"judiciary",
"financial",
"public",
"tools",
"sector",
"mexico",
"aka xloader",
"html",
"html info",
"title",
"meta tags",
"google tag",
"utc gnr5gzhd545",
"utc na",
"utc aw944900006",
"utc linkedin",
"formbook",
"accept",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"apache",
"so funny",
"click",
"urls",
"passive dns",
"http",
"unique",
"scan endpoints",
"all octoseek",
"url http",
"ip address",
"related nids",
"code",
"united",
"as54113",
"unknown",
"aaaa",
"as15169 google",
"as46691",
"status",
"cname",
"search",
"whitelisted",
"body",
"date",
"msil",
"meta",
"third-party-cookies",
"iframes",
"external-resources",
"text/html",
"trackers",
"end game",
"name servers",
"select contact",
"domain holder",
"nexus category",
"creation date",
"showing",
"date hash",
"avast avg",
"trojan",
"mtb may",
"dynamicloader",
"high",
"medium",
"yara detections",
"sniffs",
"attempts",
"alternate data",
"stream",
"a foreign",
"cultureneutral",
"get na",
"show",
"delete c",
"entries",
"cape",
"delete",
"default",
"copy",
"nivdort",
"write",
"trojanspy",
"bayrob",
"malware",
"eagle eyed",
"nonads",
"path max",
"age86400 set",
"cookie",
"script urls",
"type",
"script script",
"win32 exe",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"exe32",
"compiler",
"vs98",
"contained",
"simplified",
"info compiler",
"products",
"sp6 build",
"header intel",
"name md5",
"language",
"not found",
"rules not",
"mitre",
"info ids",
"found sigma",
"found",
"files not",
"found network",
"getlasterror",
"icons library",
"os2 executable",
"files",
"file type",
"kb file",
"name",
"type name",
"ip detections",
"country",
"gandi sas",
"dynadot",
"enom",
"namecheap",
"dynadot inc",
"namecheap inc",
"dynadot llc",
"domains",
"tucows domains",
"melbourne it",
"historical ssl",
"realteck audio",
"problems",
"lemon duck",
"iocs",
"sneaky server",
"replacement",
"unauthorized",
"windows",
"windir",
"samplepath",
"user",
"process",
"created",
"shell commands",
"windefend",
"created bus",
"tree",
"registry keys",
"reports upgrade",
"keys set",
"upgradestart",
"dword",
"data registry",
"keys deleted",
"reports",
"get http",
"request",
"http requests",
"ip traffic",
"dns resolutions",
"resolutions",
"mitre att",
"defense evasion",
"ta0007 command",
"control ta0011",
"impact ta0034",
"impact ta0040",
"graph",
"bundled files",
"name file",
"contacted ip",
"users",
"number",
"ascii text",
"crlf line",
"database",
"english",
"tue jun",
"installer",
"template",
"tulach",
"rexxfield",
"milesit",
"cp",
"self deleting",
"stuff",
"copying",
"packages found",
"targeting major",
"injects ads",
"into search",
"results",
"overlay",
"text",
"win32 dll",
"javascript",
"db2maestro",
"open ports",
"ipv4",
"pulse submit",
"url analysis",
"expiration date",
"hostname",
"next",
"ten process",
"utc facebook",
"utc google",
"title ten",
"blog meta",
"tags",
"elastic blog",
"bing ads",
"as8068",
"certificate",
"otx telemetry",
"ref b",
"record value",
"emails",
"please",
"win32",
"x msedge",
"pulse pulses",
"no data",
"tag count",
"analyzer threat",
"url summary",
"ip summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"cisco umbrella",
"site",
"alexa top",
"safe site",
"mail spammer",
"million",
"malware site",
"phishing site",
"malicious site",
"bank",
"fuery",
"unsafe",
"malicious",
"alexa",
"zbot",
"asn as16625",
"akamai",
"less",
"is2osecurity",
"domain name",
"active",
"as21342",
"domain",
"location israel",
"asn as1680",
"invalid url",
"body html",
"head title",
"title head",
"body h1",
"reference",
"log id",
"gmtn",
"digicert tls",
"rsa sha256",
"tls web",
"full name",
"digicert inc",
"organization",
"district",
"columbia",
"false",
"as20940",
"as16625 akamai",
"as8987 amazon",
"moved",
"as1680 cellcom",
"alerts",
"related pulses",
"guard",
"dynamic",
"reads",
"https link",
"as8075",
"record type",
"ttl value",
"redacted for",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"server",
"email",
"office open",
"ms word",
"document",
"xml document",
"xml spreadsheet",
"email trash",
"rich text",
"pdf tripwire",
"fall",
"whois lookups",
"contact email",
"blind eagle",
"brian sabey"
],
"references": [
"https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png",
"https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc",
"Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc",
"Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77",
"Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320",
"Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect",
"Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile",
"IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden",
"Alerts: cape_detected_threat cape_extracted_content",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07",
"TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c",
"Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69",
"Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07",
"Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120",
"Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net",
"Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net",
"https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc",
"trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758",
"Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019",
"Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038",
"Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis",
"Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001",
"Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022",
"Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001",
"Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052",
"Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003",
"Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus",
"Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses",
"Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst",
"Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP",
"http://Object.prototype.hasOwnProperty.call",
"Tulach! It's been a minute - 114.114.114.114",
"What's going on here judiciary? Karen - cisa.gov? e.final",
"f.search schema.org t.final",
"ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov",
"[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov",
"[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov",
"[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml",
"Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window",
"https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net",
"Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV"
],
"public": 1,
"adversary": "Blind Eagle",
"targeted_countries": [
"United States of America",
"Colombia",
"Netherlands",
"Israel"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn",
"target": null
},
{
"id": "TrojanSpy:Win32/Nivdort.CW",
"display_name": "TrojanSpy:Win32/Nivdort.CW",
"target": "/malware/TrojanSpy:Win32/Nivdort.CW"
},
{
"id": "Bayrob",
"display_name": "Bayrob",
"target": null
},
{
"id": "trojan.bayrob/lazy",
"display_name": "trojan.bayrob/lazy",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0030",
"name": "Defense Evasion",
"display_name": "TA0030 - Defense Evasion"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6683aae863ba601bac1a28b5",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1167,
"FileHash-SHA1": 738,
"FileHash-SHA256": 3074,
"URL": 1019,
"domain": 1640,
"hostname": 973,
"email": 12,
"SSLCertFingerprint": 2,
"URI": 2
},
"indicator_count": 8627,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a9cd444aa144401d0c4988",
"name": "Pools Open",
"description": "",
"modified": "2026-04-15T19:21:28.851000",
"created": "2026-03-05T18:36:52.014000",
"tags": [
"Timothy Pool",
"Christopher Pool",
"Pool's Closed"
],
"references": [
"Pool Closed",
"Pool's Closed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Media",
"ad fraud"
],
"TLP": "white",
"cloned_from": "5fa57698ac0f6638b7b9a8ba",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 8098,
"URL": 23428,
"hostname": 9592,
"domain": 4727,
"SSLCertFingerprint": 22,
"FileHash-MD5": 696,
"FileHash-SHA1": 457,
"CIDR": 78,
"email": 3,
"CVE": 2
},
"indicator_count": 47103,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "46 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68db395368d6c4042517f3f3",
"name": "Target Saver M1 Agent TSA Spy \u2022 Mastadon - Hit Tip! Thanks!",
"description": "Hot Tip! I would love to give a shout out to the person who provided this information, I\u2019m not sure if they want to remain anonymous or not. Thank SO Much!\n\nSpyware and a source for distributing malicious media. Complete foothold\non networks, browsers, phones, search history and everything, massive streaming pornography distributed, members and contributors. \n\nVery important tip. I will analyze and break down into digestible pulse sizes.",
"modified": "2025-12-27T15:01:22.545000",
"created": "2025-09-30T01:58:43.592000",
"tags": [
"http traffic",
"match info",
"http get",
"info performs",
"dns query",
"https http",
"mitre att",
"evasion ta0005",
"creates",
"info",
"oc0006 http",
"wininet c0005",
"resolved ips",
"get http",
"html document",
"unicode text",
"dynamicloader",
"fe ff",
"medium",
"x00bx00",
"uswv",
"k uswv",
"search",
"high",
"delete c",
"yara detections",
"redline",
"guard",
"write",
"united",
"present sep",
"aaaa",
"passive dns",
"urls",
"next associated",
"found",
"x content",
"hacktool",
"trojan",
"error",
"lowfi",
"win32",
"worm",
"ip address",
"mtb apr",
"ransom",
"virtool",
"ain add",
"directui",
"element",
"classinfobase",
"ccbase",
"hwndhost",
"yara rule",
"hpavvalue",
"qaejh",
"name servers",
"cryp",
"emails",
"next related",
"domain related",
"no expiration",
"url http",
"url https",
"indicator role",
"hostname",
"email",
"present jun",
"present aug",
"present jul",
"servers",
"title",
"encrypt",
"altsvc h3",
"date tue",
"acceptranges",
"reportto",
"server",
"gmt expires",
"gmt contenttype",
"script",
"expiresthu",
"maxage63072000",
"pragma",
"google safe",
"unknown ns",
"files",
"location united",
"asn as15169",
"trojandropper",
"susp",
"creation date",
"asn as133618",
"tags",
"related tags",
"indicator facts",
"backdoor",
"ipv4 add",
"click",
"artro",
"target saver",
"trojanspy",
"reverse dns",
"america flag",
"443 ma2592000",
"hostname add",
"verdict",
"present mar",
"present jan",
"present dec",
"present apr",
"ipv4",
"type indicator",
"role title",
"related pulses",
"iocs",
"moved",
"downloads",
"apple",
"microsoft",
"hexagonsystem",
"mastadon",
"status",
"twitter",
"gmt content",
"easyredir cache",
"v4 add",
"redacted for",
"privacy tech",
"privacy admin",
"registrar abuse",
"available from",
"algorithm",
"key identifier",
"x509v3 subject",
"entity",
"code",
"date",
"dnssec",
"showing",
"unknown aaaa",
"sha256",
"sha1",
"ascii text",
"ck id",
"show technique",
"ck matrix",
"meta",
"hybrid",
"general",
"local",
"path",
"strings",
"copy md5",
"copy sha1",
"copy sha256",
"certificate"
],
"references": [
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"mastodon.social",
"https://families.google/intl/pt-PT_ALL/familylink/",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"https://discuss.ai.google.dev/c/gemma/10",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"https://m.bigwetbutts.com/ tmi",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"Mirai: simswap.in",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"display_name": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"target": null
},
{
"id": "Win.Ransomware.Bitman-9862733-0",
"display_name": "Win.Ransomware.Bitman-9862733-0",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Target Saver",
"display_name": "Target Saver",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Hacktool",
"display_name": "Hacktool",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Media",
"Legal",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2964,
"hostname": 1164,
"URL": 4334,
"domain": 956,
"FileHash-MD5": 476,
"FileHash-SHA1": 451,
"CVE": 1,
"email": 20,
"SSLCertFingerprint": 2
},
"indicator_count": 10368,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 148,
"modified_text": "155 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "5fa57698ac0f6638b7b9a8ba",
"name": "Pool's Closed",
"description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.",
"modified": "2025-12-27T05:02:34.910000",
"created": "2020-11-06T16:15:20.139000",
"tags": [
"Timothy Pool",
"Christopher Pool",
"Pool's Closed"
],
"references": [
"Pool Closed",
"Pool's Closed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Media",
"ad fraud"
],
"TLP": "white",
"cloned_from": null,
"export_count": 61,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 4,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scnrscnr",
"id": "126475",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 8098,
"URL": 23426,
"hostname": 9590,
"domain": 4727,
"SSLCertFingerprint": 22,
"FileHash-MD5": 696,
"FileHash-SHA1": 457,
"CIDR": 78,
"email": 3,
"CVE": 2
},
"indicator_count": 47099,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 133,
"modified_text": "155 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "174 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68feb98a8c1b75b4431a3e8e",
"name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?",
"description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.",
"modified": "2025-11-25T20:05:31.749000",
"created": "2025-10-27T00:15:06.191000",
"tags": [
"html internet",
"html document",
"ascii text",
"language",
"cve202323397",
"iframe tags",
"tag manager",
"gtmkvjvztk",
"anchor hrefs",
"info ta0011",
"protocol",
"layer protocol",
"port",
"t1571 encrypted",
"channel",
"t1573 malware",
"tree",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"resolved ips",
"user",
"data",
"datacrashpad",
"edge",
"v full",
"reports v",
"chrome u",
"appdata local",
"googlechrome u",
"u ser",
"cname",
"ip address",
"http",
"accept",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"shutdown",
"extraction",
"suggested iocs",
"data upload",
"cry dee",
"stop",
"type",
"url indicator",
"enter",
"failed",
"se share",
"extrac",
"enter so",
"passive dns",
"urls",
"hostname add",
"pulse pulses",
"files",
"domain",
"files ip",
"address",
"location united",
"asn as20473",
"dynamicloader",
"directui",
"write c",
"intel",
"ms windows",
"pe32",
"element",
"delete c",
"document file",
"v2 document",
"explorer",
"trojandropper",
"write",
"markus",
"august",
"movie",
"insert",
"pulse submit",
"url analysis",
"asn as8068",
"united",
"entries",
"body",
"please",
"x msedge",
"ipv4 add",
"present sep",
"present oct",
"present feb",
"status",
"unknown ns",
"search",
"name servers",
"present jul",
"aaaa",
"present apr",
"trojan",
"medium",
"high",
"yara rule",
"globalc",
"june",
"malware",
"win64",
"unknown",
"america flag",
"twitter",
"hostname",
"domain add",
"reverse dns",
"america asn",
"present aug",
"a domains",
"moved",
"first pqc",
"unknown aaaa",
"title",
"meta",
"window",
"encrypt",
"pulse indicator",
"body doctype",
"welcome",
"ok server",
"gmt content",
"atlanta",
"abuse",
"agent",
"service",
"present jun",
"present may",
"creation date",
"record value",
"servers",
"libretv meta",
"certificate",
"value",
"whois lookup",
"loopia ab",
"userlolxxl"
],
"references": [
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
},
{
"id": "Foundry",
"display_name": "Foundry",
"target": null
},
{
"id": "Trojan:Win32/Comisproc!gmb",
"display_name": "Trojan:Win32/Comisproc!gmb",
"target": "/malware/Trojan:Win32/Comisproc!gmb"
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "#Exploit:Win32/CVE- 2023 - 23397",
"display_name": "#Exploit:Win32/CVE- 2023 - 23397",
"target": "/malware/#Exploit:Win32/CVE- 2023 - 23397"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "ALF:PulZati:Worm:Win32/Mydoom",
"display_name": "ALF:PulZati:Worm:Win32/Mydoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 8,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 248,
"FileHash-SHA1": 134,
"FileHash-SHA256": 2661,
"URL": 6257,
"domain": 682,
"email": 8,
"hostname": 2077,
"CVE": 1
},
"indicator_count": 12068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "187 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68fd0cc422cea2fd989581fd",
"name": "LevelBlue - Open Threat Exchange (Malicious Attacks)",
"description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.",
"modified": "2025-11-24T17:02:12.441000",
"created": "2025-10-25T17:45:40.291000",
"tags": [
"ipv4",
"levelblue",
"open threat",
"date sat",
"connection",
"etag w",
"cloudfront",
"sameorigin age",
"vary",
"ip address",
"kb body",
"gtmkvjvztk",
"utc gcfezl5ynvb",
"utc na",
"utc google",
"analytics na",
"utc linkedin",
"insight tag",
"learn",
"exchange og",
"levelblue open",
"threat exchange",
"exchange",
"google tag",
"iocs",
"search otx",
"included iocs",
"review iocs",
"data upload",
"extraction",
"layer protocol",
"v full",
"reports v",
"port t1571",
"t1573",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"user",
"data",
"datacrashpad",
"edge",
"tag manager",
"us er",
"help files",
"shell",
"html",
"cve202323397",
"iframe tags",
"community score",
"url http",
"url https",
"united",
"united kingdom",
"netherlands",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"indicator role",
"title added",
"active related",
"otc oct",
"report spam",
"week ago",
"scan",
"learn more",
"filehashmd5",
"filehashsha1",
"domain",
"australia",
"does",
"josh",
"created",
"filehashsha256",
"present jul",
"present oct",
"date",
"a domains",
"script urls",
"for privacy",
"moved",
"script domains",
"meta",
"title",
"body",
"pragma",
"encrypt",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1027",
"files",
"information",
"t1055",
"injection",
"capture",
"south korea",
"malaysia",
"pulses",
"fatal error",
"hacker known",
"name",
"unknown",
"risk",
"weeks ago",
"scary",
"sova",
"colorado",
"wire",
"name unknown",
"thursday",
"denver",
"types of",
"indicators hong",
"kong",
"tsara brashears",
"african",
"ethiopia",
"b8reactjs",
"india",
"america",
"x ua",
"hostname",
"dicator role",
"pulses url",
"airplane",
"icator role",
"t1432",
"access contact",
"list",
"t1525",
"image",
"security scan",
"heuristic oct",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1114",
"t1480",
"internal image",
"brian sabey",
"month ago",
"modified",
"days ago",
"green well",
"sabey stash",
"service",
"t1040",
"sniffing",
"t1045",
"packing",
"t1053",
"taskjob"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Sova",
"display_name": "Sova",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1525",
"name": "Implant Internal Image",
"display_name": "T1525 - Implant Internal Image"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 956,
"FileHash-SHA1": 906,
"FileHash-SHA256": 2651,
"URL": 4450,
"domain": 708,
"hostname": 2403,
"CVE": 1,
"email": 5
},
"indicator_count": 12080,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "188 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68dff573cf17000ebca4e63f",
"name": "The University of British Columbia",
"description": "https://www.virustotal.com/gui/domain/ubc.ca\nhttps://www.virustotal.com/gui/file/2849292fde24ca7833a3fcde7852e6e76df178ea271e271d2d2b551c10033a09/details",
"modified": "2025-11-02T15:02:38.292000",
"created": "2025-10-03T16:10:27.760000",
"tags": [
"university",
"research",
"strong",
"ubc search",
"teaching",
"okanagan",
"bc canada",
"contact",
"skip",
"search ubc",
"find",
"back",
"user",
"cape sandbox",
"medium",
"http",
"matches rule",
"tls sni",
"memory pattern",
"size",
"date",
"info",
"shell",
"vhash",
"ssdeep",
"jjwad5 tlsh"
],
"references": [
"Contact Information | The University of British Columbia",
"spph.ca",
"www.ubc.ca",
"ubc.ca",
"CA-2020-01-12 05-18-26088DE56F-E544B574-D3166097-17FA11BC-45321A6D-v33.zip"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 29,
"FileHash-SHA256": 742,
"FileHash-MD5": 89,
"FileHash-SHA1": 42,
"URL": 243,
"hostname": 98
},
"indicator_count": 1243,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 125,
"modified_text": "210 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68dc624893ea922b898f911b",
"name": "FBI? Ghe real one? Idk - Cab / Deive by compromised an iOS device",
"description": "Checking a targets phone, it\u2019s seems very infected with limited results on google searches results. I clicked on an image I thought looked suspicious. Image was coded. I have no idea if this is the FBI I haven\u2019t examined or researched for vulnerabilities yet. I will break this down over time. The number is kept alive but number could not be verified , it was a different number altogether. The phone was out of service, I reached out to 911. And spoke to a person I can\u2019t verify. The service was reconnected a day later. It\u2019s a very crazy hack!",
"modified": "2025-10-30T22:01:00.256000",
"created": "2025-09-30T23:05:44.154000",
"tags": [
"search",
"google search",
"in a",
"relevance",
"internet storm",
"intranet",
"part",
"steps",
"hyper v",
"windowssystem32",
"ping request",
"algorithm",
"ouno sni",
"key usage",
"google llc",
"v3 serial",
"number",
"public key",
"info",
"key algorithm",
"domain",
"subject key",
"identifier",
"net173",
"net1730000",
"gogl",
"orgid",
"gogl address",
"city",
"mountain view",
"stateprov",
"postalcode",
"registrar",
"ip address",
"http",
"port",
"accept",
"info file",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"shutdown",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"found",
"united",
"ascii text",
"pattern match",
"mitre att",
"title",
"hybrid",
"general",
"path",
"click",
"strings",
"body",
"initial access",
"local",
"passive dns",
"urls",
"url add",
"related nids",
"files location",
"flag united",
"backdoor",
"status",
"aaaa",
"date",
"name servers",
"record value",
"emails",
"present aug",
"present sep",
"moved",
"error",
"antivm",
"drive by",
"cab by"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 3,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 544,
"FileHash-SHA256": 2300,
"URL": 3905,
"hostname": 1675,
"FileHash-MD5": 209,
"FileHash-SHA1": 210,
"CIDR": 1,
"email": 7,
"SSLCertFingerprint": 8,
"CVE": 2
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "212 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68cb233ba91aa1eb958b3f31",
"name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder",
"description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
"modified": "2025-10-17T19:03:15.031000",
"created": "2025-09-17T21:08:11.518000",
"tags": [
"script urls",
"meta",
"moved",
"x tec",
"passive dns",
"encrypt",
"america flag",
"san francisco",
"extraction",
"data upload",
"type indicatod",
"united states",
"a domains",
"united",
"gmt server",
"jose",
"university",
"bill",
"rmhs",
"information",
"board",
"lorin",
"joseph",
"all veterans",
"rocky mountain",
"mission",
"vice",
"april",
"school",
"austin",
"prior",
"ipv4 add",
"urls",
"files",
"location united",
"wordpress",
"rmhs meta",
"tags viewport",
"rmhs og",
"rmhs article",
"wpbakery page",
"builder",
"slider plugin",
"google tag",
"mountain human",
"denver",
"connecting",
"denver start",
"relevance home",
"providers",
"contact us",
"rmhs main",
"server",
"redacted tech",
"redacted admin",
"registrar abuse",
"algorithm",
"key identifier",
"x509v3 subject",
"dnssec",
"country",
"ttl value",
"graph summary",
"resolved ips",
"ip address",
"port",
"data",
"screenshots no",
"involved direct",
"country name",
"name response",
"tcp connections",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"found",
"spawns",
"t1590 gather",
"path",
"ascii text",
"exif standard",
"tiff image",
"format",
"stop",
"false",
"soldier",
"model",
"youth",
"baby",
"june",
"general",
"local",
"click",
"strings",
"core",
"warrior",
"green",
"emotion",
"flash",
"nina",
"hunk",
"fono",
"daam",
"mitre att",
"ck techniques",
"id name",
"malicious",
"windows nt",
"win64",
"khtml",
"gecko",
"brand",
"microsoft edge",
"show process",
"self",
"date",
"comspec",
"hybrid",
"form",
"log id",
"gmtn",
"tls web",
"b2 f6",
"b0n timestamp",
"f9401a",
"record value",
"x wix",
"certificate",
"domain add",
"pulse submit",
"body",
"domain related",
"blackbox",
"apple",
"helix",
"dvrdns",
"tracking",
"remote access",
"ios",
"spyware",
"hoax",
"dynamicloader",
"ptls6",
"medium",
"flashpix",
"high",
"ygjpavclsline",
"officespace",
"chartshared",
"powershell",
"write",
"malware",
"ygjpaulscontext",
"status",
"japan unknown",
"domain",
"pulses",
"search",
"accept",
"apt10",
"trojanspy",
"win32",
"entries",
"susp",
"backdoor",
"useragent",
"showing",
"virtool",
"twitter",
"mozilla",
"trojandropper",
"trojan",
"title",
"onelouder",
"yara det",
"maware samoe",
"genaco x",
"ids detec",
"ids terse",
"win3 data",
"include review",
"exclude sugges",
"targeting",
"show",
"copy",
"reads",
"dynamic",
"vendor finding",
"notes clamav",
"files matching",
"number",
"sample analysis",
"hide samples",
"date hash",
"next yara"
],
"references": [
"rmhumanservices.org",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
"ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
"http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
"https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
"https://www.mlkfoundation.net/ (Foundry DGA)",
"remotewd.com x 34 devices",
"South Africa based: remote.advisoroffice.com",
"acc.lehigtapp.com - malware",
"http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )",
"Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022",
"Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
"https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
"YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
"IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
"IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
"IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
"1.organization.api.powerplatform.partner.microsoftonline.cn",
"chinaeast2.admin.api.powerautomate.cn",
"https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
"https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
"ssa-gov.authorizeddns",
"hmmm\u2026http://palander.stjernstrom.se/",
"https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
],
"public": 1,
"adversary": "APT 10",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APT 10",
"display_name": "APT 10",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "Andromeda",
"display_name": "Andromeda",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
},
{
"id": "KoobFace",
"display_name": "KoobFace",
"target": null
},
{
"id": "Bayrob",
"display_name": "Bayrob",
"target": null
},
{
"id": "Nivdort Checkin",
"display_name": "Nivdort Checkin",
"target": null
},
{
"id": "Win.Malware.Installcore-6950365-0",
"display_name": "Win.Malware.Installcore-6950365-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1574.006",
"name": "Dynamic Linker Hijacking",
"display_name": "T1574.006 - Dynamic Linker Hijacking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Golfing",
"Healthcare",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 690,
"hostname": 1912,
"URL": 5925,
"FileHash-SHA1": 273,
"email": 8,
"FileHash-SHA256": 3618,
"CIDR": 3,
"FileHash-MD5": 254,
"SSLCertFingerprint": 19,
"CVE": 2
},
"indicator_count": 12704,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "226 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68eff833ed84ceaf611521d2",
"name": "Tucker Carlson | AutInject \u2022 Zbot \u2022 CoinMiner \u2022 Zombie \u2022 Qbot affects his YouTube Channel (9.14.2025) ",
"description": "",
"modified": "2025-10-15T19:38:27.739000",
"created": "2025-10-15T19:38:27.739000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": "68c73fbd85dfbb4d41006ad1",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "228 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68c73fbd85dfbb4d41006ad1",
"name": "Tucker Carlson Sam Altman YouTube Interview \u2022 Qbot | Malware with. Code Overlap",
"description": "Maybe it\u2019s a network issue. The TV I viewed interview from is in Arabic the every time. It\u2019s not\nmy\ntelevision or network, didn\u2019t get link from a logged in YouTube. Not a subscriber.. I viewed using (cc) close captioning. It\u2019s the only program n YouTube using another language for this interview. The only reason I\u2019ve visited this interview several time\u2019s since it\u2019s aired is to check for the same results. Every time only this interview uses another language for (cc).\n\nThere are related pulses by a few different users, experiencing similar personal issues. I\u2019d assume I\u2019d always get these results. Unclear\n\n* At the end of interview Tucker Carlson states YouTube is trying to suppress or delete this one interview.",
"modified": "2025-10-14T22:26:18.109000",
"created": "2025-09-14T22:20:45.617000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "228 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68bc597c34358af14891a484",
"name": "A State: Government Financial Department affected by malware and threat actors",
"description": "A State Governmental Financial Department contacted. Lightly researched link below.\nFinal URL: https://www.palantir.com/blocked/?blocker=Envoy&ip=35.243.23.172&vpcEndpoint=&errorInstanceId=b8ae0a73-8c2d-4d81-a6ea-ee53943e9485&targetDomain=millet-usgc-1.palantirfedstart. | 403 Code - contacted |",
"modified": "2025-10-06T15:03:41.536000",
"created": "2025-09-06T15:55:40.069000",
"tags": [
"status",
"united",
"unknown ns",
"search",
"certificate",
"passive dns",
"urls",
"record value",
"emails",
"date",
"title",
"present jul",
"script urls",
"security",
"a domains",
"script domains",
"read",
"meta",
"443 ma86400",
"next associated",
"files show",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"gmt server",
"extraction f",
"enter so",
"type",
"u extraction",
"data upload",
"extraction",
"orbrop",
"present aug",
"present jun",
"present oct",
"entries",
"present apr",
"present nov",
"gtmpsl84dj",
"resolved ips",
"c0002 wininet",
"data",
"datacrashpad",
"edge",
"url data",
"accept",
"gmt ifnonematch",
"address port",
"cname",
"response",
"nxdomain",
"name n",
"creation date",
"domain add",
"pulse pulses",
"files",
"ip address",
"location united",
"asn as13335",
"whois registrar"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1785,
"domain": 710,
"hostname": 949,
"FileHash-SHA256": 864,
"email": 4,
"CVE": 3,
"FileHash-MD5": 27,
"FileHash-SHA1": 27
},
"indicator_count": 4369,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "237 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68bbf3e40e3ce8a74aa89545",
"name": "HCPF \u2022 The intricate relationships between the FIN7 group and members of the Conti gang",
"description": "",
"modified": "2025-10-06T08:03:23.285000",
"created": "2025-09-06T08:42:12.787000",
"tags": [
"present feb",
"united",
"a domains",
"present dec",
"passive dns",
"moved",
"script domains",
"script urls",
"search",
"title",
"date",
"http traffic",
"http get",
"match info",
"downloads",
"info",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"get http",
"dns resolutions",
"number",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"corporation cus",
"algorithm",
"cnamazon rsa",
"m03 oamazon",
"thumbprint",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"ascii text",
"ogoogle trust",
"cngts ca",
"execution",
"next",
"dock",
"write",
"capture",
"persistence",
"malware",
"roboto",
"android",
"known exploited",
"google",
"salesloft drift",
"sap s4hana",
"cve202542957",
"cisa",
"sitecore",
"linux",
"france",
"meta",
"rokrat",
"lizar",
"project nemesis",
"carbanak",
"cobalt strike",
"domino",
"yara detections",
"contacted",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"malicious ids",
"detections tls",
"indicator role",
"title added",
"active related",
"entries",
"role title",
"added active",
"filehashmd5",
"ipv4"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Lizar",
"display_name": "Lizar",
"target": null
},
{
"id": "Project Nemesis",
"display_name": "Project Nemesis",
"target": null
},
{
"id": "Carbanak",
"display_name": "Carbanak",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Domino",
"display_name": "Domino",
"target": null
},
{
"id": "RokRAT",
"display_name": "RokRAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
}
],
"industries": [
"Hospitality",
"Financial"
],
"TLP": "green",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 539,
"FileHash-SHA1": 389,
"FileHash-SHA256": 3386,
"domain": 862,
"hostname": 1155,
"URL": 4091,
"CVE": 3,
"SSLCertFingerprint": 5
},
"indicator_count": 10430,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "237 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68bbdb22e3d606ae8fb5cda8",
"name": "HCPF | Department of Health Care Policy and Financing",
"description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir",
"modified": "2025-10-06T05:01:18.794000",
"created": "2025-09-06T06:56:34.649000",
"tags": [
"federal changes",
"health first",
"colorado",
"child health",
"plan plus",
"newimpact",
"medicaidour",
"impact",
"medicaid page",
"medicaid",
"beware",
"text/html",
"trackers",
"iframes",
"external-resources",
"new relic",
"g1gv3h3sxc0",
"utc gcw970gh4gg",
"android",
"known exploited",
"google",
"salesloft drift",
"sap s4hana",
"cve202542957",
"cisa",
"sitecore",
"linux",
"france",
"meta",
"rokrat",
"lizar",
"project nemesis",
"carbanak",
"cobalt strike",
"domino",
"no expiration",
"url https",
"type indicator",
"role title",
"related pulses",
"hostname https",
"m4e5930",
"hostname",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"ascii text",
"search",
"ogoogle trust",
"cngts ca",
"execution",
"next",
"dock",
"write",
"capture",
"persistence",
"malware",
"roboto",
"present feb",
"united",
"a domains",
"present dec",
"passive dns",
"moved",
"script domains",
"script urls",
"urls",
"title",
"date",
"resolved ips",
"http traffic",
"http get",
"match info",
"downloads",
"info",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"endgame systems"
],
"references": [
"Researched: https://hcpf.colorado.gov/",
"www.onyx-ware.com \u2022 https://www.endgamesystems.com/",
"millet-usgc-1.palantirfedstart.com",
"https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html",
"https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms",
"https://passwords.google/?utm_medium=hpp&utm",
"https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html",
"Researched publicly available information provided by representative of a target\u2019s estate",
"System has placed affected on multiple policies cancelling private policy without notice.",
"Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)",
"Provided documented evidence of appealed state issued plan and disclosed financials.",
"Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes",
"I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.",
"State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.",
"Target also owned an online brokerage & lead company, was agent & insurance marketer for years.",
"September began with false information, defaulted claims , denials from authorized services rendered years prior.",
"If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lizar",
"display_name": "Lizar",
"target": null
},
{
"id": "Project Nemesis",
"display_name": "Project Nemesis",
"target": null
},
{
"id": "Carbanak",
"display_name": "Carbanak",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Domino",
"display_name": "Domino",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [
"Hospitality",
"Financial",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1395,
"URL": 4304,
"CVE": 1,
"domain": 694,
"FileHash-SHA256": 1790,
"FileHash-MD5": 183,
"FileHash-SHA1": 103,
"SSLCertFingerprint": 5
},
"indicator_count": 8475,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "237 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68aff672de7f1b65a97c00b1",
"name": "WarzoneRAT impacts Social Media of users with compromised systems",
"description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn",
"modified": "2025-09-27T05:00:09.125000",
"created": "2025-08-28T06:25:54.794000",
"tags": [
"d10927",
"mp41",
"mp41 connection",
"r connection",
"ip address",
"dynamicloader",
"write c",
"globalc",
"medium",
"high",
"write",
"dll read",
"trojan",
"delphi",
"win32",
"dialer",
"tracking",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"t1590 gather",
"mitre att",
"ck matrix",
"null",
"click",
"title",
"span",
"meta",
"general",
"local",
"path",
"strings",
"refresh",
"tools",
"virgin islands",
"united",
"unknown ns",
"a domains",
"montserrat",
"passive dns",
"ipv4",
"urls",
"files",
"hosting",
"trojandropper",
"location virgin",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"item",
"has description",
"unknown",
"explorer",
"error",
"powershell",
"yara rule",
"windows",
"t1055",
"warzonerat",
"avemaria",
"virtool",
"netwire",
"malware",
"hostile",
"autoit",
"defender",
"date",
"bq aug",
"next associated",
"ipv4 add",
"resolved ips",
"get http",
"request",
"win64",
"khtml",
"gecko",
"resolutions",
"number",
"ja3s",
"algorithm",
"cnr12 cus",
"cname",
"accept",
"port",
"gmt ifnonematch",
"screenshots no",
"involved dns",
"name response",
"nxdomain",
"tcp connections",
"involved direct",
"country name",
"moved",
"alone email",
"body doctype",
"gmt server",
"content type",
"service privacy",
"cve"
],
"references": [
"http://remote.edikamin.com/",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"http://deposito.hostance.net/dialer/",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"simswap.in (possible Mirai or relationship to)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Virgin Islands, British"
],
"malware_families": [
{
"id": "Trojan:Win32/Diamin.F",
"display_name": "Trojan:Win32/Diamin.F",
"target": "/malware/Trojan:Win32/Diamin.F"
},
{
"id": "Dialer",
"display_name": "Dialer",
"target": null
},
{
"id": "Win32:CabMod\\ [Drp]",
"display_name": "Win32:CabMod\\ [Drp]",
"target": null
},
{
"id": "TrojanDropper:Win32/Hupigon.gen!A",
"display_name": "TrojanDropper:Win32/Hupigon.gen!A",
"target": "/malware/TrojanDropper:Win32/Hupigon.gen!A"
},
{
"id": "ALF:HeraklezEval:PUA:Win32/Keygen",
"display_name": "ALF:HeraklezEval:PUA:Win32/Keygen",
"target": null
},
{
"id": "Trojan:Win32/Startpage.AEA",
"display_name": "Trojan:Win32/Startpage.AEA",
"target": "/malware/Trojan:Win32/Startpage.AEA"
},
{
"id": "Banload",
"display_name": "Banload",
"target": null
},
{
"id": "TrojanDownloader:Win32/Banload.D",
"display_name": "TrojanDownloader:Win32/Banload.D",
"target": "/malware/TrojanDownloader:Win32/Banload.D"
},
{
"id": "Win32:Evo-gen",
"display_name": "Win32:Evo-gen",
"target": null
},
{
"id": "!#AddsCopy-ToStartup",
"display_name": "!#AddsCopy-ToStartup",
"target": null
},
{
"id": "VirTool:Win32/AutInject.CZ!bit",
"display_name": "VirTool:Win32/AutInject.CZ!bit",
"target": "/malware/VirTool:Win32/AutInject.CZ!bit"
},
{
"id": "Win.Trojan.Agent-316098",
"display_name": "Win.Trojan.Agent-316098",
"target": null
},
{
"id": "virtool:Win32/Injector.gen!BQ",
"display_name": "virtool:Win32/Injector.gen!BQ",
"target": "/malware/virtool:Win32/Injector.gen!BQ"
},
{
"id": "WarzoneRAT - S0670",
"display_name": "WarzoneRAT - S0670",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [
"Technology",
"Telecommunications",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4194,
"hostname": 1563,
"FileHash-SHA256": 2494,
"domain": 624,
"FileHash-MD5": 274,
"FileHash-SHA1": 226,
"email": 1,
"CVE": 1
},
"indicator_count": 9377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "246 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65f3e394bcf868816a29c2dc",
"name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton",
"description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.",
"modified": "2024-11-02T15:05:54.240000",
"created": "2024-03-15T05:58:44.839000",
"tags": [
"ISP",
"Google",
"Telus",
"Norton",
"Pixel"
],
"references": [
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
"https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark",
"https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark",
"https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark",
"https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark",
"https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
"",
"https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details",
"https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network",
"http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada",
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Telecommunications",
"Technology",
"Government"
],
"TLP": "green",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 3,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1231,
"FileHash-SHA1": 1215,
"FileHash-SHA256": 99653,
"URL": 158638,
"domain": 49468,
"hostname": 77233,
"email": 6,
"CIDR": 5450,
"CVE": 55
},
"indicator_count": 392949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 132,
"modified_text": "575 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66eb1585832bcf4f494f0335",
"name": "Telco - Swipper | Emotet and other malware spreader. BGP Bridging",
"description": "",
"modified": "2024-10-20T13:04:44.866000",
"created": "2024-09-18T18:01:41.013000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66ca37ac60cb425a2b3856c6",
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4635,
"domain": 771,
"email": 11,
"hostname": 1993,
"FileHash-SHA256": 3185,
"FileHash-MD5": 113,
"FileHash-SHA1": 101,
"CVE": 3
},
"indicator_count": 10814,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 236,
"modified_text": "588 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66e47020bdbbc384d102d169",
"name": "AWS Botnet *2nd L\u2070\u2070K \u00bb Quantum Fiber | Brute Forcer",
"description": "I researched link again. Stealthy hackers surrounding a targets whereabouts in Denver Metro/Denver Proper (Co) and surrounding areas. Unsafe targeting activity escalates.\n\n*Tip { PDF:UrlMal-inf\\ [Trj] - https://www.quantumfiber.com/moving.html?utm_source=Digital&utm_medium=DV360_YouTube&utm_campaign=QuantumFiber_Residential_Prospecting&utm_content=Movers-RES-QF-Movers-ACH-OLV30-50-YouTube-NA&gclid=CjwKCAjwooq3BhB3Eiw } Malware Families:\nWin.Dropper.LokiBot-9975730-0\n#LowFiEnableDTContinueAfterUnpacking\n#LowFiMalf_gen\nALF:PUA:Block:IObit\nALF:Program:Win32/Webcompanion\nALF:Ransom:Win32/Babax\nALF:Trojan:Win32/FormBook\nAWS\nPDF:UrlMal-inf\\ [Trj]\nTrojan:Win32/Qbot\nTrojanDownloader:Win32/Upatre\nUnix\nUnix.Malware.Generic-9875933-0\nVirTool:Win32/Injector\nVirTool:Win32/Obfuscator\nWin.Dropper.LokiBot-9975730-0\nWin.Keylogger.Banbra-9936388-0\nWorm:Win32/Mofksys",
"modified": "2024-10-13T13:01:27.179000",
"created": "2024-09-13T17:02:24.806000",
"tags": [
"namecheap",
"server",
"registrar abuse",
"code",
"dnssec",
"email",
"contact phone",
"registrar iana",
"registrar url",
"registrar whois",
"date",
"vhash",
"authentihash",
"imphash",
"ssdeep",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"trid upx",
"win16 ne",
"generic",
"packer",
"info sections",
"name virtual",
"address virtual",
"size raw",
"size entropy",
"md5 chi2",
"upx0",
"1 upx1",
"upx2",
"sysinternals",
"zenbox",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"dynamic",
"utc na",
"utc facebook",
"html info",
"meta tags",
"commerce cloud",
"trackers google",
"tag manager",
"gtmkj5bfwx",
"utc gtmp4hkt96",
"utc gtm5z5w687v",
"sample",
"t1497",
"sandbox evasion",
"may sleep",
"downloads",
"http performs",
"mitre att",
"evasion ta0005",
"upx software",
"t1036 creates",
"get http",
"post http",
"number",
"ja3s",
"algorithm",
"subject",
"data",
"server ca",
"odigicert inc",
"cus lsan",
"calls",
"text",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"url https",
"http",
"ip address",
"related nids",
"files location",
"as8068",
"united",
"unknown",
"ref b",
"wed may",
"entries",
"mtb dec",
"body",
"please",
"twitter",
"malware",
"trojan",
"trojan features",
"related pulses",
"file samples",
"files matching",
"show",
"search",
"date hash",
"next",
"showing",
"worm",
"win32",
"alf features",
"aaaa",
"cname",
"united kingdom",
"creation date",
"certificate",
"tlsv1",
"oglobalsign",
"stzhejiang",
"lhangzhou",
"oalibaba",
"china",
"encrypt",
"copy",
"write",
"august",
"local",
"xport",
"regsetvalueexa",
"regdword",
"regbinary",
"medium",
"high",
"regsetvalueexw",
"regsz",
"langchinese",
"delphi",
"persistence",
"execution",
"read c",
"create c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"write c",
"delete c",
"mozilla",
"as62597 nsone",
"domain",
"as20940",
"as8075",
"virtool",
"whitelisted ip",
"location united",
"asn as8068",
"registrar",
"markmonitor",
"tags",
"related tags",
"threat roundup",
"october",
"historical ssl",
"referrer",
"round",
"december",
"november",
"guloader",
"files",
"detections file",
"name file",
"file size",
"name",
"html",
"cab null",
"ubuntu",
"linux x8664",
"contentlength",
"gobrut",
"malware c",
"c request",
"config",
"meta",
"photolan",
"moved",
"a domains",
"as47748 daticum",
"meta http",
"content",
"gmt server",
"ipv4",
"pragma",
"apache",
"sales",
"expiration date",
"name servers",
"asnone bulgaria",
"ns nxdomain",
"nxdomain",
"soa nxdomain",
"cape",
"gobrut malware",
"suricata",
"et malware",
"bruter cnc",
"checkin",
"activity",
"malware config",
"yara detections",
"contacted",
"a li",
"li ul",
"div div",
"set cookie",
"as29873",
"link",
"hong kong",
"as45102 alibaba",
"div li",
"gmt max",
"age2592000 path",
"log id",
"gmtn",
"tls web",
"ca issuers",
"timestamp",
"b715",
"b59bn timestamp",
"false",
"as2914 ntt",
"record value",
"data redacted",
"as4230 claro",
"invalid url",
"research group",
"as13768 aptum",
"canada unknown",
"canada",
"hostpapa",
"hosting",
"click",
"rdds service",
"record",
"registrant",
"admin",
"tech contact",
"script domains",
"as3257 gtt",
"asnone canada",
"access denied",
"servers",
"emails",
"as397241",
"as31898 oracle",
"as397240",
"overview ip",
"flag united",
"hostname",
"files domain",
"as15169 google",
"as396982 google",
"as16625 akamai",
"as35994 akamai",
"france",
"discovery",
"t1010",
"t1012",
"t1027",
"information",
"t1055",
"injection",
"t1057",
"t1059",
"ssh attacker",
"mitm",
"aitm",
"tracker",
"botnet",
"binary",
"ghostscript",
"brendan coates",
"daley",
"trent wiltshire",
"aws botnet",
"filehashsha256",
"filehashsha1",
"filehashmd5",
"https",
"salitiy",
"unix malware",
"created",
"url http",
"unix",
"aws",
"role title",
"added active",
"report spam",
"quantumfiber",
"denver co",
"critical",
"default",
"traditional",
"compiler",
"intel",
"ms windows",
"ssdeep",
"rich pe",
"imphash",
"utc gtm5z5w687v",
"utc gtmp4hkt96",
"pecompact",
"packer",
"ids",
"commerce cloud",
"meta tags",
"gmt etag",
"accept encoding",
"accept",
"status",
"west domains",
"path",
"author avatar",
"active file",
"denver",
"vt graph",
"currently",
"im unaware",
"pnpd5d",
"susp",
"filehash",
"av detections",
"pecompact",
"february",
"asnone germany",
"as21499 host",
"singapore",
"germany",
"object",
"alerts",
"icmp traffic",
"createdate",
"microsoft color",
"msft",
"format",
"as44273 host",
"content type",
"kodak easyshare",
"easyshare",
"eastman kodak",
"kodak",
"kukacka",
"virus",
"rsdsr7siwwd d",
"install",
"service",
"explorer",
"windows",
"name type",
"md5 process",
"sqlite",
"sqlite version",
"active",
"pre crime",
"cyber attack",
"hackers",
"quantum fiber",
"quantumfiber.com",
"target tsara brashears",
"tech id",
"hallrender",
"brian sabey",
"hijack",
"spotify artists",
"idlinea8 sep",
"xo544",
"xa10629",
"sitegg",
"fcolorffffff",
"net1",
"inhibit system",
"oracle",
"level 3"
],
"references": [
"QuantumFiber.com a 2nd look",
"Related Tags: https://www.virustotal.com/graph/embed/g17b255d00de64c0faa707968 [OG:dorkingbeauty | Cloned: StreaminingEx]",
"13.107.21.200 Bat.Bing - Trojan:Win32/Qbot | ALF:Ransom:Win32/Babax | Worm:Win32/Mofksys | ALF:Program:Win32/Webcompanion",
"IDS Detections: Win32.Lexip Checkin Unsupported/Fake FireFox Version 2.",
"IDS Detections: Windows 98 User-Agent Detected - Possible Malware or Non-Updated System Unsupported/Fake Internet Explorer Version MSIE 5.",
"Win.Dropper.LokiBot-9975730-0",
"Win.Dropper.LokiBot-9975730-0 FileHash-SHA256 8f65d7817731cf1b7fada1be16d85464383813dd1f0388a933cec2abbeda4ba9",
"IDS Detections: TLS Handshake Failure Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp modifies_proxy_wpad multiple_useragents injection_resumethread",
"Win.Keylogger.Banbra FileHash-SHA256 94517bb37a8ebe48a06a64b20237e287101bc93bbc840bf6e1ab7dfb28a2da5a",
"Yara Detections: Delphi",
"IDS Detections: Win32/Adware.Ymeta.A CnC Beacon Win32/Adware.Ymeta.A CnC Win32/Adware.Ymeta Variant Activity",
"IDS Detections: Observed Suspicious UA (Mozilla/5.0) Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)",
"Query to a *.top domain - Likely Hostile Query for .cc TLD",
"Alerts: dead_host network_icmp nolookup_communication disables_proxy modifies_certificates modifies_proxy_wpad",
"Alerts: ransomware_dropped_files ransomware_mass_file_delete antivm_vmware_in_instruction",
"Unix.Malware.Generic: IDS Detections Generic.Go.Bruteforcer CnC Beacon Generic.Go.Bruteforcer Receiving Config",
"Unix.Malware.Generic: Observed DNS Query for Israel Domain (.il) | Alerts: cape_detected_threat",
"Unix.Malware.Generic: Yara Detections: is__elf , UPXProtectorv10x2 , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"Unix.Malware.Generic:",
"Unix.Malware.Generic:",
"networkservice.exe: Matches rule SERVER-OTHER Spring Data Commons remote code execution attempt",
"wallet.mewards.bing.com | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | wallpapers-nature.com",
"Malware Families: Win.Dropper.LokiBot-9975730-0 #LowFiEnableDTContinueAfterUnpacking #LowFiMalf_gen Worm:Win32/Mofksys",
"Malware Families: ALF:PUA:Block:IObit ALF:Program:Win32/Webcompanion ALF:Ransom:Win32/Babax Win.Keylogger.Banbra-9936388-0",
"Malware Families: ALF:Trojan:Win32/FormBook AWS PDF:UrlMal-inf\\ [Trj] Trojan:Win32/Qbot Unix.Malware.Generic-9875933-0",
"Malware Families: VirTool:Win32/Injector TrojanDownloader:Win32/Upatre Unix VirTool:Win32/Obfuscator Win.Dropper.LokiBot-9975730-0"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win.Keylogger.Banbra-9936388-0",
"display_name": "Win.Keylogger.Banbra-9936388-0",
"target": null
},
{
"id": "#LowFiMalf_gen",
"display_name": "#LowFiMalf_gen",
"target": null
},
{
"id": "Trojan:Win32/Qbot",
"display_name": "Trojan:Win32/Qbot",
"target": "/malware/Trojan:Win32/Qbot"
},
{
"id": "ALF:Ransom:Win32/Babax",
"display_name": "ALF:Ransom:Win32/Babax",
"target": null
},
{
"id": "Worm:Win32/Mofksys",
"display_name": "Worm:Win32/Mofksys",
"target": "/malware/Worm:Win32/Mofksys"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "ALF:PUA:Block:IObit",
"display_name": "ALF:PUA:Block:IObit",
"target": null
},
{
"id": "Win.Dropper.LokiBot-9975730-0",
"display_name": "Win.Dropper.LokiBot-9975730-0",
"target": null
},
{
"id": "Win.Dropper.LokiBot-9975730-0",
"display_name": "Win.Dropper.LokiBot-9975730-0",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Unix.Malware.Generic-9875933-0",
"display_name": "Unix.Malware.Generic-9875933-0",
"target": null
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Unix",
"display_name": "Unix",
"target": null
},
{
"id": "AWS",
"display_name": "AWS",
"target": null
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "PDF:UrlMal-inf\\ [Trj]",
"display_name": "PDF:UrlMal-inf\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1490",
"name": "Inhibit System Recovery",
"display_name": "T1490 - Inhibit System Recovery"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1510",
"name": "Clipboard Modification",
"display_name": "T1510 - Clipboard Modification"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1644,
"FileHash-SHA1": 1614,
"FileHash-SHA256": 2742,
"URL": 2708,
"domain": 2150,
"hostname": 2508,
"email": 21,
"SSLCertFingerprint": 33,
"CVE": 2
},
"indicator_count": 13422,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "595 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66d4b052225d396d18e395c3",
"name": " Telco - SWIPPER | Emotet and other malware spreader. BGP Hurricane Electric ",
"description": "",
"modified": "2024-09-20T20:04:19.210000",
"created": "2024-09-01T18:20:02.256000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66ca37ac60cb425a2b3856c6",
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4338,
"domain": 753,
"email": 9,
"hostname": 1799,
"FileHash-SHA256": 3098,
"FileHash-MD5": 110,
"FileHash-SHA1": 98,
"CVE": 3
},
"indicator_count": 10210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "618 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66ca37ac60cb425a2b3856c6",
"name": "Telco - Swipper | Emotet and other malware spreader. BGP Hurricane Electric related ",
"description": "",
"modified": "2024-09-20T20:04:19.210000",
"created": "2024-08-24T19:42:36.642000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66c66114103f15aab3b00d6c",
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4338,
"domain": 753,
"email": 9,
"hostname": 1799,
"FileHash-SHA256": 3098,
"FileHash-MD5": 110,
"FileHash-SHA1": 98,
"CVE": 3
},
"indicator_count": 10210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "618 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66c66114103f15aab3b00d6c",
"name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?",
"description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.",
"modified": "2024-09-20T20:04:19.210000",
"created": "2024-08-21T21:50:12.543000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4338,
"domain": 753,
"email": 9,
"hostname": 1799,
"FileHash-SHA256": 3098,
"FileHash-MD5": 110,
"FileHash-SHA1": 98,
"CVE": 3
},
"indicator_count": 10210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "618 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66c661131c5003925e9bfe15",
"name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?",
"description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.",
"modified": "2024-09-20T20:04:19.210000",
"created": "2024-08-21T21:50:11.612000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4338,
"domain": 753,
"email": 9,
"hostname": 1799,
"FileHash-SHA256": 3098,
"FileHash-MD5": 110,
"FileHash-SHA1": 98,
"CVE": 3
},
"indicator_count": 10210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "618 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6683aae863ba601bac1a28b5",
"name": "Zombie.A \u2022 Bayrob in fake malware information website.",
"description": "Incredibly malicious IoC's found in a legitimate appearing website with informative information. Prominently appears at top of targets search results. \n https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png\nMultiple government domains behind website. Honeypot?",
"modified": "2024-08-01T06:03:26.298000",
"created": "2024-07-02T07:23:20.582000",
"tags": [
"ukraine",
"referrer",
"deploys fake",
"uue files",
"fsociety",
"target colombia",
"judiciary",
"financial",
"public",
"tools",
"sector",
"mexico",
"aka xloader",
"html",
"html info",
"title",
"meta tags",
"google tag",
"utc gnr5gzhd545",
"utc na",
"utc aw944900006",
"utc linkedin",
"formbook",
"accept",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"apache",
"so funny",
"click",
"urls",
"passive dns",
"http",
"unique",
"scan endpoints",
"all octoseek",
"url http",
"ip address",
"related nids",
"code",
"united",
"as54113",
"unknown",
"aaaa",
"as15169 google",
"as46691",
"status",
"cname",
"search",
"whitelisted",
"body",
"date",
"msil",
"meta",
"third-party-cookies",
"iframes",
"external-resources",
"text/html",
"trackers",
"end game",
"name servers",
"select contact",
"domain holder",
"nexus category",
"creation date",
"showing",
"date hash",
"avast avg",
"trojan",
"mtb may",
"dynamicloader",
"high",
"medium",
"yara detections",
"sniffs",
"attempts",
"alternate data",
"stream",
"a foreign",
"cultureneutral",
"get na",
"show",
"delete c",
"entries",
"cape",
"delete",
"default",
"copy",
"nivdort",
"write",
"trojanspy",
"bayrob",
"malware",
"eagle eyed",
"nonads",
"path max",
"age86400 set",
"cookie",
"script urls",
"type",
"script script",
"win32 exe",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"exe32",
"compiler",
"vs98",
"contained",
"simplified",
"info compiler",
"products",
"sp6 build",
"header intel",
"name md5",
"language",
"not found",
"rules not",
"mitre",
"info ids",
"found sigma",
"found",
"files not",
"found network",
"getlasterror",
"icons library",
"os2 executable",
"files",
"file type",
"kb file",
"name",
"type name",
"ip detections",
"country",
"gandi sas",
"dynadot",
"enom",
"namecheap",
"dynadot inc",
"namecheap inc",
"dynadot llc",
"domains",
"tucows domains",
"melbourne it",
"historical ssl",
"realteck audio",
"problems",
"lemon duck",
"iocs",
"sneaky server",
"replacement",
"unauthorized",
"windows",
"windir",
"samplepath",
"user",
"process",
"created",
"shell commands",
"windefend",
"created bus",
"tree",
"registry keys",
"reports upgrade",
"keys set",
"upgradestart",
"dword",
"data registry",
"keys deleted",
"reports",
"get http",
"request",
"http requests",
"ip traffic",
"dns resolutions",
"resolutions",
"mitre att",
"defense evasion",
"ta0007 command",
"control ta0011",
"impact ta0034",
"impact ta0040",
"graph",
"bundled files",
"name file",
"contacted ip",
"users",
"number",
"ascii text",
"crlf line",
"database",
"english",
"tue jun",
"installer",
"template",
"tulach",
"rexxfield",
"milesit",
"cp",
"self deleting",
"stuff",
"copying",
"packages found",
"targeting major",
"injects ads",
"into search",
"results",
"overlay",
"text",
"win32 dll",
"javascript",
"db2maestro",
"open ports",
"ipv4",
"pulse submit",
"url analysis",
"expiration date",
"hostname",
"next",
"ten process",
"utc facebook",
"utc google",
"title ten",
"blog meta",
"tags",
"elastic blog",
"bing ads",
"as8068",
"certificate",
"otx telemetry",
"ref b",
"record value",
"emails",
"please",
"win32",
"x msedge",
"pulse pulses",
"no data",
"tag count",
"analyzer threat",
"url summary",
"ip summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"cisco umbrella",
"site",
"alexa top",
"safe site",
"mail spammer",
"million",
"malware site",
"phishing site",
"malicious site",
"bank",
"fuery",
"unsafe",
"malicious",
"alexa",
"zbot",
"asn as16625",
"akamai",
"less",
"is2osecurity",
"domain name",
"active",
"as21342",
"domain",
"location israel",
"asn as1680",
"invalid url",
"body html",
"head title",
"title head",
"body h1",
"reference",
"log id",
"gmtn",
"digicert tls",
"rsa sha256",
"tls web",
"full name",
"digicert inc",
"organization",
"district",
"columbia",
"false",
"as20940",
"as16625 akamai",
"as8987 amazon",
"moved",
"as1680 cellcom",
"alerts",
"related pulses",
"guard",
"dynamic",
"reads",
"https link",
"as8075",
"record type",
"ttl value",
"redacted for",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"server",
"email",
"office open",
"ms word",
"document",
"xml document",
"xml spreadsheet",
"email trash",
"rich text",
"pdf tripwire",
"fall",
"whois lookups",
"contact email",
"blind eagle",
"brian sabey"
],
"references": [
"https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png",
"https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc",
"Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc",
"Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77",
"Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320",
"Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect",
"Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile",
"IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden",
"Alerts: cape_detected_threat cape_extracted_content",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07",
"TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c",
"Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69",
"Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07",
"Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120",
"Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net",
"Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net",
"https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc",
"trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758",
"Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019",
"Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038",
"Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis",
"Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001",
"Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022",
"Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001",
"Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052",
"Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003",
"Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus",
"Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses",
"Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst",
"Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP",
"http://Object.prototype.hasOwnProperty.call",
"Tulach! It's been a minute - 114.114.114.114",
"What's going on here judiciary? Karen - cisa.gov? e.final",
"f.search schema.org t.final",
"ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov",
"[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov",
"[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov",
"[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml",
"Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window",
"https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net",
"Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV"
],
"public": 1,
"adversary": "Blind Eagle",
"targeted_countries": [
"United States of America",
"Colombia",
"Netherlands",
"Israel"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn",
"target": null
},
{
"id": "TrojanSpy:Win32/Nivdort.CW",
"display_name": "TrojanSpy:Win32/Nivdort.CW",
"target": "/malware/TrojanSpy:Win32/Nivdort.CW"
},
{
"id": "Bayrob",
"display_name": "Bayrob",
"target": null
},
{
"id": "trojan.bayrob/lazy",
"display_name": "trojan.bayrob/lazy",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0030",
"name": "Defense Evasion",
"display_name": "TA0030 - Defense Evasion"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 31,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1167,
"FileHash-SHA1": 738,
"FileHash-SHA256": 3074,
"URL": 1019,
"domain": 1639,
"hostname": 973,
"email": 11,
"SSLCertFingerprint": 2
},
"indicator_count": 8623,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "668 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66141ecabe8f1ab189351dd3",
"name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring",
"description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related",
"modified": "2024-05-08T16:00:34.588000",
"created": "2024-04-08T16:43:54.908000",
"tags": [
"installer",
"tofsee",
"trojan",
"dropper",
"dns",
"as20940",
"united",
"aaaa",
"as15703",
"search",
"servers",
"as8455 schuberg",
"a domains",
"encrypt",
"code",
"tweakers",
"unknown",
"ransom",
"body",
"webcams",
"banker",
"location tracking",
"vehicle tracking",
"device tracking",
"exploitation",
"redirects",
"ip tracking",
"vpn nullify",
"vehicle keycodes",
"search threat",
"analyzer feeds",
"panel platform",
"search platform",
"profile user",
"iocs",
"redacted for",
"passive dns",
"all scoreblue",
"hostname",
"next",
"cnc",
"scanning host",
"milesone",
"virtual currency mining",
"crypto",
"regsetvalueexa",
"regdword",
"default",
"show",
"regbinary",
"read c",
"settingswpad",
"as15169",
"malware",
"copy",
"write",
"upatre",
"ids detections",
"scan endpoints",
"filehash",
"av detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"ransom",
"related pulses",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pe resource",
"august",
"win32",
"for privacy",
"creation date",
"name servers",
"urls",
"date",
"status",
"as15169 google",
"as44273 host",
"ipv4",
"pulse submit",
"url analysis",
"msie",
"chrome",
"moved",
"title",
"gmt content",
"apple",
"invalidate_gift_cards",
"tulach rebranded",
"hallrender rebranded",
"as8075",
"verdana",
"td tr",
"domain",
"germany unknown",
"as34011 host",
"etag",
"medium",
"module load",
"invalidate_google_play",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"win32 exe",
"win32 dll",
"javascript",
"mozilla firefox",
"edition",
"detections type",
"name",
"keeweb",
"setup",
"firefox setup",
"record type",
"ttl value",
"android",
"files",
"formbook",
"critical cmd",
"tracker",
"tsara brashears",
"remote",
"historical ssl",
"referrer",
"march",
"body html",
"head meta",
"moved title",
"head body",
"pegasus",
"nemtih",
"hit",
"men",
"gift_card_mining",
"google_play_card_mining",
"miner",
"htmladodb may",
"twitter",
"win64",
"as21342",
"as2914 ntt",
"as15334",
"error",
"certificate",
"checkbox",
"accept",
"record value",
"emails",
"domain name"
],
"references": [
"Virustotal - google.com.uy",
"https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]",
"Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring",
"https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect",
"https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales",
"nr-data.net [Apple Private Data Collection]",
"checkip.dyndns.org [command and control]",
"checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon",
"144.76.108.82 [scanning host]",
"Yara Detections PEtite24",
"FormBook IP: 142.251.211.243",
"https://pegasusm2.bullsbikesusa.com",
"https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands"
],
"malware_families": [
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Trojan:MSIL/TrojanDropper",
"display_name": "Trojan:MSIL/TrojanDropper",
"target": "/malware/Trojan:MSIL/TrojanDropper"
},
{
"id": "Installer",
"display_name": "Installer",
"target": null
},
{
"id": "Sf:Agent-DQ\\ [Trj]",
"display_name": "Sf:Agent-DQ\\ [Trj]",
"target": null
},
{
"id": "TrojanDownloader:Win32/Upatre!rfn",
"display_name": "TrojanDownloader:Win32/Upatre!rfn",
"target": "/malware/TrojanDownloader:Win32/Upatre!rfn"
},
{
"id": "Win32:DropperX-gen\\ [Drp]",
"display_name": "Win32:DropperX-gen\\ [Drp]",
"target": null
},
{
"id": "Win.Trojan.Tofsee-9770082-1",
"display_name": "Win.Trojan.Tofsee-9770082-1",
"target": null
},
{
"id": "Ransom:Win32/StopCrypt.AK!MTB",
"display_name": "Ransom:Win32/StopCrypt.AK!MTB",
"target": "/malware/Ransom:Win32/StopCrypt.AK!MTB"
}
],
"attack_ids": [
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1574.005",
"name": "Executable Installer File Permissions Weakness",
"display_name": "T1574.005 - Executable Installer File Permissions Weakness"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
},
{
"id": "T1029",
"name": "Scheduled Transfer",
"display_name": "T1029 - Scheduled Transfer"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1013",
"name": "Port Monitors",
"display_name": "T1013 - Port Monitors"
},
{
"id": "T1430",
"name": "Location Tracking",
"display_name": "T1430 - Location Tracking"
},
{
"id": "T1468",
"name": "Remotely Track Device Without Authorization",
"display_name": "T1468 - Remotely Track Device Without Authorization"
},
{
"id": "T1450",
"name": "Exploit SS7 to Track Device Location",
"display_name": "T1450 - Exploit SS7 to Track Device Location"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1483",
"name": "Domain Generation Algorithms",
"display_name": "T1483 - Domain Generation Algorithms"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 392,
"FileHash-SHA1": 468,
"FileHash-SHA256": 3233,
"URL": 8667,
"domain": 2219,
"hostname": 3480,
"email": 8
},
"indicator_count": 18467,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 235,
"modified_text": "753 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65f9a6c7f53e3e65891da823",
"name": "Emotet CnC Server| Injection | 192.96.223.11 - sectorlink.com |",
"description": "",
"modified": "2024-04-18T14:05:16.862000",
"created": "2024-03-19T14:52:55.036000",
"tags": [
"script urls",
"united",
"as12129",
"search",
"redacted for",
"entries",
"passive dns",
"urls",
"record value",
"date",
"unknown",
"encrypt",
"meta",
"address",
"creation date",
"customer",
"body",
"span",
"accept",
"apache",
"moved",
"gmt server",
"apache location",
"scan endpoints",
"all scoreblue",
"ipv4",
"gmt etag",
"accept encoding",
"user agent",
"x frame",
"privacy inc",
"next",
"for privacy",
"a domains",
"a li",
"div div",
"ul li",
"read c",
"write c",
"delete c",
"delete",
"write",
"create c",
"crlf line",
"default",
"medium",
"dock",
"execution",
"copy",
"xport",
"showing",
"number",
"sectorlink",
"eisert",
"google",
"basic",
"network",
"label",
"registry arin",
"country us",
"continent na",
"first",
"algorithm",
"v3 serial",
"subject public",
"key info",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"record type",
"ttl value",
"aaaa",
"zemqyj",
"full name",
"data",
"cus cnrapidssl",
"global tls",
"rsa4096 sha256",
"ca1 odigicert",
"server",
"whois lookup",
"dnssec",
"domain name",
"status",
"domain status",
"abuse contact",
"email",
"registrar abuse",
"issuer",
"ssl certificate",
"whois record",
"historical ssl",
"referrer",
"whois whois",
"resolutions",
"siblings domain",
"contacted",
"trojan",
"emotet",
"process32nextw",
"post",
"regsetvalueexa",
"win32emotet cnc",
"activity",
"regdword",
"post http",
"cryptexportkey",
"emotet",
"malware",
"win32"
],
"references": [
"192.96.223.11 - sectorlink.com",
"M9 W32/Emotet CnC Checkin M3"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win32:BankerX-gen\\ [Trj]",
"display_name": "Win32:BankerX-gen\\ [Trj]",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.004",
"name": "Server",
"display_name": "T1583.004 - Server"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 29,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 159,
"FileHash-SHA1": 148,
"FileHash-SHA256": 1504,
"URL": 2182,
"domain": 454,
"hostname": 993,
"email": 5,
"CIDR": 4
},
"indicator_count": 5449,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "773 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65f4ba867ec44a4dc0e6fc96",
"name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com",
"description": "Jiuxiu Live - High-quality beauty online video interactive community - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -porn dump. Performed tiny DNS test on affected target. \nDNS stuffing pornography. DNSpionage , custom browser, DNS tunneling encoding data, programs, protocols, DNS queries, responses, amplification attack; perform (DDoS) on server, flood attack, spoofing. Attack. Miles IT & affiliated logging inas target. Pitfall of being compromised for some; you won't speak to legitimate business unless you know & recognize voice. \nSome notations in references.",
"modified": "2024-04-13T11:00:32.548000",
"created": "2024-03-15T21:15:50.802000",
"tags": [
"q htpps",
"g htpps",
"q https",
"virustotal",
"exif standard",
"tiff image",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"default",
"jpeg image",
"search",
"copy",
"code",
"write",
"pecompact",
"february",
"packer",
"delphi",
"win32",
"persistence",
"execution",
"next",
"create c",
"delete c",
"intel",
"ms windows",
"pe32",
"precreate read",
"united",
"show",
"regsetvalueexa",
"trojan",
"markus",
"mozilla",
"write c",
"json",
"entries",
"ascii text",
"data",
"as15169",
"error",
"malware",
"win64",
"denmark as32934",
"ip hostname",
"reverse ip",
"lookup country",
"as7018 att",
"as14618",
"as54113",
"country code",
"as36081 state",
"redirect chain",
"redirection",
"location",
"lakewood",
"emails",
"as name",
"ssl certificate",
"whois record",
"k0pmbc",
"spsfsb",
"zwdk9d",
"vwdzfe",
"contacted",
"referrer",
"ntmzac",
"historical ssl",
"august",
"hacktool",
"core",
"agent tesla",
"emotet",
"chaos",
"ransomexx",
"quasar",
"algorithm",
"v3 serial",
"number",
"cus cnamazon",
"validity",
"subject public",
"key info",
"key algorithm",
"key identifier",
"subject key",
"first",
"server",
"registrar abuse",
"date",
"markmonitor",
"epic games",
"iana id",
"contact phone",
"domain status",
"registrar whois",
"registrar",
"win32 exe",
"python",
"launchres",
"win32 dll",
"unrealengine",
"detections type",
"name",
"bundled",
"ctsu",
"smokeloader",
"privateloader",
"relic",
"monitoring",
"startpage",
"\u7f8e\u5973\u76f4\u64ad",
"\u7f8e\u5973\u89c6\u9891",
"\u7f8e\u5973\u4e3b\u64ad",
"\u89c6\u9891\u804a\u5929",
"\u89c6\u9891\u4ea4\u53cb",
"\u7f8e\u5973\u4ea4\u53cb",
"\u7f8e\u5973\u79c0\u573a",
"\u6e05\u7eaf\u7f8e\u5973",
"\u6027\u611f\u7f8e\u5973",
"\u7f8e\u5973\u4e92\u52a8",
"\u7f8e\u5973\u804a\u5929",
"\u7f8e\u5973\u5728\u7ebf\u8868\u6f14",
"\u7f8e\u5973\u76f4\u64ad\u95f4",
"\u7f8e\u5973\u804a\u5929\u5ba4",
"icp2021030667",
"0110542",
"copyright",
"rights reserved",
"resolutions",
"contacted urls",
"siblings domain",
"siblings",
"parent domain",
"cname",
"whitelisted",
"status",
"as15169 google",
"asnone united",
"servers",
"aaaa",
"body",
"sample",
"samples",
"detection list",
"blacklist",
"cisco umbrella",
"site",
"site top",
"heur",
"alexa top",
"safe site",
"million",
"million alexa",
"site safe",
"malicious site",
"unsafe",
"alexa",
"riskware",
"artemis",
"blacknet rat",
"quasar rat",
"crack",
"presenoker",
"dapato",
"stealer",
"phish",
"memscan",
"nsis",
"phishing",
"bulz",
"maltiverse",
"trojanspy",
"blacknet",
"zbot",
"aig",
"unknown",
"passive dns",
"urls",
"expiresthu",
"gmt path",
"scan endpoints",
"encrypt",
"dynamicloader",
"high",
"medium",
"qaeaav12",
"windows",
"cape",
"windows wget",
"suspicious",
"powershell",
"canvas",
"form",
"showing",
"all octoseek",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"cus cnr3",
"olet",
"l http",
"wifi",
"wifi access",
"wifi hotspot",
"wifi internet",
"southwest wifi",
"inflight",
"inflight entertainment",
"southwest",
"comedy",
"internet",
"strong",
"drama",
"google chrome",
"business select",
"internet access",
"apple safari",
"book",
"rapid",
"love",
"summer",
"poppy",
"floyd",
"district",
"jackson",
"kevin",
"live",
"music",
"upgrade",
"gift",
"lost",
"carol",
"canada",
"cobalt strike",
"malicious",
"fragtor",
"phishing paypal",
"mail spammer"
],
"references": [
"https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420",
"tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate",
"Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com",
"Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net",
"Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3",
"https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357",
"Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.",
"Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.",
"Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI",
"'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.",
"'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.",
"'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.",
"Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.",
"Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.",
"'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.",
"Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.",
"Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.",
"Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.",
"Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.",
"Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.",
"Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.",
"Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.",
"Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.",
"I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.",
"Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.",
"You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.",
"Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...",
"Self whitelisting tool, domains moved within nginx."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Bulz",
"display_name": "Bulz",
"target": null
},
{
"id": "Quasar",
"display_name": "Quasar",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Fragtor",
"display_name": "Fragtor",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 60,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8753,
"domain": 1525,
"hostname": 3740,
"FileHash-SHA256": 6746,
"FileHash-MD5": 619,
"FileHash-SHA1": 509,
"SSLCertFingerprint": 3,
"CVE": 8,
"CIDR": 5,
"email": 7
},
"indicator_count": 21915,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "778 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65f980ad16123b5d52f5f76f",
"name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com [Report originated from octoseek]",
"description": "",
"modified": "2024-04-13T11:00:32.548000",
"created": "2024-03-19T12:10:21.291000",
"tags": [
"q htpps",
"g htpps",
"q https",
"virustotal",
"exif standard",
"tiff image",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"default",
"jpeg image",
"search",
"copy",
"code",
"write",
"pecompact",
"february",
"packer",
"delphi",
"win32",
"persistence",
"execution",
"next",
"create c",
"delete c",
"intel",
"ms windows",
"pe32",
"precreate read",
"united",
"show",
"regsetvalueexa",
"trojan",
"markus",
"mozilla",
"write c",
"json",
"entries",
"ascii text",
"data",
"as15169",
"error",
"malware",
"win64",
"denmark as32934",
"ip hostname",
"reverse ip",
"lookup country",
"as7018 att",
"as14618",
"as54113",
"country code",
"as36081 state",
"redirect chain",
"redirection",
"location",
"lakewood",
"emails",
"as name",
"ssl certificate",
"whois record",
"k0pmbc",
"spsfsb",
"zwdk9d",
"vwdzfe",
"contacted",
"referrer",
"ntmzac",
"historical ssl",
"august",
"hacktool",
"core",
"agent tesla",
"emotet",
"chaos",
"ransomexx",
"quasar",
"algorithm",
"v3 serial",
"number",
"cus cnamazon",
"validity",
"subject public",
"key info",
"key algorithm",
"key identifier",
"subject key",
"first",
"server",
"registrar abuse",
"date",
"markmonitor",
"epic games",
"iana id",
"contact phone",
"domain status",
"registrar whois",
"registrar",
"win32 exe",
"python",
"launchres",
"win32 dll",
"unrealengine",
"detections type",
"name",
"bundled",
"ctsu",
"smokeloader",
"privateloader",
"relic",
"monitoring",
"startpage",
"\u7f8e\u5973\u76f4\u64ad",
"\u7f8e\u5973\u89c6\u9891",
"\u7f8e\u5973\u4e3b\u64ad",
"\u89c6\u9891\u804a\u5929",
"\u89c6\u9891\u4ea4\u53cb",
"\u7f8e\u5973\u4ea4\u53cb",
"\u7f8e\u5973\u79c0\u573a",
"\u6e05\u7eaf\u7f8e\u5973",
"\u6027\u611f\u7f8e\u5973",
"\u7f8e\u5973\u4e92\u52a8",
"\u7f8e\u5973\u804a\u5929",
"\u7f8e\u5973\u5728\u7ebf\u8868\u6f14",
"\u7f8e\u5973\u76f4\u64ad\u95f4",
"\u7f8e\u5973\u804a\u5929\u5ba4",
"icp2021030667",
"0110542",
"copyright",
"rights reserved",
"resolutions",
"contacted urls",
"siblings domain",
"siblings",
"parent domain",
"cname",
"whitelisted",
"status",
"as15169 google",
"asnone united",
"servers",
"aaaa",
"body",
"sample",
"samples",
"detection list",
"blacklist",
"cisco umbrella",
"site",
"site top",
"heur",
"alexa top",
"safe site",
"million",
"million alexa",
"site safe",
"malicious site",
"unsafe",
"alexa",
"riskware",
"artemis",
"blacknet rat",
"quasar rat",
"crack",
"presenoker",
"dapato",
"stealer",
"phish",
"memscan",
"nsis",
"phishing",
"bulz",
"maltiverse",
"trojanspy",
"blacknet",
"zbot",
"aig",
"unknown",
"passive dns",
"urls",
"expiresthu",
"gmt path",
"scan endpoints",
"encrypt",
"dynamicloader",
"high",
"medium",
"qaeaav12",
"windows",
"cape",
"windows wget",
"suspicious",
"powershell",
"canvas",
"form",
"showing",
"all octoseek",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"cus cnr3",
"olet",
"l http",
"wifi",
"wifi access",
"wifi hotspot",
"wifi internet",
"southwest wifi",
"inflight",
"inflight entertainment",
"southwest",
"comedy",
"internet",
"strong",
"drama",
"google chrome",
"business select",
"internet access",
"apple safari",
"book",
"rapid",
"love",
"summer",
"poppy",
"floyd",
"district",
"jackson",
"kevin",
"live",
"music",
"upgrade",
"gift",
"lost",
"carol",
"canada",
"cobalt strike",
"malicious",
"fragtor",
"phishing paypal",
"mail spammer"
],
"references": [
"https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420",
"tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate",
"Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com",
"Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net",
"Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3",
"https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357",
"Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.",
"Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.",
"Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI",
"'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.",
"'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.",
"'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.",
"Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.",
"Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.",
"'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.",
"Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.",
"Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.",
"Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.",
"Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.",
"Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.",
"Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.",
"Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.",
"Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.",
"I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.",
"Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.",
"You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.",
"Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...",
"Self whitelisting tool, domains moved within nginx."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Bulz",
"display_name": "Bulz",
"target": null
},
{
"id": "Quasar",
"display_name": "Quasar",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Fragtor",
"display_name": "Fragtor",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65f4ba867ec44a4dc0e6fc96",
"export_count": 51,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8753,
"domain": 1525,
"hostname": 3740,
"FileHash-SHA256": 6746,
"FileHash-MD5": 619,
"FileHash-SHA1": 509,
"SSLCertFingerprint": 3,
"CVE": 8,
"CIDR": 5,
"email": 7
},
"indicator_count": 21915,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 238,
"modified_text": "778 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65eada25525805ad74c32b54",
"name": "(Cloned from OTX user) OTX pulses modified and deleted by ???",
"description": "",
"modified": "2024-04-06T11:00:59.869000",
"created": "2024-03-08T09:28:05.923000",
"tags": [
"referrer",
"execution",
"dropped",
"apple ios",
"contacted",
"partru",
"sneaky server",
"replacement",
"unauthorized",
"emotet",
"submission",
"alienvault",
"open threat",
"learn",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid file",
"google tag",
"gtmkvjvztk",
"anchor hrefs",
"urls",
"domains",
"registrar",
"ltd dba",
"com laude",
"markmonitor",
"ip detections",
"country",
"graph",
"hashes cape",
"sandbox",
"zenbox",
"files c",
"filesgoogle c",
"written c",
"extensions",
"process",
"created",
"processes tree",
"hour ago",
"scan endpoints",
"all scoreblue",
"report spam",
"modified",
"scan",
"iocs",
"learn more",
"hostname",
"filehashsha256",
"next",
"url https",
"url http",
"adriana1984 mar",
"role title",
"added active",
"related pulses",
"entries",
"united",
"asnone united",
"aaaa",
"simple secure",
"passive dns",
"search",
"showing",
"class",
"status",
"creation date",
"servers",
"name servers",
"date",
"title error",
"body",
"files ip",
"address",
"location united",
"asn asnone",
"nameservers",
"unknown",
"ddos",
"ipv4",
"pulse submit",
"url analysis"
],
"references": [
"David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)",
"b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk",
"Insecure headers found in search histories: games.com, microsoft.com, adrianafiore1984@gmail.com , secure.login.gov, static.secure.login.gov",
"https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k",
"https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2",
"https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js",
"https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr",
"Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\\u003c | http://www.microsoft.com/lin... |",
"http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact",
"https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__",
"login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate http://microsoft.com/link",
"https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)",
"https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js",
"https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2",
"https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8",
"https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr",
"server-18-161-6-16.hio52.r.cloudfront.net",
"http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)",
"http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs",
"Group commentators discussed profile link changed. Also,when some users utilize 'Suggested IoC's' , bulk IoC's' are deleted before able to be included",
"Noticed a few users have multiple accounts w/same name, different followers, different follower count. Love this tool. Have questions about potential attacks",
"A few haven't logged in in months or sometimes longer (life) notice pulses modified, missing or can't log in.",
"Email issue, virustotal also affected. Some having different IP's, different language, an American user VT ; telemetry content, strings, old browsers. Total menu change",
"Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1555.005",
"name": "Password Managers",
"display_name": "T1555.005 - Password Managers"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1162",
"name": "Login Item",
"display_name": "T1162 - Login Item"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65e9b2408fd9557692402b03",
"export_count": 42,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 260,
"FileHash-SHA1": 196,
"FileHash-SHA256": 1855,
"URL": 1204,
"domain": 225,
"hostname": 466,
"CVE": 2,
"email": 3
},
"indicator_count": 4211,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "785 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65e9b2408fd9557692402b03",
"name": "Why are OTX pulses modified and by whom when it's not the user?",
"description": "There are several OTC accounts that are experiencing unauthorized logins. Users have a common theme, keen awareness, learning from experiences, Apple , state, gov personal accounts of being hacked, have personal network/router , phone or relatives and.or associated (civil society) experiencing cyber attacks.Indicators are being removed at record pace. Some pulses have been deleted altogether. Threat actors are logging in as user by exploiting or creating a vulnerability on user device or login. From what I've learned , there is a history on user device. I hope I'm still allowed to use platform after this. I noticed some accounts were submitting and modifying 24/7. A user in a TH group forum discussed bulk deletion, non-public modified and deleted Pulses.",
"modified": "2024-04-06T11:00:59.869000",
"created": "2024-03-07T12:25:36.098000",
"tags": [
"referrer",
"execution",
"dropped",
"apple ios",
"contacted",
"partru",
"sneaky server",
"replacement",
"unauthorized",
"emotet",
"submission",
"alienvault",
"open threat",
"learn",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid file",
"google tag",
"gtmkvjvztk",
"anchor hrefs",
"urls",
"domains",
"registrar",
"ltd dba",
"com laude",
"markmonitor",
"ip detections",
"country",
"graph",
"hashes cape",
"sandbox",
"zenbox",
"files c",
"filesgoogle c",
"written c",
"extensions",
"process",
"created",
"processes tree",
"hour ago",
"scan endpoints",
"all scoreblue",
"report spam",
"modified",
"scan",
"iocs",
"learn more",
"hostname",
"filehashsha256",
"next",
"url https",
"url http",
"adriana1984 mar",
"role title",
"added active",
"related pulses",
"entries",
"united",
"asnone united",
"aaaa",
"simple secure",
"passive dns",
"search",
"showing",
"class",
"status",
"creation date",
"servers",
"name servers",
"date",
"title error",
"body",
"files ip",
"address",
"location united",
"asn asnone",
"nameservers",
"unknown",
"ddos",
"ipv4",
"pulse submit",
"url analysis"
],
"references": [
"David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)",
"b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk",
"Insecure headers found in search histories: games.com, microsoft.com, adrianafiore1984@gmail.com , secure.login.gov, static.secure.login.gov",
"https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k",
"https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2",
"https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js",
"https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr",
"Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\\u003c | http://www.microsoft.com/lin... |",
"http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact",
"https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__",
"login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate http://microsoft.com/link",
"https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)",
"https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js",
"https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2",
"https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8",
"https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr",
"server-18-161-6-16.hio52.r.cloudfront.net",
"http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)",
"http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs",
"Group commentators discussed profile link changed. Also,when some users utilize 'Suggested IoC's' , bulk IoC's' are deleted before able to be included",
"Noticed a few users have multiple accounts w/same name, different followers, different follower count. Love this tool. Have questions about potential attacks",
"A few haven't logged in in months or sometimes longer (life) notice pulses modified, missing or can't log in.",
"Email issue, virustotal also affected. Some having different IP's, different language, an American user VT ; telemetry content, strings, old browsers. Total menu change",
"Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1555.005",
"name": "Password Managers",
"display_name": "T1555.005 - Password Managers"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1162",
"name": "Login Item",
"display_name": "T1162 - Login Item"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 39,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 260,
"FileHash-SHA1": 196,
"FileHash-SHA256": 1855,
"URL": 1204,
"domain": 225,
"hostname": 466,
"CVE": 2,
"email": 3
},
"indicator_count": 4211,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "785 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cdac46a01234da94a42565",
"name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver",
"description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.",
"modified": "2024-03-16T05:00:42.461000",
"created": "2024-02-15T06:16:38.290000",
"tags": [
"dns resolutions",
"ip traffic",
"hashes",
"file type",
"name file",
"ip detections",
"country",
"search",
"zbot type",
"indicator role",
"active related",
"filehashsha256",
"entries",
"brian sabey",
"ssl certificate",
"contacted",
"resolutions",
"communicating",
"referrer",
"emotet emotet",
"malware emotet",
"http",
"emotet",
"whois record",
"contacted urls",
"bundled",
"threat roundup",
"historical ssl",
"execution",
"attack",
"probe",
"service",
"startpage",
"core",
"hiddentear",
"guid",
"ransomexx",
"azorult",
"lightning",
"ursnif",
"agent tesla",
"quasar",
"trickbot",
"project",
"remcos",
"evilnum",
"asyncrat",
"matanbuchus",
"cobalt strike",
"metro",
"intel",
"ms windows",
"pe32",
"show",
"trojan",
"copy",
"windows",
"read",
"write",
"february",
"delphi",
"win32",
"ransomware",
"united",
"unknown",
"as44273 host",
"moved",
"passive dns",
"gmt content",
"scan endpoints",
"all octoseek",
"pulse pulses",
"urls",
"body",
"date",
"encrypt",
"trojandropper",
"ipv4",
"virtool",
"junkpoly",
"worm",
"msie",
"chrome",
"status",
"creation date",
"servers",
"record value",
"javascript",
"please",
"june",
"august",
"malware",
"whois whois",
"njrat",
"ransomware",
"siblings domain",
"tulach",
"hallrender",
"cyber espionage",
"cyberstalking"
],
"references": [
"POD 18447 for Cox.xls",
"https://apps.apple.com/us/app/gambinos-pizza/id1500338496",
"https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed",
"1.download.windowsupdate.com [HiddenTear]",
"https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]",
"https://gronthoghor.com/xoe/qbot.zip \u2022",
"Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "HiddenTear",
"display_name": "HiddenTear",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ZBot",
"display_name": "ZBot",
"target": null
},
{
"id": "QBot",
"display_name": "QBot",
"target": null
},
{
"id": "Delphi",
"display_name": "Delphi",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 60,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5573,
"hostname": 1806,
"FileHash-SHA256": 5748,
"domain": 1677,
"FileHash-MD5": 349,
"FileHash-SHA1": 348,
"CVE": 3,
"email": 3
},
"indicator_count": 15507,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "806 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cdac3ba9d7f42c0ed9c46d",
"name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver",
"description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.",
"modified": "2024-03-16T05:00:42.461000",
"created": "2024-02-15T06:16:27.967000",
"tags": [
"dns resolutions",
"ip traffic",
"hashes",
"file type",
"name file",
"ip detections",
"country",
"search",
"zbot type",
"indicator role",
"active related",
"filehashsha256",
"entries",
"brian sabey",
"ssl certificate",
"contacted",
"resolutions",
"communicating",
"referrer",
"emotet emotet",
"malware emotet",
"http",
"emotet",
"whois record",
"contacted urls",
"bundled",
"threat roundup",
"historical ssl",
"execution",
"attack",
"probe",
"service",
"startpage",
"core",
"hiddentear",
"guid",
"ransomexx",
"azorult",
"lightning",
"ursnif",
"agent tesla",
"quasar",
"trickbot",
"project",
"remcos",
"evilnum",
"asyncrat",
"matanbuchus",
"cobalt strike",
"metro",
"intel",
"ms windows",
"pe32",
"show",
"trojan",
"copy",
"windows",
"read",
"write",
"february",
"delphi",
"win32",
"ransomware",
"united",
"unknown",
"as44273 host",
"moved",
"passive dns",
"gmt content",
"scan endpoints",
"all octoseek",
"pulse pulses",
"urls",
"body",
"date",
"encrypt",
"trojandropper",
"ipv4",
"virtool",
"junkpoly",
"worm",
"msie",
"chrome",
"status",
"creation date",
"servers",
"record value",
"javascript",
"please",
"june",
"august",
"malware",
"whois whois",
"njrat",
"ransomware",
"siblings domain",
"tulach",
"hallrender",
"cyber espionage",
"cyberstalking"
],
"references": [
"POD 18447 for Cox.xls",
"https://apps.apple.com/us/app/gambinos-pizza/id1500338496",
"https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed",
"1.download.windowsupdate.com [HiddenTear]",
"https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]",
"https://gronthoghor.com/xoe/qbot.zip \u2022",
"Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "HiddenTear",
"display_name": "HiddenTear",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ZBot",
"display_name": "ZBot",
"target": null
},
{
"id": "QBot",
"display_name": "QBot",
"target": null
},
{
"id": "Delphi",
"display_name": "Delphi",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 58,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5573,
"hostname": 1806,
"FileHash-SHA256": 5748,
"domain": 1677,
"FileHash-MD5": 349,
"FileHash-SHA1": 348,
"CVE": 3,
"email": 3
},
"indicator_count": 15507,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "806 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb4772c3d3ad1f7accc98a",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:53.179000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "808 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb476d935dd560b4a3e938",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.380000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "808 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb476d0566c2d07e474df5",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.140000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "808 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb4768b06f4da2fba5959b",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:44.270000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "808 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c1cdc5d695c35205593bde",
"name": "https://callback.mobileboost.me",
"description": "cobalt strike cnc, malware, network, execution, antivm_queries_computername, tulach, schema abuse, callback, contact, malicious, boost mobile, t-mobile, targets,Tsara, brashears, cyber threat, hacking, sabey, data center, cyber, cp",
"modified": "2024-03-07T05:01:03.052000",
"created": "2024-02-06T06:12:21.372000",
"tags": [
"passive dns",
"urls",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"files",
"domain",
"files ip",
"address domain",
"url https",
"http",
"files domain",
"files related",
"cname",
"united",
"unknown",
"nxdomain",
"a nxdomain",
"ssl certificate",
"contacted",
"whois record",
"resolutions",
"whois whois",
"historical ssl",
"referrer",
"problems",
"execution",
"subdomains",
"startpage",
"simda",
"first",
"utc submissions",
"submitters",
"psiusa",
"domain robot",
"csc corporate",
"domains",
"tucows",
"ltd dba",
"com laude",
"twitter",
"indonesia",
"installer",
"kgs0",
"kls0",
"redlinestealer",
"kangen",
"china telecom",
"group",
"computer",
"company limited",
"summary iocs",
"malware",
"network",
"obz4usfn0 http",
"contacted urls",
"gootloader",
"iframe",
"stus",
"cnus",
"regsetvalueexa",
"cobalt strike",
"search",
"regdword",
"ssl cert",
"tlsv1 apr",
"cobaltstrike",
"trojan",
"copy",
"write",
"june",
"win64",
"porkbun llc",
"mb opera",
"china unicom",
"tmobileas21928",
"graph community",
"china education",
"center",
"showing",
"entries"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1874,
"hostname": 2812,
"URL": 8308,
"FileHash-SHA256": 5549,
"FileHash-MD5": 364,
"FileHash-SHA1": 326,
"email": 3,
"SSLCertFingerprint": 1
},
"indicator_count": 19237,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "815 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659ab33e614882a4a7451ca8",
"name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/",
"description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears",
"modified": "2024-02-06T14:00:04.985000",
"created": "2024-01-07T14:20:46.936000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"algorithm",
"data",
"v3 serial",
"number",
"cus cnr3",
"olet",
"subject public",
"key info",
"key algorithm",
"key identifier",
"redacted for",
"privacy tech",
"privacy admin",
"date",
"server",
"country",
"organization",
"postal code",
"stateprovince",
"code",
"whois record",
"ssl certificate",
"historical ssl",
"whois whois",
"september",
"redline stealer",
"whois",
"threat roundup",
"bangladesh",
"communicating",
"prynt stealer",
"banker",
"keylogger",
"dtrack",
"prynt",
"name verdict",
"falcon sandbox",
"pattern match",
"jpeg image",
"jfif",
"ascii text",
"united",
"appdata",
"file",
"indicator",
"et tor",
"known tor",
"class",
"unknown",
"general",
"hybrid",
"local",
"win64",
"click",
"twitter",
"strings",
"generator",
"critical",
"error",
"trident",
"cascade",
"darpa",
"registrar",
"rdds service",
"record",
"registrant",
"admin",
"tech contact",
"whois service",
"form",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"headers nel",
"contentencoding",
"gmt connection",
"search",
"for privacy",
"status",
"showing",
"passive dns",
"urls",
"ionos se",
"creation date",
"next",
"aaaa",
"pulse pulses",
"files",
"united kingdom",
"whitelisted",
"worm",
"gmt contenttype",
"scan endpoints",
"all octoseek",
"ipv4",
"body",
"http",
"unique",
"screenshot",
"url http",
"ip address",
"internet se",
"emails",
"name servers",
"dnssec",
"as63949 linode",
"all search",
"otx octoseek",
"related nids",
"reverse dns",
"netherlands asn",
"contacted",
"resolutions",
"referrer",
"mirai malware",
"urls http",
"parent referrer",
"certificate",
"record value",
"entries",
"dynamicloader",
"yara rule",
"high",
"sinkhole cookie",
"et trojan",
"medium",
"yara detections",
"virtool",
"value snkz",
"less see",
"possible",
"august",
"copy",
"expiro",
"public folder",
"pictures",
"videos",
"music",
"anomalous file",
"media player",
"url https",
"delete c",
"ms windows",
"pe32",
"intel",
"windows nt",
"wow64",
"khtml",
"gecko",
"query",
"write",
"malware",
"template",
"findwindowa",
"ollydbg",
"regsetvalueexa",
"regdword",
"high process",
"x8bxe5",
"regbinary",
"injection t1055",
"t1055",
"zeppelin",
"win32",
"internal",
"malware beacon",
"a checkin",
"create c",
"read c",
"write c",
"msie",
"suspicious",
"slcc2",
"media center",
"as20940",
"as2914 ntt",
"as16625 akamai",
"a domains",
"cdata",
"script",
"as8068",
"mtb oct",
"location canada",
"trojanspy",
"xpire.info",
"searchmeup",
"cname",
"as35994 akamai",
"as14061",
"as9009 m247",
"samples",
"as25577 ide",
"hostnames",
"show",
"info compiler",
"products",
"vs2008 sp1",
"vs2008",
"vs2010",
"header target",
"machine intel",
"utc entry",
"point",
"sections",
"info",
"hashes c2ae",
"zenbox",
"detections file",
"name",
"html",
"win32 exe",
"javascript",
"contacted ip",
"ip detections",
"gandi sas",
"godaddy online",
"cayman",
"dynadot",
"domains",
"psiusa",
"domain robot",
"dynadot inc",
"net technology",
"tsara brashears",
"apple phone",
"unlocker",
"shell code",
"simda",
"amazon 02",
"metro",
"infected",
"qakbot"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Prynt",
"display_name": "Prynt",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Xpire.info",
"display_name": "Xpire.info",
"target": null
},
{
"id": "Searchmeup",
"display_name": "Searchmeup",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 31,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2129,
"FileHash-SHA1": 1459,
"FileHash-SHA256": 5050,
"URL": 7341,
"domain": 3041,
"hostname": 3214,
"email": 12,
"CVE": 1
},
"indicator_count": 22247,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "845 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659ab3389d6c91dc01801fe5",
"name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/",
"description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears",
"modified": "2024-02-06T14:00:04.985000",
"created": "2024-01-07T14:20:40.610000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"algorithm",
"data",
"v3 serial",
"number",
"cus cnr3",
"olet",
"subject public",
"key info",
"key algorithm",
"key identifier",
"redacted for",
"privacy tech",
"privacy admin",
"date",
"server",
"country",
"organization",
"postal code",
"stateprovince",
"code",
"whois record",
"ssl certificate",
"historical ssl",
"whois whois",
"september",
"redline stealer",
"whois",
"threat roundup",
"bangladesh",
"communicating",
"prynt stealer",
"banker",
"keylogger",
"dtrack",
"prynt",
"name verdict",
"falcon sandbox",
"pattern match",
"jpeg image",
"jfif",
"ascii text",
"united",
"appdata",
"file",
"indicator",
"et tor",
"known tor",
"class",
"unknown",
"general",
"hybrid",
"local",
"win64",
"click",
"twitter",
"strings",
"generator",
"critical",
"error",
"trident",
"cascade",
"darpa",
"registrar",
"rdds service",
"record",
"registrant",
"admin",
"tech contact",
"whois service",
"form",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"headers nel",
"contentencoding",
"gmt connection",
"search",
"for privacy",
"status",
"showing",
"passive dns",
"urls",
"ionos se",
"creation date",
"next",
"aaaa",
"pulse pulses",
"files",
"united kingdom",
"whitelisted",
"worm",
"gmt contenttype",
"scan endpoints",
"all octoseek",
"ipv4",
"body",
"http",
"unique",
"screenshot",
"url http",
"ip address",
"internet se",
"emails",
"name servers",
"dnssec",
"as63949 linode",
"all search",
"otx octoseek",
"related nids",
"reverse dns",
"netherlands asn",
"contacted",
"resolutions",
"referrer",
"mirai malware",
"urls http",
"parent referrer",
"certificate",
"record value",
"entries",
"dynamicloader",
"yara rule",
"high",
"sinkhole cookie",
"et trojan",
"medium",
"yara detections",
"virtool",
"value snkz",
"less see",
"possible",
"august",
"copy",
"expiro",
"public folder",
"pictures",
"videos",
"music",
"anomalous file",
"media player",
"url https",
"delete c",
"ms windows",
"pe32",
"intel",
"windows nt",
"wow64",
"khtml",
"gecko",
"query",
"write",
"malware",
"template",
"findwindowa",
"ollydbg",
"regsetvalueexa",
"regdword",
"high process",
"x8bxe5",
"regbinary",
"injection t1055",
"t1055",
"zeppelin",
"win32",
"internal",
"malware beacon",
"a checkin",
"create c",
"read c",
"write c",
"msie",
"suspicious",
"slcc2",
"media center",
"as20940",
"as2914 ntt",
"as16625 akamai",
"a domains",
"cdata",
"script",
"as8068",
"mtb oct",
"location canada",
"trojanspy",
"xpire.info",
"searchmeup",
"cname",
"as35994 akamai",
"as14061",
"as9009 m247",
"samples",
"as25577 ide",
"hostnames",
"show",
"info compiler",
"products",
"vs2008 sp1",
"vs2008",
"vs2010",
"header target",
"machine intel",
"utc entry",
"point",
"sections",
"info",
"hashes c2ae",
"zenbox",
"detections file",
"name",
"html",
"win32 exe",
"javascript",
"contacted ip",
"ip detections",
"gandi sas",
"godaddy online",
"cayman",
"dynadot",
"domains",
"psiusa",
"domain robot",
"dynadot inc",
"net technology",
"tsara brashears",
"apple phone",
"unlocker",
"shell code",
"simda",
"amazon 02",
"metro",
"infected",
"qakbot"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Prynt",
"display_name": "Prynt",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Xpire.info",
"display_name": "Xpire.info",
"target": null
},
{
"id": "Searchmeup",
"display_name": "Searchmeup",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 30,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2129,
"FileHash-SHA1": 1459,
"FileHash-SHA256": 5050,
"URL": 7341,
"domain": 3041,
"hostname": 3214,
"email": 12,
"CVE": 1
},
"indicator_count": 22247,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "845 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "658481716d9034bb0d52212d",
"name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network",
"description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.",
"modified": "2024-01-20T14:03:29.247000",
"created": "2023-12-21T18:18:25.746000",
"tags": [
"bitrep",
"learn",
"apple card",
"apple",
"apple store",
"apple tv",
"watch vision",
"airpods tv",
"apple watch",
"buy apple",
"apple trade",
"footer",
"media",
"find",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"malicious site",
"hostname",
"hostnames",
"detection list",
"blacklist",
"malware",
"alexa",
"ip address",
"whois record",
"ssl certificate",
"iocs",
"whois whois",
"historical ssl",
"communicating",
"threat network",
"ioc search",
"new ioc",
"teams api",
"contact",
"attack",
"probe",
"search",
"threat",
"paste",
"contacted",
"april",
"threat roundup",
"pe resource",
"lcid1033",
"smlen",
"spn647",
"bv6fet56ww",
"february",
"core",
"name verdict",
"falcon sandbox",
"threat analyzer",
"samples",
"generic malware",
"tag count",
"malware generic",
"tue dec",
"threat report",
"summary",
"first",
"http response",
"final url",
"status code",
"body length",
"kb body",
"sha256",
"self",
"server apple",
"connection",
"html info",
"title apple",
"meta tags",
"indextab og",
"apple og",
"spyware",
"plugins",
"cab",
"fraud urls",
"data collection",
"staged data",
"privilege escalation",
"defense evasion",
"evasive",
"stealthy",
"serial number",
"symantec time",
"stamping",
"algorithm",
"thumbprint",
"from",
"symantec sha256",
"sha256 code",
"signing ca",
"class",
"vhash",
"authentihash",
"imphash",
"rich pe",
"ssdeep",
"file type",
"win32 dll",
"magic pe32",
"intel",
"ms windows",
"compiler",
"vs2008",
"rticon english",
"vs2005",
"chi2",
"contained",
"info compiler",
"products",
"header target",
"machine intel",
"utc entry",
"floxif",
"serving ip",
"address",
"headers nel",
"dynamic expires",
"gmt server",
"file sharing",
"personal data"
],
"references": [
"https://www.apple.com/qtactivex/qtplugin.cab",
"https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]",
"http://www.screensaver.com/ruxitbeacon",
"https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]",
"http://dns1.whitelist.camect.com [interesting]",
"https://www.jbits.courts.state.co [interesting]",
"http://www.sos.state.co/ [interesting]",
"https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary",
"https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary",
"Crowdsourced YARA Rulesets",
"Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems",
"Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security",
"Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth",
"https://www.malwarebytes.com/blog/detections/trojan-floxif",
"20.190.160.2 Microsoft [exploit_source]",
"20.190.160.67 Microsoft [exploit_source]",
"20.190.160.73 Microsoft [exploit_source]",
"watson.events.data.microsoft.com [traffic manager]",
"http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]",
"watson.telemetry.microsoft.us [Data traffic manager]",
"www.anyxxxtube.net [tracking]",
"https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Apple",
"display_name": "Apple",
"target": null
}
],
"attack_ids": [
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 609,
"FileHash-SHA1": 361,
"FileHash-SHA256": 1977,
"domain": 460,
"hostname": 992,
"URL": 3115
},
"indicator_count": 7514,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "862 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a161f0681f4ff3d67feb",
"name": "Pool's Closed (by @scnrscnr)",
"description": "",
"modified": "2023-12-06T16:29:21.844000",
"created": "2023-12-06T16:29:21.844000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 7844,
"FileHash-MD5": 562,
"FileHash-SHA1": 429,
"URL": 22749,
"hostname": 9461,
"domain": 4578,
"SSLCertFingerprint": 20,
"CIDR": 32,
"email": 3,
"CVE": 2
},
"indicator_count": 45680,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "907 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a145926a5676de0e2a1a",
"name": "Pool's Closed (by @scnrscnr)",
"description": "",
"modified": "2023-12-06T16:28:53.979000",
"created": "2023-12-06T16:28:53.979000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 7844,
"FileHash-MD5": 562,
"FileHash-SHA1": 429,
"URL": 22749,
"hostname": 9461,
"domain": 4578,
"SSLCertFingerprint": 20,
"CIDR": 32,
"email": 3,
"CVE": 2
},
"indicator_count": 45680,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "907 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a0730b6595444a3fdd98",
"name": "High Priority \u2206 Virus:Win32/Neshta.A || Yara Detection MAL_Netsha_Mar20_1 , Delphi",
"description": "",
"modified": "2023-12-06T16:25:23.940000",
"created": "2023-12-06T16:25:23.940000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 360,
"FileHash-MD5": 441,
"FileHash-SHA256": 1564,
"domain": 89,
"URL": 694,
"FileHash-SHA1": 428,
"SSLCertFingerprint": 5
},
"indicator_count": 3581,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "907 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657095e8a38dccaa9c0dfd29",
"name": "escaneo spam, bots y anonimizacion din\u00e1mica diciembre",
"description": "",
"modified": "2023-12-06T15:40:24.674000",
"created": "2023-12-06T15:40:24.674000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 615,
"CVE": 2,
"domain": 553,
"hostname": 915,
"URL": 2004
},
"indicator_count": 4089,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "907 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657081a5d60fafd1374f007d",
"name": "| 35.241.45.82",
"description": "",
"modified": "2023-12-06T14:13:57.431000",
"created": "2023-12-06T14:13:57.431000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"FileHash-SHA256": 1091,
"domain": 281,
"hostname": 867,
"URL": 3341,
"FileHash-SHA1": 523,
"FileHash-MD5": 166
},
"indicator_count": 6270,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "907 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65707bf3841fe9f857870735",
"name": "Jack Posobiec\u2019s Pay-share.com Bonanza",
"description": "",
"modified": "2023-12-06T13:49:39.465000",
"created": "2023-12-06T13:49:39.465000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3887,
"hostname": 1423,
"domain": 675,
"FileHash-SHA256": 2044,
"FileHash-MD5": 245,
"FileHash-SHA1": 212,
"CIDR": 18,
"email": 10,
"CVE": 3,
"SSLCertFingerprint": 6
},
"indicator_count": 8523,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "907 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65707b9630308cb99a817277",
"name": "Pool's Closed",
"description": "",
"modified": "2023-12-06T13:48:06.514000",
"created": "2023-12-06T13:48:06.514000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 7844,
"FileHash-MD5": 562,
"FileHash-SHA1": 429,
"URL": 22749,
"hostname": 9461,
"domain": 4578,
"SSLCertFingerprint": 20,
"CIDR": 32,
"email": 3,
"CVE": 2
},
"indicator_count": 45680,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "907 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64e572236d40e24baf4ad2d0",
"name": "High Priority \u2206 Virus:Win32/Neshta.A || Yara Detection MAL_Netsha_Mar20_1 , Delphi",
"description": "Win32/Neshta.A is a highly destructive file infector. No permissions. The virus downloads itself without obvious detection. Persistence. Changes default value of registry. The virus searches local drives for files, injection of malice virus code. Can render device a zombie even after all infected files are removed.\nTargets Windows systems.\nPEXE - PE32 executable (GUI) Intel 80386, for MS Windows\nMALICIOUS \nWin32:Apanas\\ [Trj]\nWin.Trojan.Neshuta-1\nVirus:Win32/Neshta.A\nYara Detections\nMAL_Netsha_Mar20_1\nDelphi\nAlerts\nnetwork_icmp\npersistence_autorun\nmodifies_certificates\ninjection_resumethread\ndumped_buffer\nnetwork_http\nsuspicious_tld\nallocates_rwx\ncreates_exe\ndropper",
"modified": "2023-09-22T03:02:56.838000",
"created": "2023-08-23T02:42:43.850000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1358,
"FileHash-SHA1": 1314,
"FileHash-SHA256": 6030,
"hostname": 558,
"domain": 271,
"URL": 1145,
"SSLCertFingerprint": 15
},
"indicator_count": 10691,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "982 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"",
"trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758",
"Malware Families: VirTool:Win32/Injector TrojanDownloader:Win32/Upatre Unix VirTool:Win32/Obfuscator Win.Dropper.LokiBot-9975730-0",
"Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses",
"https://es.pornhat.com/models/the-sex-creator/",
"Alerts: dead_host network_icmp nolookup_communication disables_proxy modifies_certificates modifies_proxy_wpad",
"Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"https://m.bigwetbutts.com/ tmi",
"https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details",
"IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"IDS Detections: TLS Handshake Failure Yara Detections: Nullsoft_NSIS",
"Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile",
"Related Tags: https://www.virustotal.com/graph/embed/g17b255d00de64c0faa707968 [OG:dorkingbeauty | Cloned: StreaminingEx]",
"Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.",
"https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales",
"watson.events.data.microsoft.com [traffic manager]",
"https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark",
"Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"IDS Detections: Windows 98 User-Agent Detected - Possible Malware or Non-Updated System Unsupported/Fake Internet Explorer Version MSIE 5.",
"Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
"networkservice.exe: Matches rule SERVER-OTHER Spring Data Commons remote code execution attempt",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07",
"https://apps.apple.com/us/app/gambinos-pizza/id1500338496",
"https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html",
"Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc",
"Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.",
"http://www.sos.state.co/ [interesting]",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001",
"Pool's Closed",
"checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon",
"http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022",
"https://pegasusm2.bullsbikesusa.com",
"Malware Families: Win.Dropper.LokiBot-9975730-0 #LowFiEnableDTContinueAfterUnpacking #LowFiMalf_gen Worm:Win32/Mofksys",
"There is fear in silence or speaking out",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"Unix.Malware.Generic: Yara Detections: is__elf , UPXProtectorv10x2 , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"wallet.mewards.bing.com | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | wallpapers-nature.com",
"IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
"Unix.Malware.Generic: Observed DNS Query for Israel Domain (.il) | Alerts: cape_detected_threat",
"iamrobert.com Y.A.S.",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"www.opencandy.com",
"Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"Yara Detections: Delphi",
"Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth",
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"QuantumFiber.com a 2nd look",
"https://www.mlkfoundation.net/ (Foundry DGA)",
"TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
"Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120",
"https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU",
"Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69",
"https://www.jbits.courts.state.co [interesting]",
"Target also owned an online brokerage & lead company, was agent & insurance marketer for years.",
"20.190.160.67 Microsoft [exploit_source]",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"http://www.screensaver.com/ruxitbeacon",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339",
"https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"Yara Detections : compromised_site_redirector_fromcharcode",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3",
"South Africa based: remote.advisoroffice.com",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems",
"Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI",
"Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77",
"Researched publicly available information provided by representative of a target\u2019s estate",
"https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing",
"Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc",
"server-18-161-6-16.hio52.r.cloudfront.net",
"You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.",
"hmmm\u2026http://palander.stjernstrom.se/",
"mastodon.social",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security",
"Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.",
"https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
"https://families.google/intl/pt-PT_ALL/familylink/",
"nexus.b2btest.ertelecom.ru",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69",
"Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320",
"Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )",
"Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
"Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV",
"Email issue, virustotal also affected. Some having different IP's, different language, an American user VT ; telemetry content, strings, old browsers. Total menu change",
"Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.",
"[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov",
"https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
"Noticed a few users have multiple accounts w/same name, different followers, different follower count. Love this tool. Have questions about potential attacks",
"https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6",
"https://gronthoghor.com/xoe/qbot.zip \u2022",
"Contact Information | The University of British Columbia",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://passwords.google/?utm_medium=hpp&utm",
"https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark",
"https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net",
"IDS Detections: Observed Suspicious UA (Mozilla/5.0) Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)",
"Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\\u003c | http://www.microsoft.com/lin... |",
"http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs",
"Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"192.96.223.11 - sectorlink.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b",
"https://discuss.ai.google.dev/c/gemma/10",
"https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark",
"1.organization.api.powerplatform.partner.microsoftonline.cn",
"IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
"https://www.malwarebytes.com/blog/detections/trojan-floxif",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"1.download.windowsupdate.com [HiddenTear]",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2",
"http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.",
"20.190.160.73 Microsoft [exploit_source]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"M9 W32/Emotet CnC Checkin M3",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8",
"Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net",
"login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate http://microsoft.com/link",
"https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
"f.search schema.org t.final",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
"acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"workers.dev [extraction \u2022 GET request attack]",
"https://www.apple.com/qtactivex/qtplugin.cab",
"Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes",
"Query to a *.top domain - Likely Hostile Query for .cc TLD",
"www.ubc.ca",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"152.199.161.19: ANS Communications, Inc (ANS)",
"'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.",
"https://meumundogay-com.sexogratis.page/locker",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Win.Dropper.LokiBot-9975730-0",
"https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420",
"13.107.21.200 Bat.Bing - Trojan:Win32/Qbot | ALF:Ransom:Win32/Babax | Worm:Win32/Mofksys | ALF:Program:Win32/Webcompanion",
"watson.telemetry.microsoft.us [Data traffic manager]",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
"http://remote.edikamin.com/",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"http://Object.prototype.hasOwnProperty.call",
"Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect",
"http://deposito.hostance.net/dialer/",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"Malware Families: ALF:Trojan:Win32/FormBook AWS PDF:UrlMal-inf\\ [Trj] Trojan:Win32/Qbot Unix.Malware.Generic-9875933-0",
"tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark",
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"System has placed affected on multiple policies cancelling private policy without notice.",
"http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)",
"FormBook IP: 142.251.211.243",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"remotewd.com x 34 devices",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]",
"https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690",
"Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
"spph.ca",
"Crowdsourced YARA Rulesets",
"www.onyx-ware.com \u2022 https://www.endgamesystems.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"CVE: CVE-2023-23397",
"152.199.171.19 : USDA Fort Collins, Colorado",
"checkip.dyndns.org [command and control]",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad",
"[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov",
"http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"Win.Keylogger.Banbra FileHash-SHA256 94517bb37a8ebe48a06a64b20237e287101bc93bbc840bf6e1ab7dfb28a2da5a",
"Alerts: network_icmp modifies_proxy_wpad multiple_useragents injection_resumethread",
"http://dns1.whitelist.camect.com [interesting]",
"https://twitter.com/PORNO_SEXYBABES",
"Yara Detections PEtite24",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"Unix.Malware.Generic:",
"https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
"ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
"144.76.108.82 [scanning host]",
"Pool Closed",
"Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net",
"Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.",
"Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window",
"acc.lehigtapp.com - malware",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]",
"Target agreed and complied with all lie detector measures.",
"Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022",
"If someone is believed to be a threat they have right to due process.",
"https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27",
"Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"IDS Detections: Win32.Lexip Checkin Unsupported/Fake FireFox Version 2.",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"I am very upset. Whoever is doing this is sick.",
"Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)",
"ssa-gov.authorizeddns",
"I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b",
"Group commentators discussed profile link changed. Also,when some users utilize 'Suggested IoC's' , bulk IoC's' are deleted before able to be included",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key",
"20.190.160.2 Microsoft [exploit_source]",
"http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]",
"Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"POD 18447 for Cox.xls",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.",
"IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
"Tulach! It's been a minute - 114.114.114.114",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov",
"If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI",
"Mirai: simswap.in",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains",
"https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"Alerts: ransomware_dropped_files ransomware_mass_file_delete antivm_vmware_in_instruction",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"Can the DoD no questions asked target a SA victim",
"David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/",
"rmhumanservices.org",
"Researched: https://hcpf.colorado.gov/",
"Virustotal - google.com.uy",
"https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary",
"Yara Detections: osx_GoLang",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"nr-data.net [Apple Private Data Collection]",
"IDS Detections: Win32/Adware.Ymeta.A CnC Beacon Win32/Adware.Ymeta.A CnC Win32/Adware.Ymeta Variant Activity",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"millet-usgc-1.palantirfedstart.com",
"simswap.in (possible Mirai or relationship to)",
"https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"Self whitelisting tool, domains moved within nginx.",
"https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark",
"www.anyxxxtube.net [tracking]",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61",
"https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b",
"Provided documented evidence of appealed state issued plan and disclosed financials.",
"http://micrologin.ogspy.net/track/dhl-information-contact.html",
"http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"ubc.ca",
"Malware Families: ALF:PUA:Block:IObit ALF:Program:Win32/Webcompanion ALF:Ransom:Win32/Babax Win.Keylogger.Banbra-9936388-0",
"'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"Unix.Malware.Generic: IDS Detections Generic.Go.Bruteforcer CnC Beacon Generic.Go.Bruteforcer Receiving Config",
"Win.Dropper.LokiBot-9975730-0 FileHash-SHA256 8f65d7817731cf1b7fada1be16d85464383813dd1f0388a933cec2abbeda4ba9",
"September began with false information, defaulted claims , denials from authorized services rendered years prior.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring",
"Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.",
"sex-ukraine.net",
"b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk",
"https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"What's going on here judiciary? Karen - cisa.gov? e.final",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
"https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA",
"Insecure headers found in search histories: games.com, microsoft.com, adrianafiore1984@gmail.com , secure.login.gov, static.secure.login.gov",
"https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed",
"https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k",
"https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]",
"Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052",
"A few haven't logged in in months or sometimes longer (life) notice pulses modified, missing or can't log in.",
"ddos.dnsnb8.net [command_and_control]",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"CA-2020-01-12 05-18-26088DE56F-E544B574-D3166097-17FA11BC-45321A6D-v33.zip",
"https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
"Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"chinaeast2.admin.api.powerautomate.cn",
"YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"Alerts: cape_detected_threat cape_extracted_content",
"www.supernetforme.com [command_and_control]",
"https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr",
"Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
"Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"APT 10",
"Blind Eagle"
],
"malware_families": [
"Artro",
"Xpire.info",
"Win.keylogger.banbra-9936388-0",
"Wannacry",
"Sf:agent-dq\\ [trj]",
"Trojandownloader:win32/banload.d",
"#exploit:win32/cve- 2023 - 23397",
"Qbot",
"Hematite",
"Ransomexx",
"Virtool:win32/injector.gen!bq",
"Bancos",
"Win.trojan.emotet-9951800-0",
"Alf:heraklezeval:pua:win32/keygen",
"Trojandropper:win32/hupigon.gen!a",
"Blacknet",
"Bulz",
"Asacky",
"Lizar",
"Trojan:win32/antavmu.d",
"Trojanspy:win32/banker.ly",
"Virtool:win32/autinject.cz!bit",
"#lowfi:hstr:virtool:win32/gendecnryptalgo.s02",
"Win32:evo-gen",
"Sality",
"Alf:program:win32/webcompanion",
"Lolkek",
"Win32:trojanx-gen\\ [trj]",
"Hallrender",
"Tofsee",
"Trojan:win32/startpage.aea",
"Trojan:win32/qbot.r!mtb",
"Onelouder",
"Project nemesis",
"Delphi",
"Malware",
"Installer",
"Ransom:win32/stopcrypt.ak!mtb",
"Win.malware.jaik-9968280-0",
"Formbook",
"Trojan:msil/trojandropper",
"Trojanspy",
"Rokrat",
"Fragtor",
"Andromeda",
"Qakbot",
"Alf:jasyp:trojandownloader:win32/quireap!atmn",
"Worm:win32/mofksys",
"Ymacco",
"Psw.generic13",
"Alf:ransom:win32/babax",
"Banload",
"Quasar",
"Trojandropper:win32/bcryptinject.b!msr",
"Trojanspy:win32/nivdort.cw",
"!#addscopy-tostartup",
"Win.trojan.adinstall-2",
"Alf:trojan:win32/formbook",
"Prynt",
"Win32:dropper",
"Lockbit",
"Virtool:win32/injector",
"Zbot",
"Target saver",
"Makop",
"Trojan.bayrob/lazy",
"Trojan:win32/zombie.a",
"Warzonerat - s0670",
"Emotet",
"Sabey",
"Win.ransomware.bitman-9862733-0",
"Win.trojan.agent-316098",
"Dialer",
"Cve-2023-22518",
"Aws",
"Cobalt strike",
"#lowfienabledtcontinueafterunpacking",
"Win32:bankerx-gen\\ [trj]",
"Malwarex",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Searchmeup",
"Apple",
"Virtool:win32/obfuscator",
"Win32:cleaman-k\\ [trj]",
"Trojandownloader:win32/upatre!rfn",
"Nivdort checkin",
"Unix",
"Hiddentear",
"Trojan:win32/vflooder!rfn",
"Alf:pua:block:iobit",
"Trojan:win32/comisproc!gmb",
"Win.trojan.nanocore-5",
"Win.trojan.tofsee-9770082-1",
"Carbanak",
"Pegasus",
"Unix.malware.generic-9875933-0",
"Domino",
"Trojan:win32/diamin.f",
"Ursnif",
"Trojandownloader:win32/upatre.a",
"Win32:malwarex",
"Backdoor:win32/plugx.n!dha",
"Win.dropper.lokibot-9975730-0",
"Luhe.fiha.a",
"Foundry",
"Apt 10",
"Ryuk ransomware",
"Trojan:win32/qbot",
"Upatre",
"Alf:pulzati:worm:win32/mydoom",
"Trojan:bat/musecador",
"Virtool:win32/ceeinject.akz!bit",
"Pua.optimizerpro/pcoptimizerpro",
"Atros.upk",
"Apnic",
"Trojandropper:win32/vb.il",
"Koobface",
"Hacktool",
"Win32:evo",
"Win32:trojan",
"Tulach",
"Sova",
"Win.malware.installcore-6950365-0",
"Trojandownloader:win32/upatre",
"#lowfimalf_gen",
"Slf:trojan:win32/grandoreiro.a",
"Hallgrand",
"Pdf:urlmal-inf\\ [trj]",
"Win32:dropperx-gen\\ [drp]",
"Malware + code overlap",
"Win32:cabmod\\ [drp]",
"Bayrob",
"Other:malware-gen\\ [trj]",
"Maltiverse"
],
"industries": [
"Technology",
"Financial",
"Telecommunications",
"Media",
"Education",
"Legal",
"Hospitality",
"Ad fraud",
"Healthcare",
"Government",
"Golfing"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "69fc1b9d02d8ebe162913b74",
"name": "Credit: OctoSeek -2yrs ago [Zombie.A \u2022 Bayrob in fake malware information website.]",
"description": "",
"modified": "2026-05-07T05:03:23.418000",
"created": "2026-05-07T04:57:01.616000",
"tags": [
"ukraine",
"referrer",
"deploys fake",
"uue files",
"fsociety",
"target colombia",
"judiciary",
"financial",
"public",
"tools",
"sector",
"mexico",
"aka xloader",
"html",
"html info",
"title",
"meta tags",
"google tag",
"utc gnr5gzhd545",
"utc na",
"utc aw944900006",
"utc linkedin",
"formbook",
"accept",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"apache",
"so funny",
"click",
"urls",
"passive dns",
"http",
"unique",
"scan endpoints",
"all octoseek",
"url http",
"ip address",
"related nids",
"code",
"united",
"as54113",
"unknown",
"aaaa",
"as15169 google",
"as46691",
"status",
"cname",
"search",
"whitelisted",
"body",
"date",
"msil",
"meta",
"third-party-cookies",
"iframes",
"external-resources",
"text/html",
"trackers",
"end game",
"name servers",
"select contact",
"domain holder",
"nexus category",
"creation date",
"showing",
"date hash",
"avast avg",
"trojan",
"mtb may",
"dynamicloader",
"high",
"medium",
"yara detections",
"sniffs",
"attempts",
"alternate data",
"stream",
"a foreign",
"cultureneutral",
"get na",
"show",
"delete c",
"entries",
"cape",
"delete",
"default",
"copy",
"nivdort",
"write",
"trojanspy",
"bayrob",
"malware",
"eagle eyed",
"nonads",
"path max",
"age86400 set",
"cookie",
"script urls",
"type",
"script script",
"win32 exe",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"exe32",
"compiler",
"vs98",
"contained",
"simplified",
"info compiler",
"products",
"sp6 build",
"header intel",
"name md5",
"language",
"not found",
"rules not",
"mitre",
"info ids",
"found sigma",
"found",
"files not",
"found network",
"getlasterror",
"icons library",
"os2 executable",
"files",
"file type",
"kb file",
"name",
"type name",
"ip detections",
"country",
"gandi sas",
"dynadot",
"enom",
"namecheap",
"dynadot inc",
"namecheap inc",
"dynadot llc",
"domains",
"tucows domains",
"melbourne it",
"historical ssl",
"realteck audio",
"problems",
"lemon duck",
"iocs",
"sneaky server",
"replacement",
"unauthorized",
"windows",
"windir",
"samplepath",
"user",
"process",
"created",
"shell commands",
"windefend",
"created bus",
"tree",
"registry keys",
"reports upgrade",
"keys set",
"upgradestart",
"dword",
"data registry",
"keys deleted",
"reports",
"get http",
"request",
"http requests",
"ip traffic",
"dns resolutions",
"resolutions",
"mitre att",
"defense evasion",
"ta0007 command",
"control ta0011",
"impact ta0034",
"impact ta0040",
"graph",
"bundled files",
"name file",
"contacted ip",
"users",
"number",
"ascii text",
"crlf line",
"database",
"english",
"tue jun",
"installer",
"template",
"tulach",
"rexxfield",
"milesit",
"cp",
"self deleting",
"stuff",
"copying",
"packages found",
"targeting major",
"injects ads",
"into search",
"results",
"overlay",
"text",
"win32 dll",
"javascript",
"db2maestro",
"open ports",
"ipv4",
"pulse submit",
"url analysis",
"expiration date",
"hostname",
"next",
"ten process",
"utc facebook",
"utc google",
"title ten",
"blog meta",
"tags",
"elastic blog",
"bing ads",
"as8068",
"certificate",
"otx telemetry",
"ref b",
"record value",
"emails",
"please",
"win32",
"x msedge",
"pulse pulses",
"no data",
"tag count",
"analyzer threat",
"url summary",
"ip summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"cisco umbrella",
"site",
"alexa top",
"safe site",
"mail spammer",
"million",
"malware site",
"phishing site",
"malicious site",
"bank",
"fuery",
"unsafe",
"malicious",
"alexa",
"zbot",
"asn as16625",
"akamai",
"less",
"is2osecurity",
"domain name",
"active",
"as21342",
"domain",
"location israel",
"asn as1680",
"invalid url",
"body html",
"head title",
"title head",
"body h1",
"reference",
"log id",
"gmtn",
"digicert tls",
"rsa sha256",
"tls web",
"full name",
"digicert inc",
"organization",
"district",
"columbia",
"false",
"as20940",
"as16625 akamai",
"as8987 amazon",
"moved",
"as1680 cellcom",
"alerts",
"related pulses",
"guard",
"dynamic",
"reads",
"https link",
"as8075",
"record type",
"ttl value",
"redacted for",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"server",
"email",
"office open",
"ms word",
"document",
"xml document",
"xml spreadsheet",
"email trash",
"rich text",
"pdf tripwire",
"fall",
"whois lookups",
"contact email",
"blind eagle",
"brian sabey"
],
"references": [
"https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png",
"https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690",
"ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc",
"Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc",
"Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77",
"Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320",
"Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect",
"Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile",
"IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden",
"Alerts: cape_detected_threat cape_extracted_content",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07",
"TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c",
"Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69",
"Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07",
"Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120",
"Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net",
"Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net",
"https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc",
"trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758",
"Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019",
"Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038",
"Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis",
"Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001",
"Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022",
"Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001",
"Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052",
"Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003",
"Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus",
"Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses",
"Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst",
"Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP",
"http://Object.prototype.hasOwnProperty.call",
"Tulach! It's been a minute - 114.114.114.114",
"What's going on here judiciary? Karen - cisa.gov? e.final",
"f.search schema.org t.final",
"ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov",
"[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov",
"[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov",
"[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml",
"Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window",
"https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net",
"Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV"
],
"public": 1,
"adversary": "Blind Eagle",
"targeted_countries": [
"United States of America",
"Colombia",
"Netherlands",
"Israel"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn",
"target": null
},
{
"id": "TrojanSpy:Win32/Nivdort.CW",
"display_name": "TrojanSpy:Win32/Nivdort.CW",
"target": "/malware/TrojanSpy:Win32/Nivdort.CW"
},
{
"id": "Bayrob",
"display_name": "Bayrob",
"target": null
},
{
"id": "trojan.bayrob/lazy",
"display_name": "trojan.bayrob/lazy",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0030",
"name": "Defense Evasion",
"display_name": "TA0030 - Defense Evasion"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6683aae863ba601bac1a28b5",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1167,
"FileHash-SHA1": 738,
"FileHash-SHA256": 3074,
"URL": 1019,
"domain": 1640,
"hostname": 973,
"email": 12,
"SSLCertFingerprint": 2,
"URI": 2
},
"indicator_count": 8627,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a9cd444aa144401d0c4988",
"name": "Pools Open",
"description": "",
"modified": "2026-04-15T19:21:28.851000",
"created": "2026-03-05T18:36:52.014000",
"tags": [
"Timothy Pool",
"Christopher Pool",
"Pool's Closed"
],
"references": [
"Pool Closed",
"Pool's Closed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Media",
"ad fraud"
],
"TLP": "white",
"cloned_from": "5fa57698ac0f6638b7b9a8ba",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 8098,
"URL": 23428,
"hostname": 9592,
"domain": 4727,
"SSLCertFingerprint": 22,
"FileHash-MD5": 696,
"FileHash-SHA1": 457,
"CIDR": 78,
"email": 3,
"CVE": 2
},
"indicator_count": 47103,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "46 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68db395368d6c4042517f3f3",
"name": "Target Saver M1 Agent TSA Spy \u2022 Mastadon - Hit Tip! Thanks!",
"description": "Hot Tip! I would love to give a shout out to the person who provided this information, I\u2019m not sure if they want to remain anonymous or not. Thank SO Much!\n\nSpyware and a source for distributing malicious media. Complete foothold\non networks, browsers, phones, search history and everything, massive streaming pornography distributed, members and contributors. \n\nVery important tip. I will analyze and break down into digestible pulse sizes.",
"modified": "2025-12-27T15:01:22.545000",
"created": "2025-09-30T01:58:43.592000",
"tags": [
"http traffic",
"match info",
"http get",
"info performs",
"dns query",
"https http",
"mitre att",
"evasion ta0005",
"creates",
"info",
"oc0006 http",
"wininet c0005",
"resolved ips",
"get http",
"html document",
"unicode text",
"dynamicloader",
"fe ff",
"medium",
"x00bx00",
"uswv",
"k uswv",
"search",
"high",
"delete c",
"yara detections",
"redline",
"guard",
"write",
"united",
"present sep",
"aaaa",
"passive dns",
"urls",
"next associated",
"found",
"x content",
"hacktool",
"trojan",
"error",
"lowfi",
"win32",
"worm",
"ip address",
"mtb apr",
"ransom",
"virtool",
"ain add",
"directui",
"element",
"classinfobase",
"ccbase",
"hwndhost",
"yara rule",
"hpavvalue",
"qaejh",
"name servers",
"cryp",
"emails",
"next related",
"domain related",
"no expiration",
"url http",
"url https",
"indicator role",
"hostname",
"email",
"present jun",
"present aug",
"present jul",
"servers",
"title",
"encrypt",
"altsvc h3",
"date tue",
"acceptranges",
"reportto",
"server",
"gmt expires",
"gmt contenttype",
"script",
"expiresthu",
"maxage63072000",
"pragma",
"google safe",
"unknown ns",
"files",
"location united",
"asn as15169",
"trojandropper",
"susp",
"creation date",
"asn as133618",
"tags",
"related tags",
"indicator facts",
"backdoor",
"ipv4 add",
"click",
"artro",
"target saver",
"trojanspy",
"reverse dns",
"america flag",
"443 ma2592000",
"hostname add",
"verdict",
"present mar",
"present jan",
"present dec",
"present apr",
"ipv4",
"type indicator",
"role title",
"related pulses",
"iocs",
"moved",
"downloads",
"apple",
"microsoft",
"hexagonsystem",
"mastadon",
"status",
"twitter",
"gmt content",
"easyredir cache",
"v4 add",
"redacted for",
"privacy tech",
"privacy admin",
"registrar abuse",
"available from",
"algorithm",
"key identifier",
"x509v3 subject",
"entity",
"code",
"date",
"dnssec",
"showing",
"unknown aaaa",
"sha256",
"sha1",
"ascii text",
"ck id",
"show technique",
"ck matrix",
"meta",
"hybrid",
"general",
"local",
"path",
"strings",
"copy md5",
"copy sha1",
"copy sha256",
"certificate"
],
"references": [
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"mastodon.social",
"https://families.google/intl/pt-PT_ALL/familylink/",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"https://discuss.ai.google.dev/c/gemma/10",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"https://m.bigwetbutts.com/ tmi",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"Mirai: simswap.in",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"display_name": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"target": null
},
{
"id": "Win.Ransomware.Bitman-9862733-0",
"display_name": "Win.Ransomware.Bitman-9862733-0",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Target Saver",
"display_name": "Target Saver",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Hacktool",
"display_name": "Hacktool",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Media",
"Legal",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2964,
"hostname": 1164,
"URL": 4334,
"domain": 956,
"FileHash-MD5": 476,
"FileHash-SHA1": 451,
"CVE": 1,
"email": 20,
"SSLCertFingerprint": 2
},
"indicator_count": 10368,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 148,
"modified_text": "155 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "5fa57698ac0f6638b7b9a8ba",
"name": "Pool's Closed",
"description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.",
"modified": "2025-12-27T05:02:34.910000",
"created": "2020-11-06T16:15:20.139000",
"tags": [
"Timothy Pool",
"Christopher Pool",
"Pool's Closed"
],
"references": [
"Pool Closed",
"Pool's Closed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Media",
"ad fraud"
],
"TLP": "white",
"cloned_from": null,
"export_count": 61,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 4,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scnrscnr",
"id": "126475",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 8098,
"URL": 23426,
"hostname": 9590,
"domain": 4727,
"SSLCertFingerprint": 22,
"FileHash-MD5": 696,
"FileHash-SHA1": 457,
"CIDR": 78,
"email": 3,
"CVE": 2
},
"indicator_count": 47099,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 133,
"modified_text": "155 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "174 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68feb98a8c1b75b4431a3e8e",
"name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?",
"description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.",
"modified": "2025-11-25T20:05:31.749000",
"created": "2025-10-27T00:15:06.191000",
"tags": [
"html internet",
"html document",
"ascii text",
"language",
"cve202323397",
"iframe tags",
"tag manager",
"gtmkvjvztk",
"anchor hrefs",
"info ta0011",
"protocol",
"layer protocol",
"port",
"t1571 encrypted",
"channel",
"t1573 malware",
"tree",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"resolved ips",
"user",
"data",
"datacrashpad",
"edge",
"v full",
"reports v",
"chrome u",
"appdata local",
"googlechrome u",
"u ser",
"cname",
"ip address",
"http",
"accept",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"shutdown",
"extraction",
"suggested iocs",
"data upload",
"cry dee",
"stop",
"type",
"url indicator",
"enter",
"failed",
"se share",
"extrac",
"enter so",
"passive dns",
"urls",
"hostname add",
"pulse pulses",
"files",
"domain",
"files ip",
"address",
"location united",
"asn as20473",
"dynamicloader",
"directui",
"write c",
"intel",
"ms windows",
"pe32",
"element",
"delete c",
"document file",
"v2 document",
"explorer",
"trojandropper",
"write",
"markus",
"august",
"movie",
"insert",
"pulse submit",
"url analysis",
"asn as8068",
"united",
"entries",
"body",
"please",
"x msedge",
"ipv4 add",
"present sep",
"present oct",
"present feb",
"status",
"unknown ns",
"search",
"name servers",
"present jul",
"aaaa",
"present apr",
"trojan",
"medium",
"high",
"yara rule",
"globalc",
"june",
"malware",
"win64",
"unknown",
"america flag",
"twitter",
"hostname",
"domain add",
"reverse dns",
"america asn",
"present aug",
"a domains",
"moved",
"first pqc",
"unknown aaaa",
"title",
"meta",
"window",
"encrypt",
"pulse indicator",
"body doctype",
"welcome",
"ok server",
"gmt content",
"atlanta",
"abuse",
"agent",
"service",
"present jun",
"present may",
"creation date",
"record value",
"servers",
"libretv meta",
"certificate",
"value",
"whois lookup",
"loopia ab",
"userlolxxl"
],
"references": [
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
},
{
"id": "Foundry",
"display_name": "Foundry",
"target": null
},
{
"id": "Trojan:Win32/Comisproc!gmb",
"display_name": "Trojan:Win32/Comisproc!gmb",
"target": "/malware/Trojan:Win32/Comisproc!gmb"
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "#Exploit:Win32/CVE- 2023 - 23397",
"display_name": "#Exploit:Win32/CVE- 2023 - 23397",
"target": "/malware/#Exploit:Win32/CVE- 2023 - 23397"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "ALF:PulZati:Worm:Win32/Mydoom",
"display_name": "ALF:PulZati:Worm:Win32/Mydoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 8,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 248,
"FileHash-SHA1": 134,
"FileHash-SHA256": 2661,
"URL": 6257,
"domain": 682,
"email": 8,
"hostname": 2077,
"CVE": 1
},
"indicator_count": 12068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "187 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68fd0cc422cea2fd989581fd",
"name": "LevelBlue - Open Threat Exchange (Malicious Attacks)",
"description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.",
"modified": "2025-11-24T17:02:12.441000",
"created": "2025-10-25T17:45:40.291000",
"tags": [
"ipv4",
"levelblue",
"open threat",
"date sat",
"connection",
"etag w",
"cloudfront",
"sameorigin age",
"vary",
"ip address",
"kb body",
"gtmkvjvztk",
"utc gcfezl5ynvb",
"utc na",
"utc google",
"analytics na",
"utc linkedin",
"insight tag",
"learn",
"exchange og",
"levelblue open",
"threat exchange",
"exchange",
"google tag",
"iocs",
"search otx",
"included iocs",
"review iocs",
"data upload",
"extraction",
"layer protocol",
"v full",
"reports v",
"port t1571",
"t1573",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"user",
"data",
"datacrashpad",
"edge",
"tag manager",
"us er",
"help files",
"shell",
"html",
"cve202323397",
"iframe tags",
"community score",
"url http",
"url https",
"united",
"united kingdom",
"netherlands",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"indicator role",
"title added",
"active related",
"otc oct",
"report spam",
"week ago",
"scan",
"learn more",
"filehashmd5",
"filehashsha1",
"domain",
"australia",
"does",
"josh",
"created",
"filehashsha256",
"present jul",
"present oct",
"date",
"a domains",
"script urls",
"for privacy",
"moved",
"script domains",
"meta",
"title",
"body",
"pragma",
"encrypt",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1027",
"files",
"information",
"t1055",
"injection",
"capture",
"south korea",
"malaysia",
"pulses",
"fatal error",
"hacker known",
"name",
"unknown",
"risk",
"weeks ago",
"scary",
"sova",
"colorado",
"wire",
"name unknown",
"thursday",
"denver",
"types of",
"indicators hong",
"kong",
"tsara brashears",
"african",
"ethiopia",
"b8reactjs",
"india",
"america",
"x ua",
"hostname",
"dicator role",
"pulses url",
"airplane",
"icator role",
"t1432",
"access contact",
"list",
"t1525",
"image",
"security scan",
"heuristic oct",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1114",
"t1480",
"internal image",
"brian sabey",
"month ago",
"modified",
"days ago",
"green well",
"sabey stash",
"service",
"t1040",
"sniffing",
"t1045",
"packing",
"t1053",
"taskjob"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Sova",
"display_name": "Sova",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1525",
"name": "Implant Internal Image",
"display_name": "T1525 - Implant Internal Image"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 956,
"FileHash-SHA1": 906,
"FileHash-SHA256": 2651,
"URL": 4450,
"domain": 708,
"hostname": 2403,
"CVE": 1,
"email": 5
},
"indicator_count": 12080,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "188 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68dff573cf17000ebca4e63f",
"name": "The University of British Columbia",
"description": "https://www.virustotal.com/gui/domain/ubc.ca\nhttps://www.virustotal.com/gui/file/2849292fde24ca7833a3fcde7852e6e76df178ea271e271d2d2b551c10033a09/details",
"modified": "2025-11-02T15:02:38.292000",
"created": "2025-10-03T16:10:27.760000",
"tags": [
"university",
"research",
"strong",
"ubc search",
"teaching",
"okanagan",
"bc canada",
"contact",
"skip",
"search ubc",
"find",
"back",
"user",
"cape sandbox",
"medium",
"http",
"matches rule",
"tls sni",
"memory pattern",
"size",
"date",
"info",
"shell",
"vhash",
"ssdeep",
"jjwad5 tlsh"
],
"references": [
"Contact Information | The University of British Columbia",
"spph.ca",
"www.ubc.ca",
"ubc.ca",
"CA-2020-01-12 05-18-26088DE56F-E544B574-D3166097-17FA11BC-45321A6D-v33.zip"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 29,
"FileHash-SHA256": 742,
"FileHash-MD5": 89,
"FileHash-SHA1": 42,
"URL": 243,
"hostname": 98
},
"indicator_count": 1243,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 125,
"modified_text": "210 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "binginternal.com",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "binginternal.com",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1780262097.9649463
}