{
"type": "Domain",
"indicator": "cdn-webcloud.com",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/cdn-webcloud.com",
"alexa": "http://www.alexa.com/siteinfo/cdn-webcloud.com",
"indicator": "cdn-webcloud.com",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 3592197548,
"indicator": "cdn-webcloud.com",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 26,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68451577ada8bb0aa0834edb",
"name": "X - Business Social Media Account used to attack victim",
"description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.",
"modified": "2025-07-08T04:03:04.386000",
"created": "2025-06-08T04:45:43.423000",
"tags": [
"trojan",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"upxoepplace",
"pulses none",
"related tags",
"none file",
"markus",
"april",
"win32",
"copy",
"usvwu",
"usvw",
"high",
"medium",
"show",
"uss c",
"binary file",
"yara",
"write",
"delphi",
"enigma",
"present mar",
"aaaa",
"united",
"passive dns",
"date",
"present nov",
"moved",
"urls",
"creation date",
"entries",
"body",
"trojandropper",
"susp",
"msr jul",
"next associated",
"pulse pulses",
"mtb jun",
"backdoor",
"content length",
"html document",
"ascii text",
"search",
"internalname",
"entries pe",
"showing",
"filehash",
"md5 add",
"av detections",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"size",
"encrypt",
"june",
"hybrid",
"local",
"path",
"click",
"twitter",
"strings",
"url https",
"url http",
"report spam",
"created",
"hours ago",
"bad actor",
"ck ids",
"t1057",
"discovery",
"t1071",
"amer",
"ipv4",
"indicator role",
"title added",
"active related",
"pulses",
"china",
"hong kong",
"russia",
"type indicator",
"role title",
"added active",
"related pulses",
"pulses url",
"filehashsha256",
"url add",
"http",
"ip address",
"related nids",
"files location",
"flag united",
"domain",
"hostname",
"next",
"filehashmd5",
"protocol",
"t1105",
"tool transfer",
"t1480"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 637,
"FileHash-SHA1": 639,
"FileHash-SHA256": 5380,
"domain": 676,
"hostname": 1120,
"URL": 1031,
"SSLCertFingerprint": 4
},
"indicator_count": 9487,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "285 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66f1accda30d94af7e846357",
"name": "Zendesk as VirusTotal \u00bb Ransom:Win32/CVE",
"description": "*https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088 |||\n\n*In this situation a target received a VirusTotal / Zendesk drive by pop up message that site was unauthorized , fraud risk. The link has it all! Downloaders, install core, browser bar malware, ransomware, python script. Heavy attack. Desires deletion of device , accounts and contents.\n |||\nALF:HeraklezEval:Ransom:Win32/CVE , \nALF:Trojan:Win32/Cassini_6d4ebdc9 ,\nBackdoor:Win32/Zegost ,\nCVE-2023-22518 ,\nCVE-2023-4966 ,\nFakeAV.FOR ,\nMalware:AddsCopyToStartup ,\nNinite ,\nNoobyProtect ,\nTEL:Trojan:Win64/GoCLR ,\nTELPER:HSTR:CLEAN:Ninite ,\nTrojan:Win32/Cobaltstrike ,\nTrojan:Win32/Dridex ,\nTrojan:Win32/Fanop ,\nTrojan:Win32/Neconyd ,\nTrojan:Win32/Startpage ,\nTrojan:Win32/Zombie ,\nVirTool:Win32/Injector.gen!BQ ,\nVirTool:Win32/Obfuscator ,\nWin.Trojan.Generic-9935365-0 ,\nWorm:Win32/Autorun",
"modified": "2024-10-23T17:03:27.463000",
"created": "2024-09-23T18:00:45.146000",
"tags": [
"as396982 google",
"setup",
"passive dns",
"unknown",
"ninite sep",
"a td",
"443 ma2592000",
"accept",
"gmt cache",
"trojan",
"status",
"name servers",
"urls",
"creation date",
"search",
"emails",
"servers",
"as15169 google",
"aaaa",
"cname",
"virtool",
"cryp",
"as19527 google",
"win32",
"related pulses",
"file samples",
"files matching",
"date hash",
"trojan features",
"entries",
"search otx",
"telper",
"worm",
"copyright",
"levelblue",
"files domain",
"files related",
"pulses none",
"accept accept",
"as16625 akamai",
"as20940",
"asnone united",
"nxdomain",
"expiration date",
"as21342",
"as132147",
"china",
"as9808 china",
"body",
"all scoreblue",
"backdoor",
"alf features",
"all search",
"domain",
"as15133 verizon",
"as16552 tiggee",
"url https",
"http",
"hostname",
"ninite",
"united states",
"scan endpoints",
"show",
"showing",
"next",
"united",
"as54113",
"github pages",
"formbook cnc",
"checkin",
"mtb aug",
"a domains",
"class",
"twitter",
"certificate",
"record value",
"pulse pulses",
"overview ip",
"address",
"related nids",
"files location",
"div div",
"github",
"meta",
"homepage",
"form",
"as36459",
"g2 tls",
"rsa sha256",
"as29791",
"dynamicloader",
"medium",
"yara detections",
"dynamic",
"filehash",
"sha256",
"february",
"copy",
"otx telemetry",
"related tags",
"a li",
"span p",
"dj ai",
"dongjun jeong",
"a h2",
"writeups",
"infosec journey",
"script urls",
"netherlands",
"a nxdomain",
"aaaa nxdomain",
"cloudfront",
"trojandropper",
"china unknown",
"msie",
"chrome",
"ipv4",
"noobyprotect",
"files",
"peeringdb",
"sign",
"github copilot",
"view",
"notifications",
"branches tags",
"code issues",
"pull",
"write",
"star",
"code",
"stars",
"python",
"shell",
"footer",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"as62597 nsone",
"dnssec",
"win32mydoom sep",
"windows nt",
"wow64",
"khtml",
"gecko",
"query",
"jpn write",
"e0e8e",
"observed dns",
"expiro",
"defender",
"malware",
"possible",
"suspicious",
"activity dns",
"mtb may",
"sameorigin",
"domain name",
"error",
"moved",
"server",
"mtb sep",
"win32cve sep",
"cloud provider",
"reverse dns",
"america asn",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"pulses",
"default",
"yara rule",
"high",
"cnc checkin",
"cape",
"powershell",
"vmprotect",
"local",
"agent",
"domainabuse",
"su liao",
"zhi pin",
"application",
"expiro malware",
"anomalous file",
"june",
"fakedout threat",
"analyzer paste",
"iocs",
"samples",
"exploit",
"germany unknown",
"as14636",
"russia unknown",
"as9123 timeweb",
"as45102 alibaba",
"as43830",
"read c",
"write c",
"process32nextw",
"regsetvalueexa",
"regdword",
"installcore",
"format",
"delphi",
"stack",
"downloader",
"urls http",
"delete c",
"tls handshake",
"number",
"failure",
"delete",
"ids detections",
"fadok",
"template",
"slcc2",
"media center",
"contacted",
"ollydbg",
"internal",
"simda",
"brian sabey",
"going dark",
"stop",
"as14061",
"hostnames",
"as48287 jsc",
"as50340",
"czechia unknown",
"date"
],
"references": [
"https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088",
"GitHub - peeringdb/peeringdb-py: PeeringDB python client",
"00-skillsetparadesarrollo.zendesk.com",
"https://github.com/peeringdb/peeringdb-py",
"From the lovely Cyber Folks .PL Cover"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Poland",
"Australia",
"Austria",
"Canada",
"Netherlands",
"China"
],
"malware_families": [
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "CVE-2023-4966",
"display_name": "CVE-2023-4966",
"target": null
},
{
"id": "FakeAV.FOR",
"display_name": "FakeAV.FOR",
"target": null
},
{
"id": "TELPER:HSTR:CLEAN:Ninite",
"display_name": "TELPER:HSTR:CLEAN:Ninite",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "Trojan:Win32/Dridex",
"display_name": "Trojan:Win32/Dridex",
"target": "/malware/Trojan:Win32/Dridex"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Malware:AddsCopyToStartup",
"display_name": "Malware:AddsCopyToStartup",
"target": null
},
{
"id": "Trojan:Win32/Cobaltstrike",
"display_name": "Trojan:Win32/Cobaltstrike",
"target": "/malware/Trojan:Win32/Cobaltstrike"
},
{
"id": "ALF:Trojan:Win32/Cassini_6d4ebdc9",
"display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9",
"target": null
},
{
"id": "Trojan:Win32/Startpage",
"display_name": "Trojan:Win32/Startpage",
"target": "/malware/Trojan:Win32/Startpage"
},
{
"id": "Backdoor:Win32/Zegost",
"display_name": "Backdoor:Win32/Zegost",
"target": "/malware/Backdoor:Win32/Zegost"
},
{
"id": "Trojan:Win32/Fanop",
"display_name": "Trojan:Win32/Fanop",
"target": "/malware/Trojan:Win32/Fanop"
},
{
"id": "Trojan:Win32/Neconyd",
"display_name": "Trojan:Win32/Neconyd",
"target": "/malware/Trojan:Win32/Neconyd"
},
{
"id": "Trojan:Win32/Zombie",
"display_name": "Trojan:Win32/Zombie",
"target": "/malware/Trojan:Win32/Zombie"
},
{
"id": "Win.Trojan.Generic-9935365-0",
"display_name": "Win.Trojan.Generic-9935365-0",
"target": null
},
{
"id": "Ninite",
"display_name": "Ninite",
"target": null
},
{
"id": "NoobyProtect",
"display_name": "NoobyProtect",
"target": null
},
{
"id": "TEL:Trojan:Win64/GoCLR",
"display_name": "TEL:Trojan:Win64/GoCLR",
"target": null
},
{
"id": "ALF:HeraklezEval:Ransom:Win32/CVE",
"display_name": "ALF:HeraklezEval:Ransom:Win32/CVE",
"target": null
},
{
"id": "VirTool:Win32/Injector.gen!BQ",
"display_name": "VirTool:Win32/Injector.gen!BQ",
"target": "/malware/VirTool:Win32/Injector.gen!BQ"
}
],
"attack_ids": [
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4891,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2436,
"CVE": 3,
"FileHash-MD5": 2510,
"FileHash-SHA1": 2063,
"FileHash-SHA256": 4054,
"hostname": 1788,
"URL": 1228,
"email": 16
},
"indicator_count": 14098,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 239,
"modified_text": "543 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb4772c3d3ad1f7accc98a",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:53.179000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb476d935dd560b4a3e938",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.380000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb476d0566c2d07e474df5",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.140000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb4768b06f4da2fba5959b",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:44.270000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659560d63178b32f07838efb",
"name": "Covert | Big O Tires active cyber threat | Dark Power | Emotet|",
"description": "Active, ongoing cyber threat, multiple malicious activities including, network rat, ransomware encryption, social engineering, spammers, infostealer, botnet activity.\nConsumers may also be contacted by mail or phone or find account seized. I haven't benn able to properly access the magnitude of the issue, there has been at least a handful of customers in good standing , with higher limits on paid of cards that ended up being stolen or according to Big O Representatives 'closed' for unfounded reasons; failure to confirm citizenship, identity, unknown patriot act offences, failure to comply Big O Tires via mail.",
"modified": "2024-02-02T12:04:41.638000",
"created": "2024-01-03T13:27:50.685000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"unsafeeval",
"path",
"expiressat",
"auto",
"wheels online",
"o tires",
"shop tires",
"html info",
"title shop",
"tires",
"meta tags",
"big o",
"tires language",
"name verdict",
"falcon sandbox",
"samples",
"localappdata",
"json data",
"temp",
"getprocaddress",
"ascii text",
"windir",
"file",
"indicator",
"mitre att",
"ck id",
"factory",
"hybrid",
"model",
"comspec",
"ssl certificate",
"whois record",
"execution",
"contacted",
"historical ssl",
"whois whois",
"simda http",
"collections",
"historical",
"dropped",
"backdoor",
"unknown",
"united",
"asnone",
"show",
"entries",
"search",
"intel",
"ms windows",
"pe32",
"windows nt",
"copy",
"write",
"logic",
"download",
"malware",
"suspicious",
"next",
"destination",
"port",
"components",
"globalnpf",
"china as23724",
"music",
"data c",
"mexico",
"as15169 google",
"passive dns",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"win32",
"united kingdom",
"explorer",
"xserver",
"mtb aug",
"location united",
"america asn",
"open",
"trojan",
"worm",
"dataadobereader",
"as397240",
"msie",
"etpro trojan",
"virgin islands",
"script urls",
"creation date",
"record value",
"date",
"a domains",
"all search",
"otx octoseek",
"url http",
"http",
"related nids",
"pulse http",
"url https",
"files location",
"as20940",
"aaaa",
"as2914 ntt",
"canada unknown",
"japan unknown",
"as16625 akamai",
"domain",
"hostname",
"gmt content",
"gmt report",
"0 report",
"sea alt",
"body",
"encrypt",
"social engineering",
"revenge rat",
"rat",
"identity theft",
"credit card",
"referrer",
"communicating",
"bundled",
"family",
"roots",
"lolkek",
"tzw variants",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"ransomware",
"cobalt strike",
"attack",
"core",
"emotet",
"exploit",
"hacktool",
"mail spammer",
"as63949 linode",
"mtb dec",
"checkin m1",
"trojanspy",
"artro",
"remote",
"infostealer"
],
"references": [
"https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Ukraine",
"Georgia",
"India",
"Hong Kong",
"Canada",
"China",
"Indonesia",
"South Africa",
"Germany",
"Slovenia",
"Mexico",
"Netherlands",
"Japan",
"Spain",
"Argentina",
"France",
"Chile",
"Italy",
"Aruba",
"Switzerland",
"United Kingdom of Great Britain and Northern Ireland",
"Denmark",
"Poland",
"Colombia",
"Taiwan",
"Bulgaria",
"Austria",
"Russian Federation",
"Australia",
"Philippines",
"Norway",
"Sweden"
],
"malware_families": [
{
"id": "Trojan:Win32/Comspec",
"display_name": "Trojan:Win32/Comspec",
"target": "/malware/Trojan:Win32/Comspec"
},
{
"id": "#Lowfi:SCPT:KiraAsciiObfuscator",
"display_name": "#Lowfi:SCPT:KiraAsciiObfuscator",
"target": null
},
{
"id": "Backdoor:Win32/Simda",
"display_name": "Backdoor:Win32/Simda",
"target": "/malware/Backdoor:Win32/Simda"
},
{
"id": "Crypt3.BLXP",
"display_name": "Crypt3.BLXP",
"target": null
},
{
"id": "PWS:Win32/VB.CU",
"display_name": "PWS:Win32/VB.CU",
"target": "/malware/PWS:Win32/VB.CU"
},
{
"id": "Trojan:MSIL/ClipBanker.GB!MTB",
"display_name": "Trojan:MSIL/ClipBanker.GB!MTB",
"target": "/malware/Trojan:MSIL/ClipBanker.GB!MTB"
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Win.Packed.Zusy-7170176-0",
"display_name": "Win.Packed.Zusy-7170176-0",
"target": null
},
{
"id": "Win.Trojan.Zbot-9880005-0",
"display_name": "Win.Trojan.Zbot-9880005-0",
"target": null
},
{
"id": "'Win32:Trojan-gen",
"display_name": "'Win32:Trojan-gen",
"target": null
},
{
"id": "TEL:TrojanDownloader:O97M/MsiexecAbuse",
"display_name": "TEL:TrojanDownloader:O97M/MsiexecAbuse",
"target": null
},
{
"id": "Worm:Win32/Mofksys.B",
"display_name": "Worm:Win32/Mofksys.B",
"target": "/malware/Worm:Win32/Mofksys.B"
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Worm:LOGO/Logic",
"display_name": "Worm:LOGO/Logic",
"target": "/malware/Worm:LOGO/Logic"
},
{
"id": "ETPro Trojan",
"display_name": "ETPro Trojan",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "TrojanSpy:Win32/Swisyn",
"display_name": "TrojanSpy:Win32/Swisyn",
"target": "/malware/TrojanSpy:Win32/Swisyn"
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [
"Telecommunications"
],
"TLP": "green",
"cloned_from": null,
"export_count": 29,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 560,
"FileHash-SHA1": 350,
"FileHash-SHA256": 4371,
"URL": 8165,
"domain": 2548,
"hostname": 2813,
"CVE": 4,
"email": 3
},
"indicator_count": 18814,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "807 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "655dafbe9ac9ac786fde45ad",
"name": "http://malwaredomainlist.com/ \u2022 CNC \u2022 Spyware \u2022 Tracking",
"description": "Network capture, dga domain, ecc domain, data collection, voicemail access, mail spammer, registrar abuse\n\n[Auto populated. I can't cannot confirm or deny the accuracy of the following information: A summary of key facts and information about a malicious web domain, hosted by the US government, has been released by Google.com and its parent company, Alphabet, for use on its website.]",
"modified": "2023-12-22T06:03:01.993000",
"created": "2023-11-22T07:37:34.595000",
"tags": [
"united",
"as22612",
"as2637",
"creation date",
"search",
"moved",
"expiration date",
"date",
"showing",
"as397240",
"next",
"entries",
"scan endpoints",
"all octoseek",
"dns replication",
"win32 exe",
"network capture",
"android",
"android adaway",
"html",
"files",
"detections type",
"name",
"office open",
"xml document",
"namecheap",
"namecheap inc",
"whois lookups",
"win32 dll",
"text",
"wextract",
"text htaccess",
"powershell",
"detection list",
"blacklist",
"first",
"ssl certificate",
"whois record",
"contacted",
"december",
"whois whois",
"threat roundup",
"historical ssl",
"problems",
"referrer",
"pe resource",
"startpage",
"cyber threat",
"redline stealer",
"mail spammer",
"hostname",
"phishing site",
"malicious site",
"installcore",
"http spammer",
"malware site",
"malware",
"generic malware",
"heur",
"generic",
"alexa top",
"million",
"site",
"cisco umbrella",
"alexa",
"ip address",
"algorithm",
"data",
"v3 serial",
"number",
"cat cnzerossl",
"ecc domain",
"secure site",
"ca ozerossl",
"validity",
"subject public",
"server",
"email",
"code",
"registrar abuse",
"country",
"privacy service",
"withheld",
"privacy",
"domain name",
"pattern match",
"ascii text",
"appdata",
"file",
"windows nt",
"svg scalable",
"vector graphics",
"indicator",
"gif image",
"accept",
"hybrid",
"general",
"local",
"pixel",
"click",
"twitter",
"strings",
"class",
"generator",
"critical",
"command_and_control",
"spyware",
"tracking",
"voicemail access",
"dga",
"apple"
],
"references": [
"https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e",
"\u2193Interesting\u2193",
"IPv4 198.54.117.211 command_and_control",
"IPv4 198.54.117.210 command_and_control",
"IPv4 198.54.117.212 command_and_control",
"IPv4 198.54.117.215 command_and_control",
"IPv4 198.54.117.217 command_and_control",
"IPv4 198.54.117.218 command_and_control",
"apple-securityiphone-icloud.com",
"tx-p2p-pull.video-voip.com.dorm.com",
"http://updates.voicemailaccess.net/b0f6a00b15311023",
"tvapp-server.de",
"zeustracker.abuse.ch",
"ransomwaretracker.abuse.ch",
"http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid",
"louisianarooflawyers.com [phishing]",
"hasownproperty.call"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 51,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 105,
"FileHash-SHA1": 100,
"FileHash-SHA256": 3072,
"domain": 1188,
"email": 5,
"URL": 7940,
"hostname": 1925,
"CVE": 1
},
"indicator_count": 14336,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "849 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a8bf416a1c314819ea53",
"name": "Remote Access Related | APK attack targets independent artists",
"description": "",
"modified": "2023-12-06T17:00:47.888000",
"created": "2023-12-06T17:00:47.888000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 5,
"FileHash-SHA256": 2385,
"hostname": 1054,
"domain": 713,
"URL": 3595,
"FileHash-MD5": 1104,
"FileHash-SHA1": 585,
"FilePath": 1
},
"indicator_count": 9442,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709c66212cb7d161243667",
"name": "InQuest - 10-06-2023",
"description": "",
"modified": "2023-12-06T16:08:06.663000",
"created": "2023-12-06T16:08:06.663000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1697,
"hostname": 325,
"FileHash-SHA256": 483,
"domain": 700,
"FileHash-MD5": 475,
"FileHash-SHA1": 23
},
"indicator_count": 3703,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709c61923e63397d724a43",
"name": "InQuest - 09-06-2023",
"description": "",
"modified": "2023-12-06T16:08:01.857000",
"created": "2023-12-06T16:08:01.857000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 646,
"URL": 1514,
"FileHash-SHA256": 1056,
"hostname": 214,
"FileHash-MD5": 519,
"FileHash-SHA1": 29
},
"indicator_count": 3978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709c571c9c316a625073ca",
"name": "InQuest - 08-06-2023",
"description": "",
"modified": "2023-12-06T16:07:51.761000",
"created": "2023-12-06T16:07:51.761000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 614,
"URL": 1499,
"FileHash-SHA256": 1096,
"hostname": 194,
"FileHash-MD5": 525,
"FileHash-SHA1": 30
},
"indicator_count": 3958,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709c42bdd32cb4b343a12d",
"name": "InQuest - 07-06-2023",
"description": "",
"modified": "2023-12-06T16:07:30.911000",
"created": "2023-12-06T16:07:30.911000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 597,
"URL": 1478,
"FileHash-SHA256": 1085,
"hostname": 194,
"FileHash-MD5": 585,
"FileHash-SHA1": 30
},
"indicator_count": 3969,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709c38b077f9845318a1bd",
"name": "InQuest - 06-06-2023",
"description": "",
"modified": "2023-12-06T16:07:20.769000",
"created": "2023-12-06T16:07:20.769000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 588,
"URL": 1333,
"FileHash-SHA256": 1033,
"hostname": 194,
"FileHash-MD5": 650,
"FileHash-SHA1": 20
},
"indicator_count": 3818,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709c28940b00211baa2ab1",
"name": "InQuest - 05-06-2023",
"description": "",
"modified": "2023-12-06T16:07:04.724000",
"created": "2023-12-06T16:07:04.724000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 586,
"URL": 1326,
"FileHash-SHA256": 1010,
"hostname": 194,
"FileHash-MD5": 649,
"FileHash-SHA1": 20
},
"indicator_count": 3785,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "653f1d23d050527b7aa07cfd",
"name": "Remote Access Related | APK attack targets independent artists",
"description": "",
"modified": "2023-11-12T07:01:14.580000",
"created": "2023-10-30T03:04:03.323000",
"tags": [
"alexa top",
"blacklist",
"phishing",
"million",
"site",
"cisco umbrella",
"path",
"maxage31536000",
"expiressat",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"pragma",
"html info",
"title kedence",
"official apk",
"meta tags",
"apk download",
"android",
"google tag",
"utc google",
"utc na",
"whois record",
"contacted",
"ssl certificate",
"communicating",
"referrer",
"historical ssl",
"bundled",
"resolutions",
"contacted urls",
"hackers install",
"malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"united",
"phishing site",
"malware site",
"malicious site",
"heur",
"anonymizer",
"malicious host",
"crack",
"maltiverse",
"driverpack",
"ransomware",
"opencandy",
"artemis",
"riskware",
"installcore",
"suppobox",
"bank",
"agent",
"patcher",
"generic",
"t",
"safe site",
"iframe",
"downldr",
"presenoker",
"exploit",
"genkryptik",
"dropper",
"fakealert",
"quasar rat",
"xtrat",
"softcnapp",
"cleaner",
"xrat",
"applicunwnt",
"mimikatz",
"team",
"azorult",
"service",
"runescape",
"facebook",
"download",
"logo analysis",
"size81b type",
"mime",
"scan10132023",
"results",
"multi scan",
"analysis",
"update",
"view details",
"na visit",
"sansx22",
"3px 3px",
"indicator",
"file",
"general",
"email address",
"pattern match",
"ck id",
"t1114",
"show technique",
"mitre att",
"ck matrix",
"script",
"antivirus",
"svg scalable",
"vector graphics",
"span",
"twitter",
"hybrid",
"ascii text",
"appdata",
"windows nt",
"png image",
"jpeg image",
"jfif",
"date",
"flag",
"markmonitor",
"name server",
"server",
"enom",
"whois privacy",
"cloudflare",
"domain address",
"show",
"osint",
"f8f9fa",
"eeeeee",
"click",
"unknown",
"open",
"error",
"body",
"hosts",
"strings",
"class",
"critical",
"meta",
"scroll",
"atom"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "T",
"display_name": "T",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6528fa2179cc1554d7f434c6",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 713,
"FileHash-MD5": 1104,
"FileHash-SHA1": 585,
"FileHash-SHA256": 2385,
"hostname": 1054,
"URL": 3596,
"CVE": 5,
"FilePath": 1
},
"indicator_count": 9443,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "889 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6528fa2179cc1554d7f434c6",
"name": "Remote Access Related | APK attack targets independent artists",
"description": "Suppression, malware,\nPassword,Exploit/Shellcode *Defacement *Unsafe.AI_Score_ * FileRepMetagen [PUP]\nrevenge-rat,stealer,, Steganos Software GmbH Privacy Suite, Ransom_WannaCrypt.R002C0DJO20,\nWacatac.B, Trojan.HideLink, SuppoBox,Trojan.Downloader.Generic, TrojWare.JS.Obfuscated, Phish.HHH, Phishing_Netflix.EVT, Phishing.Microsoft,Trojan.AvsHepter, HTML:PhishingBank, Phishing.fz, Probably, Heur.HTMLUnescapeF, BehavesLike.HTML.SMSSendPhishing.S23, Gen:Variant.Zbot, BehavesLike.HTML.Faceliker",
"modified": "2023-11-12T07:01:14.580000",
"created": "2023-10-13T08:04:49.722000",
"tags": [
"alexa top",
"blacklist",
"phishing",
"million",
"site",
"cisco umbrella",
"path",
"maxage31536000",
"expiressat",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"pragma",
"html info",
"title kedence",
"official apk",
"meta tags",
"apk download",
"android",
"google tag",
"utc google",
"utc na",
"whois record",
"contacted",
"ssl certificate",
"communicating",
"referrer",
"historical ssl",
"bundled",
"resolutions",
"contacted urls",
"hackers install",
"malware",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"united",
"phishing site",
"malware site",
"malicious site",
"heur",
"anonymizer",
"malicious host",
"crack",
"maltiverse",
"driverpack",
"ransomware",
"opencandy",
"artemis",
"riskware",
"installcore",
"suppobox",
"bank",
"agent",
"patcher",
"generic",
"t",
"safe site",
"iframe",
"downldr",
"presenoker",
"exploit",
"genkryptik",
"dropper",
"fakealert",
"quasar rat",
"xtrat",
"softcnapp",
"cleaner",
"xrat",
"applicunwnt",
"mimikatz",
"team",
"azorult",
"service",
"runescape",
"facebook",
"download",
"logo analysis",
"size81b type",
"mime",
"scan10132023",
"results",
"multi scan",
"analysis",
"update",
"view details",
"na visit",
"sansx22",
"3px 3px",
"indicator",
"file",
"general",
"email address",
"pattern match",
"ck id",
"t1114",
"show technique",
"mitre att",
"ck matrix",
"script",
"antivirus",
"svg scalable",
"vector graphics",
"span",
"twitter",
"hybrid",
"ascii text",
"appdata",
"windows nt",
"png image",
"jpeg image",
"jfif",
"date",
"flag",
"markmonitor",
"name server",
"server",
"enom",
"whois privacy",
"cloudflare",
"domain address",
"show",
"osint",
"f8f9fa",
"eeeeee",
"click",
"unknown",
"open",
"error",
"body",
"hosts",
"strings",
"class",
"critical",
"meta",
"scroll",
"atom"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "T",
"display_name": "T",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 31,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 713,
"FileHash-MD5": 1104,
"FileHash-SHA1": 585,
"FileHash-SHA256": 2385,
"hostname": 1054,
"URL": 3596,
"CVE": 5,
"FilePath": 1
},
"indicator_count": 9443,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "889 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64850757a71d2bb05c54c48f",
"name": "InQuest - 10-06-2023",
"description": "",
"modified": "2023-07-10T23:02:21.895000",
"created": "2023-06-10T23:29:27.717000",
"tags": [],
"references": [
"https://labs.inquest.net/iocdb"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "CyberHunterAutoFeed",
"id": "182496",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 483,
"domain": 700,
"URL": 1697,
"hostname": 325,
"FileHash-SHA1": 23,
"FileHash-MD5": 475
},
"indicator_count": 3703,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 1601,
"modified_text": "1014 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6483b5854450eca17552f24a",
"name": "InQuest - 09-06-2023",
"description": "",
"modified": "2023-07-09T23:00:21.077000",
"created": "2023-06-09T23:28:05.492000",
"tags": [],
"references": [
"https://labs.inquest.net/iocdb"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "CyberHunterAutoFeed",
"id": "182496",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 214,
"URL": 1514,
"FileHash-SHA256": 1056,
"domain": 646,
"FileHash-MD5": 519,
"FileHash-SHA1": 29
},
"indicator_count": 3978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 1600,
"modified_text": "1015 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64826497cd9780401dde83b3",
"name": "InQuest - 08-06-2023",
"description": "",
"modified": "2023-07-08T23:01:23.198000",
"created": "2023-06-08T23:30:31.791000",
"tags": [],
"references": [
"https://labs.inquest.net/iocdb"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "CyberHunterAutoFeed",
"id": "182496",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1096,
"FileHash-MD5": 525,
"domain": 614,
"URL": 1499,
"FileHash-SHA1": 30,
"hostname": 194
},
"indicator_count": 3958,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 1600,
"modified_text": "1016 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "648112edcfcb068623d87aed",
"name": "InQuest - 07-06-2023",
"description": "",
"modified": "2023-07-07T23:04:34.817000",
"created": "2023-06-07T23:29:49.971000",
"tags": [],
"references": [
"https://labs.inquest.net/iocdb"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "CyberHunterAutoFeed",
"id": "182496",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1085,
"URL": 1478,
"FileHash-MD5": 585,
"domain": 597,
"FileHash-SHA1": 30,
"hostname": 194
},
"indicator_count": 3969,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 1601,
"modified_text": "1017 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "647fc1c92caa8d8fd54789a0",
"name": "InQuest - 06-06-2023",
"description": "",
"modified": "2023-07-06T23:01:44.388000",
"created": "2023-06-06T23:31:21.479000",
"tags": [],
"references": [
"https://labs.inquest.net/iocdb"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "CyberHunterAutoFeed",
"id": "182496",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1033,
"URL": 1333,
"hostname": 194,
"domain": 588,
"FileHash-MD5": 650,
"FileHash-SHA1": 20
},
"indicator_count": 3818,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 1601,
"modified_text": "1018 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "647e6ffec9fbf73e24567f76",
"name": "InQuest - 05-06-2023",
"description": "",
"modified": "2023-07-05T23:03:35.121000",
"created": "2023-06-05T23:30:06.468000",
"tags": [],
"references": [
"https://labs.inquest.net/iocdb"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "CyberHunterAutoFeed",
"id": "182496",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1010,
"URL": 1326,
"hostname": 194,
"domain": 586,
"FileHash-MD5": 649,
"FileHash-SHA1": 20
},
"indicator_count": 3785,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 1601,
"modified_text": "1019 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "637d0be48367345b336e92cd",
"name": "Black Friday Alret : 4 Emerging Skimming Attacks | Zscaler",
"description": "Zscaler is the world\u2019s largest security platform built for the cloud and provides solutions that protect users, businesses and users with zero trust connectivity and secure access to cloud apps, services and services.",
"modified": "2022-12-22T17:01:45.386000",
"created": "2022-11-22T17:50:28.486000",
"tags": [
"rest api",
"skimming",
"black friday",
"ecommerce attacks",
"threatlabz",
"group",
"magento",
"virustotal",
"html dom",
"http post",
"july",
"canada",
"cc skimmer",
"presta shop",
"australia",
"august",
"code"
],
"references": [
"https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada",
"Australia"
],
"malware_families": [
{
"id": "REST API",
"display_name": "REST API",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
}
],
"industries": [
"E-Commerce"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "mohammedkaif_98",
"id": "214759",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-MD5": 1,
"URL": 13,
"domain": 25
},
"indicator_count": 41,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "1214 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"louisianarooflawyers.com [phishing]",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"http://updates.voicemailaccess.net/b0f6a00b15311023",
"I am very upset. Whoever is doing this is sick.",
"https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season",
"https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"http://micrologin.ogspy.net/track/dhl-information-contact.html",
"ransomwaretracker.abuse.ch",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"\u2193Interesting\u2193",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"CVE: CVE-2023-23397",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"There is fear in silence or speaking out",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"workers.dev [extraction \u2022 GET request attack]",
"tx-p2p-pull.video-voip.com.dorm.com",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"hasownproperty.call",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"iamrobert.com Y.A.S.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"From the lovely Cyber Folks .PL Cover",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"IPv4 198.54.117.211 command_and_control",
"https://es.pornhat.com/models/the-sex-creator/",
"https://meumundogay-com.sexogratis.page/locker",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"https://twitter.com/PORNO_SEXYBABES",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"tvapp-server.de",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"zeustracker.abuse.ch",
"sex-ukraine.net",
"IPv4 198.54.117.212 command_and_control",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"Can the DoD no questions asked target a SA victim",
"Target agreed and complied with all lie detector measures.",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"IPv4 198.54.117.217 command_and_control",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"apple-securityiphone-icloud.com",
"IPv4 198.54.117.215 command_and_control",
"www.supernetforme.com [command_and_control]",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"GitHub - peeringdb/peeringdb-py: PeeringDB python client",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"nexus.b2btest.ertelecom.ru",
"ddos.dnsnb8.net [command_and_control]",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"IPv4 198.54.117.218 command_and_control",
"https://labs.inquest.net/iocdb",
"If someone is believed to be a threat they have right to due process.",
"https://github.com/peeringdb/peeringdb-py",
"00-skillsetparadesarrollo.zendesk.com",
"IPv4 198.54.117.210 command_and_control"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [],
"malware_families": [
"Crypt3.blxp",
"Backdoor:win32/simda",
"Dark power",
"Telper:hstr:clean:ninite",
"Trojan:win32/fanop",
"Trojan:win32/zombie",
"Noobyprotect",
"Ransomexx",
"Hallrender",
"Quasar rat",
"Cve-2023-4966",
"Lockbit",
"Worm:win32/mofksys.rnd!mtb",
"Cve-2023-22518",
"Tel:trojandownloader:o97m/msiexecabuse",
"Generic",
"Trojan:win32/comspec",
"Virtool:win32/injector.gen!bq",
"T",
"Worm:win32/mofksys.b",
"Makop",
"Apnic",
"Blacknet",
"Hacktool",
"Qakbot",
"Trojan:msil/clipbanker.gb!mtb",
"Trojan:win32/startpage",
"Trojan:win32/neconyd",
"Hallgrand",
"Virus:win32/floxif.h",
"Pws:win32/vb.cu",
"Ryuk ransomware",
"Win.packed.zusy-7170176-0",
"Win.trojan.generic-9935365-0",
"Ninite",
"Maltiverse",
"Rest api",
"Sabey",
"Trojanspy",
"Trojanspy:win32/swisyn",
"Malware",
"Ransomware",
"Alf:heraklezeval:ransom:win32/cve",
"'win32:trojan-gen",
"Cobalt strike",
"Win.trojan.zbot-9880005-0",
"Fakeav.for",
"Tel:trojan:win64/goclr",
"Malware:addscopytostartup",
"Worm:logo/logic",
"Artro",
"Alf:trojan:win32/cassini_6d4ebdc9",
"Worm:win32/autorun",
"Virtool:win32/obfuscator",
"#lowfi:scpt:kiraasciiobfuscator",
"Ursnif",
"Trojan:win32/dridex",
"Etpro trojan",
"Emotet",
"Lolkek",
"Trojan:win32/cobaltstrike",
"Installcore",
"Backdoor:win32/zegost"
],
"industries": [
"Telecommunications",
"E-commerce"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 26,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68451577ada8bb0aa0834edb",
"name": "X - Business Social Media Account used to attack victim",
"description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.",
"modified": "2025-07-08T04:03:04.386000",
"created": "2025-06-08T04:45:43.423000",
"tags": [
"trojan",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"upxoepplace",
"pulses none",
"related tags",
"none file",
"markus",
"april",
"win32",
"copy",
"usvwu",
"usvw",
"high",
"medium",
"show",
"uss c",
"binary file",
"yara",
"write",
"delphi",
"enigma",
"present mar",
"aaaa",
"united",
"passive dns",
"date",
"present nov",
"moved",
"urls",
"creation date",
"entries",
"body",
"trojandropper",
"susp",
"msr jul",
"next associated",
"pulse pulses",
"mtb jun",
"backdoor",
"content length",
"html document",
"ascii text",
"search",
"internalname",
"entries pe",
"showing",
"filehash",
"md5 add",
"av detections",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"size",
"encrypt",
"june",
"hybrid",
"local",
"path",
"click",
"twitter",
"strings",
"url https",
"url http",
"report spam",
"created",
"hours ago",
"bad actor",
"ck ids",
"t1057",
"discovery",
"t1071",
"amer",
"ipv4",
"indicator role",
"title added",
"active related",
"pulses",
"china",
"hong kong",
"russia",
"type indicator",
"role title",
"added active",
"related pulses",
"pulses url",
"filehashsha256",
"url add",
"http",
"ip address",
"related nids",
"files location",
"flag united",
"domain",
"hostname",
"next",
"filehashmd5",
"protocol",
"t1105",
"tool transfer",
"t1480"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 637,
"FileHash-SHA1": 639,
"FileHash-SHA256": 5380,
"domain": 676,
"hostname": 1120,
"URL": 1031,
"SSLCertFingerprint": 4
},
"indicator_count": 9487,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "285 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66f1accda30d94af7e846357",
"name": "Zendesk as VirusTotal \u00bb Ransom:Win32/CVE",
"description": "*https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088 |||\n\n*In this situation a target received a VirusTotal / Zendesk drive by pop up message that site was unauthorized , fraud risk. The link has it all! Downloaders, install core, browser bar malware, ransomware, python script. Heavy attack. Desires deletion of device , accounts and contents.\n |||\nALF:HeraklezEval:Ransom:Win32/CVE , \nALF:Trojan:Win32/Cassini_6d4ebdc9 ,\nBackdoor:Win32/Zegost ,\nCVE-2023-22518 ,\nCVE-2023-4966 ,\nFakeAV.FOR ,\nMalware:AddsCopyToStartup ,\nNinite ,\nNoobyProtect ,\nTEL:Trojan:Win64/GoCLR ,\nTELPER:HSTR:CLEAN:Ninite ,\nTrojan:Win32/Cobaltstrike ,\nTrojan:Win32/Dridex ,\nTrojan:Win32/Fanop ,\nTrojan:Win32/Neconyd ,\nTrojan:Win32/Startpage ,\nTrojan:Win32/Zombie ,\nVirTool:Win32/Injector.gen!BQ ,\nVirTool:Win32/Obfuscator ,\nWin.Trojan.Generic-9935365-0 ,\nWorm:Win32/Autorun",
"modified": "2024-10-23T17:03:27.463000",
"created": "2024-09-23T18:00:45.146000",
"tags": [
"as396982 google",
"setup",
"passive dns",
"unknown",
"ninite sep",
"a td",
"443 ma2592000",
"accept",
"gmt cache",
"trojan",
"status",
"name servers",
"urls",
"creation date",
"search",
"emails",
"servers",
"as15169 google",
"aaaa",
"cname",
"virtool",
"cryp",
"as19527 google",
"win32",
"related pulses",
"file samples",
"files matching",
"date hash",
"trojan features",
"entries",
"search otx",
"telper",
"worm",
"copyright",
"levelblue",
"files domain",
"files related",
"pulses none",
"accept accept",
"as16625 akamai",
"as20940",
"asnone united",
"nxdomain",
"expiration date",
"as21342",
"as132147",
"china",
"as9808 china",
"body",
"all scoreblue",
"backdoor",
"alf features",
"all search",
"domain",
"as15133 verizon",
"as16552 tiggee",
"url https",
"http",
"hostname",
"ninite",
"united states",
"scan endpoints",
"show",
"showing",
"next",
"united",
"as54113",
"github pages",
"formbook cnc",
"checkin",
"mtb aug",
"a domains",
"class",
"twitter",
"certificate",
"record value",
"pulse pulses",
"overview ip",
"address",
"related nids",
"files location",
"div div",
"github",
"meta",
"homepage",
"form",
"as36459",
"g2 tls",
"rsa sha256",
"as29791",
"dynamicloader",
"medium",
"yara detections",
"dynamic",
"filehash",
"sha256",
"february",
"copy",
"otx telemetry",
"related tags",
"a li",
"span p",
"dj ai",
"dongjun jeong",
"a h2",
"writeups",
"infosec journey",
"script urls",
"netherlands",
"a nxdomain",
"aaaa nxdomain",
"cloudfront",
"trojandropper",
"china unknown",
"msie",
"chrome",
"ipv4",
"noobyprotect",
"files",
"peeringdb",
"sign",
"github copilot",
"view",
"notifications",
"branches tags",
"code issues",
"pull",
"write",
"star",
"code",
"stars",
"python",
"shell",
"footer",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"as62597 nsone",
"dnssec",
"win32mydoom sep",
"windows nt",
"wow64",
"khtml",
"gecko",
"query",
"jpn write",
"e0e8e",
"observed dns",
"expiro",
"defender",
"malware",
"possible",
"suspicious",
"activity dns",
"mtb may",
"sameorigin",
"domain name",
"error",
"moved",
"server",
"mtb sep",
"win32cve sep",
"cloud provider",
"reverse dns",
"america asn",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"pulses",
"default",
"yara rule",
"high",
"cnc checkin",
"cape",
"powershell",
"vmprotect",
"local",
"agent",
"domainabuse",
"su liao",
"zhi pin",
"application",
"expiro malware",
"anomalous file",
"june",
"fakedout threat",
"analyzer paste",
"iocs",
"samples",
"exploit",
"germany unknown",
"as14636",
"russia unknown",
"as9123 timeweb",
"as45102 alibaba",
"as43830",
"read c",
"write c",
"process32nextw",
"regsetvalueexa",
"regdword",
"installcore",
"format",
"delphi",
"stack",
"downloader",
"urls http",
"delete c",
"tls handshake",
"number",
"failure",
"delete",
"ids detections",
"fadok",
"template",
"slcc2",
"media center",
"contacted",
"ollydbg",
"internal",
"simda",
"brian sabey",
"going dark",
"stop",
"as14061",
"hostnames",
"as48287 jsc",
"as50340",
"czechia unknown",
"date"
],
"references": [
"https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088",
"GitHub - peeringdb/peeringdb-py: PeeringDB python client",
"00-skillsetparadesarrollo.zendesk.com",
"https://github.com/peeringdb/peeringdb-py",
"From the lovely Cyber Folks .PL Cover"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Poland",
"Australia",
"Austria",
"Canada",
"Netherlands",
"China"
],
"malware_families": [
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "CVE-2023-4966",
"display_name": "CVE-2023-4966",
"target": null
},
{
"id": "FakeAV.FOR",
"display_name": "FakeAV.FOR",
"target": null
},
{
"id": "TELPER:HSTR:CLEAN:Ninite",
"display_name": "TELPER:HSTR:CLEAN:Ninite",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "Trojan:Win32/Dridex",
"display_name": "Trojan:Win32/Dridex",
"target": "/malware/Trojan:Win32/Dridex"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Malware:AddsCopyToStartup",
"display_name": "Malware:AddsCopyToStartup",
"target": null
},
{
"id": "Trojan:Win32/Cobaltstrike",
"display_name": "Trojan:Win32/Cobaltstrike",
"target": "/malware/Trojan:Win32/Cobaltstrike"
},
{
"id": "ALF:Trojan:Win32/Cassini_6d4ebdc9",
"display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9",
"target": null
},
{
"id": "Trojan:Win32/Startpage",
"display_name": "Trojan:Win32/Startpage",
"target": "/malware/Trojan:Win32/Startpage"
},
{
"id": "Backdoor:Win32/Zegost",
"display_name": "Backdoor:Win32/Zegost",
"target": "/malware/Backdoor:Win32/Zegost"
},
{
"id": "Trojan:Win32/Fanop",
"display_name": "Trojan:Win32/Fanop",
"target": "/malware/Trojan:Win32/Fanop"
},
{
"id": "Trojan:Win32/Neconyd",
"display_name": "Trojan:Win32/Neconyd",
"target": "/malware/Trojan:Win32/Neconyd"
},
{
"id": "Trojan:Win32/Zombie",
"display_name": "Trojan:Win32/Zombie",
"target": "/malware/Trojan:Win32/Zombie"
},
{
"id": "Win.Trojan.Generic-9935365-0",
"display_name": "Win.Trojan.Generic-9935365-0",
"target": null
},
{
"id": "Ninite",
"display_name": "Ninite",
"target": null
},
{
"id": "NoobyProtect",
"display_name": "NoobyProtect",
"target": null
},
{
"id": "TEL:Trojan:Win64/GoCLR",
"display_name": "TEL:Trojan:Win64/GoCLR",
"target": null
},
{
"id": "ALF:HeraklezEval:Ransom:Win32/CVE",
"display_name": "ALF:HeraklezEval:Ransom:Win32/CVE",
"target": null
},
{
"id": "VirTool:Win32/Injector.gen!BQ",
"display_name": "VirTool:Win32/Injector.gen!BQ",
"target": "/malware/VirTool:Win32/Injector.gen!BQ"
}
],
"attack_ids": [
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4891,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2436,
"CVE": 3,
"FileHash-MD5": 2510,
"FileHash-SHA1": 2063,
"FileHash-SHA256": 4054,
"hostname": 1788,
"URL": 1228,
"email": 16
},
"indicator_count": 14098,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 239,
"modified_text": "543 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb4772c3d3ad1f7accc98a",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:53.179000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb476d935dd560b4a3e938",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.380000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb476d0566c2d07e474df5",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.140000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb4768b06f4da2fba5959b",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:44.270000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659560d63178b32f07838efb",
"name": "Covert | Big O Tires active cyber threat | Dark Power | Emotet|",
"description": "Active, ongoing cyber threat, multiple malicious activities including, network rat, ransomware encryption, social engineering, spammers, infostealer, botnet activity.\nConsumers may also be contacted by mail or phone or find account seized. I haven't benn able to properly access the magnitude of the issue, there has been at least a handful of customers in good standing , with higher limits on paid of cards that ended up being stolen or according to Big O Representatives 'closed' for unfounded reasons; failure to confirm citizenship, identity, unknown patriot act offences, failure to comply Big O Tires via mail.",
"modified": "2024-02-02T12:04:41.638000",
"created": "2024-01-03T13:27:50.685000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"unsafeeval",
"path",
"expiressat",
"auto",
"wheels online",
"o tires",
"shop tires",
"html info",
"title shop",
"tires",
"meta tags",
"big o",
"tires language",
"name verdict",
"falcon sandbox",
"samples",
"localappdata",
"json data",
"temp",
"getprocaddress",
"ascii text",
"windir",
"file",
"indicator",
"mitre att",
"ck id",
"factory",
"hybrid",
"model",
"comspec",
"ssl certificate",
"whois record",
"execution",
"contacted",
"historical ssl",
"whois whois",
"simda http",
"collections",
"historical",
"dropped",
"backdoor",
"unknown",
"united",
"asnone",
"show",
"entries",
"search",
"intel",
"ms windows",
"pe32",
"windows nt",
"copy",
"write",
"logic",
"download",
"malware",
"suspicious",
"next",
"destination",
"port",
"components",
"globalnpf",
"china as23724",
"music",
"data c",
"mexico",
"as15169 google",
"passive dns",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"win32",
"united kingdom",
"explorer",
"xserver",
"mtb aug",
"location united",
"america asn",
"open",
"trojan",
"worm",
"dataadobereader",
"as397240",
"msie",
"etpro trojan",
"virgin islands",
"script urls",
"creation date",
"record value",
"date",
"a domains",
"all search",
"otx octoseek",
"url http",
"http",
"related nids",
"pulse http",
"url https",
"files location",
"as20940",
"aaaa",
"as2914 ntt",
"canada unknown",
"japan unknown",
"as16625 akamai",
"domain",
"hostname",
"gmt content",
"gmt report",
"0 report",
"sea alt",
"body",
"encrypt",
"social engineering",
"revenge rat",
"rat",
"identity theft",
"credit card",
"referrer",
"communicating",
"bundled",
"family",
"roots",
"lolkek",
"tzw variants",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"ransomware",
"cobalt strike",
"attack",
"core",
"emotet",
"exploit",
"hacktool",
"mail spammer",
"as63949 linode",
"mtb dec",
"checkin m1",
"trojanspy",
"artro",
"remote",
"infostealer"
],
"references": [
"https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Ukraine",
"Georgia",
"India",
"Hong Kong",
"Canada",
"China",
"Indonesia",
"South Africa",
"Germany",
"Slovenia",
"Mexico",
"Netherlands",
"Japan",
"Spain",
"Argentina",
"France",
"Chile",
"Italy",
"Aruba",
"Switzerland",
"United Kingdom of Great Britain and Northern Ireland",
"Denmark",
"Poland",
"Colombia",
"Taiwan",
"Bulgaria",
"Austria",
"Russian Federation",
"Australia",
"Philippines",
"Norway",
"Sweden"
],
"malware_families": [
{
"id": "Trojan:Win32/Comspec",
"display_name": "Trojan:Win32/Comspec",
"target": "/malware/Trojan:Win32/Comspec"
},
{
"id": "#Lowfi:SCPT:KiraAsciiObfuscator",
"display_name": "#Lowfi:SCPT:KiraAsciiObfuscator",
"target": null
},
{
"id": "Backdoor:Win32/Simda",
"display_name": "Backdoor:Win32/Simda",
"target": "/malware/Backdoor:Win32/Simda"
},
{
"id": "Crypt3.BLXP",
"display_name": "Crypt3.BLXP",
"target": null
},
{
"id": "PWS:Win32/VB.CU",
"display_name": "PWS:Win32/VB.CU",
"target": "/malware/PWS:Win32/VB.CU"
},
{
"id": "Trojan:MSIL/ClipBanker.GB!MTB",
"display_name": "Trojan:MSIL/ClipBanker.GB!MTB",
"target": "/malware/Trojan:MSIL/ClipBanker.GB!MTB"
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Win.Packed.Zusy-7170176-0",
"display_name": "Win.Packed.Zusy-7170176-0",
"target": null
},
{
"id": "Win.Trojan.Zbot-9880005-0",
"display_name": "Win.Trojan.Zbot-9880005-0",
"target": null
},
{
"id": "'Win32:Trojan-gen",
"display_name": "'Win32:Trojan-gen",
"target": null
},
{
"id": "TEL:TrojanDownloader:O97M/MsiexecAbuse",
"display_name": "TEL:TrojanDownloader:O97M/MsiexecAbuse",
"target": null
},
{
"id": "Worm:Win32/Mofksys.B",
"display_name": "Worm:Win32/Mofksys.B",
"target": "/malware/Worm:Win32/Mofksys.B"
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Worm:LOGO/Logic",
"display_name": "Worm:LOGO/Logic",
"target": "/malware/Worm:LOGO/Logic"
},
{
"id": "ETPro Trojan",
"display_name": "ETPro Trojan",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "TrojanSpy:Win32/Swisyn",
"display_name": "TrojanSpy:Win32/Swisyn",
"target": "/malware/TrojanSpy:Win32/Swisyn"
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [
"Telecommunications"
],
"TLP": "green",
"cloned_from": null,
"export_count": 29,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 560,
"FileHash-SHA1": 350,
"FileHash-SHA256": 4371,
"URL": 8165,
"domain": 2548,
"hostname": 2813,
"CVE": 4,
"email": 3
},
"indicator_count": 18814,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "807 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "655dafbe9ac9ac786fde45ad",
"name": "http://malwaredomainlist.com/ \u2022 CNC \u2022 Spyware \u2022 Tracking",
"description": "Network capture, dga domain, ecc domain, data collection, voicemail access, mail spammer, registrar abuse\n\n[Auto populated. I can't cannot confirm or deny the accuracy of the following information: A summary of key facts and information about a malicious web domain, hosted by the US government, has been released by Google.com and its parent company, Alphabet, for use on its website.]",
"modified": "2023-12-22T06:03:01.993000",
"created": "2023-11-22T07:37:34.595000",
"tags": [
"united",
"as22612",
"as2637",
"creation date",
"search",
"moved",
"expiration date",
"date",
"showing",
"as397240",
"next",
"entries",
"scan endpoints",
"all octoseek",
"dns replication",
"win32 exe",
"network capture",
"android",
"android adaway",
"html",
"files",
"detections type",
"name",
"office open",
"xml document",
"namecheap",
"namecheap inc",
"whois lookups",
"win32 dll",
"text",
"wextract",
"text htaccess",
"powershell",
"detection list",
"blacklist",
"first",
"ssl certificate",
"whois record",
"contacted",
"december",
"whois whois",
"threat roundup",
"historical ssl",
"problems",
"referrer",
"pe resource",
"startpage",
"cyber threat",
"redline stealer",
"mail spammer",
"hostname",
"phishing site",
"malicious site",
"installcore",
"http spammer",
"malware site",
"malware",
"generic malware",
"heur",
"generic",
"alexa top",
"million",
"site",
"cisco umbrella",
"alexa",
"ip address",
"algorithm",
"data",
"v3 serial",
"number",
"cat cnzerossl",
"ecc domain",
"secure site",
"ca ozerossl",
"validity",
"subject public",
"server",
"email",
"code",
"registrar abuse",
"country",
"privacy service",
"withheld",
"privacy",
"domain name",
"pattern match",
"ascii text",
"appdata",
"file",
"windows nt",
"svg scalable",
"vector graphics",
"indicator",
"gif image",
"accept",
"hybrid",
"general",
"local",
"pixel",
"click",
"twitter",
"strings",
"class",
"generator",
"critical",
"command_and_control",
"spyware",
"tracking",
"voicemail access",
"dga",
"apple"
],
"references": [
"https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e",
"\u2193Interesting\u2193",
"IPv4 198.54.117.211 command_and_control",
"IPv4 198.54.117.210 command_and_control",
"IPv4 198.54.117.212 command_and_control",
"IPv4 198.54.117.215 command_and_control",
"IPv4 198.54.117.217 command_and_control",
"IPv4 198.54.117.218 command_and_control",
"apple-securityiphone-icloud.com",
"tx-p2p-pull.video-voip.com.dorm.com",
"http://updates.voicemailaccess.net/b0f6a00b15311023",
"tvapp-server.de",
"zeustracker.abuse.ch",
"ransomwaretracker.abuse.ch",
"http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid",
"louisianarooflawyers.com [phishing]",
"hasownproperty.call"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 51,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 105,
"FileHash-SHA1": 100,
"FileHash-SHA256": 3072,
"domain": 1188,
"email": 5,
"URL": 7940,
"hostname": 1925,
"CVE": 1
},
"indicator_count": 14336,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "849 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "cdn-webcloud.com",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "cdn-webcloud.com",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776654572.3842704
}