{ "type": "Domain", "indicator": "cisco.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cisco.com", "alexa": "http://www.alexa.com/siteinfo/cisco.com", "indicator": "cisco.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "akamai", "message": "Akamai rank: #266", "name": "Akamai Popular Domain" }, { "source": "alexa", "message": "Alexa rank: #918", "name": "Listed on Alexa" }, { "source": "majestic", "message": "Whitelisted domain cisco.com", "name": "Whitelisted domain" }, { "source": "whitelist", "message": "Whitelisted domain cisco.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 1562142100, "indicator": "cisco.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T12:02:15.044000", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 5 }, "indicator_count": 18414, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03fda242b90bf795becbec", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:02.327000", "created": "2026-05-13T04:27:14.063000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA256": 125, "URL": 137, "domain": 434, "hostname": 200, "FileHash-SHA1": 23, "Mutex": 1, "IPv4": 235, "CVE": 9, "email": 4, "IPv6": 3 }, "indicator_count": 1187, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695089cbedad5c86f39b1363", "name": "Tracking Domains 03.03.26 (Updated Test)", "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.", "modified": "2026-04-05T06:35:43.679000", "created": "2025-12-28T01:37:15.993000", "tags": [ "privacy badger", "sites general", "settings widget", "domains manage", "data privacy", "badger", "hide" ], "references": [ "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b", "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary", "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark", "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50404, "hostname": 10879, "URL": 715, "FileHash-MD5": 1 }, "indicator_count": 61999, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "56 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a4ad960c7470cdc5dc9fb9", "name": "CVE-2026-20127", "description": "", "modified": "2026-04-01T00:44:45.494000", "created": "2026-03-01T21:20:22.423000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 263, "hostname": 495, "FileHash-MD5": 832, "FileHash-SHA1": 789, "FileHash-SHA256": 2879, "URL": 70, "email": 14 }, "indicator_count": 5346, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a185462e3c17c346bcdf79", "name": "The Trans-Pacific Mesh & Starfield Pipeline Subversion", "description": "The September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirm an advanced architectural alignment targeting the Hillsboro \"Silicon Forest\" ring and the TallComponents (.NET) document pipeline. By nesting an unauthorized clientAuth extension within a legitimate Starfield (Mesh Digital) signature, the operative successfully bridged the gap between web traffic and hardware-level telematics.\nThis campaign weaponized the 159,942 Majestic Trust Flow to validate a Serial 1 SOA shadow zone, neutralizing filters while executing ASP.NET Core (Kestrel) request smuggling via the 13.32.205.51 node. This subversion is evidenced by the 60-second TTL oscillation of 3.169.202.x clusters, creating a detectable \"fast-flux\" latency at the HIO52 (Hillsboro) edge. Finally, the Mesh Digital registrant pivot to hex-encoded 34326... and 1f8f41... identifiers secures the Tallfield Pipeline\u2014a hijacked Azure-hosted backend for identity packaging of Amex and UGA credentials.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T11:51:34.696000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 710, "URL": 355, "hostname": 252, "CVE": 4, "CIDR": 6, "FileHash-MD5": 615, "FileHash-SHA1": 585, "email": 21, "FileHash-SHA256": 4316, "SSLCertFingerprint": 2 }, "indicator_count": 6866, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a1702ccff0b6afd6c01180", "name": "Strategic Intel Brief: The \"Shadow Corridor\" Persistence", "description": "The forensic convergence of the September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirms a high-fidelity infrastructure alignment targeting the Port of Portland\u2019s aviation assets. By embedding an unauthorized clientAuth extension within a legitimate Amazon RSA signature, the adversary bridged the gap between web traffic and hardware-level telematics, facilitating a sophisticated identity packaging campaign. This operation leveraged the 159,942 Majestic Trust Rank to validate a Serial 1 SOA shadow zone, utilizing ASP.NET Core request smuggling via the 13.32.205.51 node to maintain a low-noise presence across the PDX-HIO-TTD corridor. This alignment is evidenced by the 60-second TTL rotation of 3.169.202.x collection nodes, while the Network Solutions registrant shift to the hex-encoded 3432650ec... ID provides the final administrative anchor for the 2031 lease.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T10:21:32.721000", "tags": [ "a div", "div div", "click", "span", "class", "travelers span", "div language", "cultureen", "english", "culturees", "title", "main" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 20, "URL": 225, "domain": 375, "hostname": 315, "email": 20, "FileHash-SHA256": 122, "CVE": 18 }, "indicator_count": 1110, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699e98024aa93957a620e117", "name": "Cellbrite Domain Irregularities", "description": "The domain displays a \"hardened\" posture typical of high-value targets, though some indicators suggest potential misconfigurations or recent shifts in ownership/management. The domain utilizes multiple clientProhibited flags (Transfer, Update, Delete). This is a \"Registry Lock\" equivalent, ensuring no changes can be made without out-of-band authentication.\n\nExpiration Discrepancy: * Domain Expiration: Feb 24, 2026. (yesterday)\n\nSSL Certificate Validity: April 2026.\nresearcher observations: It is highly irregular for a certificate to outlast the domain registration. This often points to a \"just-in-time\" renewal process or a domain that was recently recovered. Furthermore, the reliance on ParkLogic nameservers indicates a sophisticated approach to traffic routing, likely for load balancing or threat mitigation. Delegation signed: No - Expiration Yesterday (entered 1:32est 2/25/26)", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-25T06:34:42.619000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 431, "hostname": 1625, "FileHash-SHA1": 661, "FileHash-SHA256": 4617, "URL": 359, "FileHash-MD5": 635, "CVE": 43, "email": 22, "CIDR": 6 }, "indicator_count": 8399, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69787dfb890a7099f344356f", "name": "Emergency Patch Released for Microsoft Office Zero - Day Vulnerability", "description": "A recently discovered zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509, has prompted an out-of-band security patch from Microsoft. This high-severity vulnerability carries a CVSS score of 7.8 out of 10.0 and is described as a security feature bypass in Microsoft Office, allowing unauthorized attackers to bypass a security feature locally. The vulnerability affects Microsoft Office 2016 and 2019, as well as Microsoft 365, and can be exploited by sending a specially crafted Of...", "modified": "2026-01-27T08:57:31.646000", "created": "2026-01-27T08:57:31.646000", "tags": [ "initial-access", "execution", "privilege-escalation", "T1190", "T1204", "high", "vta", "threat-intelligence" ], "references": [ "https://www.cisa.gov/news-events/alerts/2026/01/26/cisa-adds-five-known-exploited-vulnerabilities-catalog", "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 20, "FileHash-SHA1": 4, "FileHash-SHA256": 1, "domain": 12, "hostname": 15 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694f0aa090aedc7e498b2e9a", "name": "Qakbot | *NEW Malware found and analyzed \u2022 IRS", "description": "IRS.GOV We have run several test on multiple machines/ devices PC , MacBook , iPhone , Android, Desktop hoping for better results. I believe proximity of most of the devices were well distanced , but have doubts. For this test IRS. GOV redirects payments to sawww4. or sa.www4. web addresses (example: 2fsa.www4.irs.gov) that now reads (connection error) during research. Pages still exist and will not process information. Still threatens levy no matter what (legal) information is entered. \n\nI\u2019m aware of Trump IRS proposals for 2026. The issue is taxpayers are being directed to alleged IRS employees or in person licensed CPA\u2019s. \n(sa. prefix Saudi Arabia?) SA. could be a prefix for anything including South Africa.", "modified": "2026-01-25T21:03:27.507000", "created": "2025-12-26T22:22:24.480000", "tags": [ "related tags", "none google", "win32", "united", "united states", "irs", "qakbot", "qbot", "inject", "keylogger", "botx", "active", "bot network", "et trojan", "hello ssl", "destination", "port", "unknown", "ciphersuite", "sessionid", "asnone", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "brazil as16625", "akamai", "united kingdom", "dynamicloader", "medium", "tls handshake", "failure", "yara rule", "high", "cape", "guard", "error", "delphi", "qakbot", "tlsv1", "entries", "iobit unikstall", "global", "read c", "rgba", "unicode", "memcommit", "delete", "msie", "windows nt", "next", "dock", "execution", "server header", "download", "suspicious", "specified", "logic", "web products", "present nov", "present dec", "present jun", "present oct", "present may", "aaaa", "next associated", "urls show", "scheme", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "ascii text", "pattern match", "href", "mitre att", "ck id", "show technique", "ck matrix", "beginstring", "show process", "null", "refresh", "span", "hybrid", "general", "local", "path", "iframe", "click", "strings", "tools", "title", "look", "verify", "restart", "learn", "command", "name tactics", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "adult content", "lol fun hackers" ], "references": [ "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware", "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]", "Pandex!gen1 Web Products", "Crypt3.BXVC IDS: Suspicious double Server Header", "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure", "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin", "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)", "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header", "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain", "Crypt3.BXVC IDS: Executable Download from dotted-quad Host", "Crypt3.BXVC IDS: Abuseat.org Block Message", "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP", "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP", "Crypt3.BXVC IDS: Headers - Potential Second Stage Download", "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http", "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp", "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada", "Brazil", "Ireland", "India", "Georgia", "Singapore", "Spain", "Japan" ], "malware_families": [ { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Win.Keylogger.Qbot-9987768-0", "display_name": "Win.Keylogger.Qbot-9987768-0", "target": null }, { "id": "Win.Trojan.Qakbot-9988002-1", "display_name": "Win.Trojan.Qakbot-9988002-1", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Web Products", "display_name": "Web Products", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Finance", "Government", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 158, "URL": 140, "hostname": 287, "FileHash-SHA256": 85, "FileHash-MD5": 110, "FileHash-SHA1": 77, "SSLCertFingerprint": 8 }, "indicator_count": 865, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "125 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b61e16cea7624a6606a69", "name": "For Later", "description": "***", "modified": "2025-11-17T18:46:19.094000", "created": "2025-11-17T17:56:49.875000", "tags": [ "wormhole", "want", "sign", "submit send", "copy", "share show", "report delete", "faq roadmap", "security legal", "twitter discord", "protected" ], "references": [ "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 72127, "hostname": 16700, "URL": 50 }, "indicator_count": 88877, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66cec16f4b510d325dc923a1", "name": "192.70.175.110 - ELF:Hajime-Q _ Mirai Botnet Malware", "description": "Private IP 192.70.175.110 | Reverse DNS\ndns1.state.co.us showed Mirai Bonet Malware. Under same IP address is an 'alleged' unknown REGRU-RU Passive DNS ns1.ns2.www.madunixxx.ru with a password compromise \u00bb PSW.Generic12.WIO. \nIt's unclear if a Frank Muccio Admin of Security Operations doesn't appear to work on premise in Colorado, There is a Frank Di Muccio SGT involved with RallyPoint, , described as a social group for military personal. Rally Point was seen in very early graphs featuring alleged Rallypoint Pornhub Devs, tied to Brian Sabey. I wasn't able to personally verify this employee in Colorado Possibly contracted OIT by state . The link was recently whitelisted.", "modified": "2024-09-27T03:03:09.340000", "created": "2024-08-28T06:19:27.154000", "tags": [ "as36081 state", "location united", "america asn", "dns resolutions", "domains top", "level", "unique tlds", "mirai", "united states", "united", "ave suite", "purpose p5", "country united", "code us", "name security", "nexus category", "phone number", "postal code", "network", "number", "country us", "continent na", "algorithm", "data", "v3 serial", "cus oapple", "public ev", "server ecc", "g1 validity", "organization", "subject public", "rauschenberg", "apple computer", "applec1z", "mitre att", "evasion ta0005", "hashes", "msie", "windows nt", "wow64", "slcc2", "media center", "response", "request", "accept", "location https", "taiwan as3462", "south korea", "as4766 korea", "high", "japan as17676", "china as45090", "http", "search", "contacted", "malware", "copy", "as41231", "united kingdom", "status", "aaaa", "ddos", "whitelisted", "certificate", "moved", "trojan", "virtool", "encrypt", "software", "initial", "passive dns", "scan endpoints", "all scoreblue", "body", "a domains", "linux ubuntu", "creation date", "enterprise open", "ubuntu", "linux", "social", "window", "code", "ipv4", "urls", "files", "reverse dns", "trojan features", "file samples", "files matching", "date hash", "domain", "address", "name servers", "servers", "intel", "icmp traffic", "dead_host", "network_icmp", "osquery_detection", "nolookup_communication", "pulse pulses", "unknown", "as20940", "as15169 google", "dns show", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "province co", "error", "tr tr", "pulse submit", "url analysis", "hostname", "files ip", "asnone united", "ireland unknown", "brazil unknown", "next", "showing", "gmt content", "apache cache", "pragma", "record value", "trojanproxy", "win32", "title", "server", "alf features", "related pulses", "show", "ip address", "asn as16509", "china unknown", "hichina", "hong kong", "as133775 xiamen", "web server", "authentication", "tls web", "full name", "ca issuers", "as44273 host", "a nxdomain", "avast avg", "russia unknown", "germany unknown", "turkey unknown", "japan unknown", "as16276", "france unknown", "service", "ck ids", "t1082", "t1129", "modules", "t1045", "packing", "t1060", "run keys", "startup" ], "references": [ "IP Private: 192.70.174.110 | Unix.Trojan.Mirai-6976991-0", "Unix.Trojan.Mirai-6976991-0 FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9 ELF:Mirai-AHC\\ [Trj]", "192.70.175.110 | Mirai | Reverse DNS | State.CO.US | United States of America ASN AS36081 State of Colorado General Government Computer | ns1.ns2.www.madunixxx.ru", "Yara: Mirai_Botnet_Malware", "ELF:Mirai-AHC\\ [Trj] FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c", "ELF:Mirai-AHC\\ [Trj] 1.101.117.25 Location: Korea, Republic Korea, Republic of ASN AS4766 Korea Telecom", "Admin Email: frank.muccio@state.co.us Admin Id: FRANMUC15 Admin of Security Operations Admin: Nexus Category: C21", "FRANMUC15 Phone Number: +1.3037646860 601 E 18th Ave Suite 250 80203 ,CO", "Not Resolving | www._courts.state.co.us | https://otx.alienvault.com/indicator/hostname/www._courts.state.co.us", "54.239.28.85 | Exploited CVE-2002-0013 Antivirus Detections: Trojan:Win32/FlyStudio Win.Malware.Snojan Win.Trojan.Tofsee [fld8.com unk/0auth]", "PSW.Generic12.WIO | [ns1.ns2.www.madunixxx.ru] FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a", "PSW.Generic12.WIO \u00bb FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a | ns1.ns2.www.madunixxx.ru", "192.70.175.110 [2016-07-10 10] 197.45.77.34 MADUNIXXX.RU 197.45.85.125 Registrar:REGRU-RU Status\u00bbREGISTERED, DELEGATED, VERIFIED Passive", "madunixxx.ru | 192.70.175.110 | AS36081 State of Colorado General Government Computer Name Servers: ns1.madunixxx.ru Created: Jun 19, 2016", "privaterelay.appleid.com | http://certs.apple.com/apevsecc1g1.der | certs.apple.com | http://crl.apple.com/apevsecc1g1.crl | ocsp.apple.com", "images.apple.com | crl.apple.com | https://assets.ubuntu.com/v1/17b68252 | ads-apple.com.cn | networking.apple | ads-apple.apple.com.cn |", "ip-geolocation.apple.com | http://ocsp.apple.com/ocsp03-apevsecc1g101 | docs-staging.swift.org | drauschenberg@apple.com | apple-noc@apple.com", "Yara Detections Mirai_Botnet_Malware", "Detections Executable and linking format (ELF) file download Over HTTP", "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]", "Detections Executable and linking format (ELF) file download Over HTTP", "Frank Muccio - Serco Conroe, Texas, United States \u00b7 Serco 28+ Years of Information Technology (IT) experience. 20+ Years of leadership and\u2026 \u00b7 Experience: Serco \u00b7 Education: University of Maryland University College" ], "public": 1, "adversary": "Frank Di MuccioSGT", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "DDoS:Linux/Lightaidra", "display_name": "DDoS:Linux/Lightaidra", "target": "/malware/DDoS:Linux/Lightaidra" }, { "id": "Trojan:Win32/Skeeyah", "display_name": "Trojan:Win32/Skeeyah", "target": "/malware/Trojan:Win32/Skeeyah" }, { "id": "ALF:Trojan:Win32/FlyStudio.PA!MTB", "display_name": "ALF:Trojan:Win32/FlyStudio.PA!MTB", "target": null }, { "id": "Win.Trojan.Tofsee-6840338-0", "display_name": "Win.Trojan.Tofsee-6840338-0", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "PSW.Generic12.WIO", "display_name": "PSW.Generic12.WIO", "target": null }, { "id": "ELF:Hajime-Q", "display_name": "ELF:Hajime-Q", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1601", "name": "Modify System Image", "display_name": "T1601 - Modify System Image" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1078.001", "name": "Default Accounts", "display_name": "T1078.001 - Default Accounts" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [ "Telecommunications", "Government", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1108, "hostname": 627, "domain": 628, "URL": 534, "FileHash-MD5": 377, "FileHash-SHA1": 373, "email": 12, "CIDR": 2, "SSLCertFingerprint": 2 }, "indicator_count": 3663, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b0fa3624bf0384e427f2e7", "name": "Tracking Domains 4.2 - 08.19.24", "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 suggests IOCs by AlienVault\nFrom VT: 2 IPs hosted by 45090 (Shenzhen Tencent Computer Systems Company Limited) & 4611 (CNNIC member) seem to be the problem here 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (Respectively)", "modified": "2024-09-04T15:01:01.432000", "created": "2024-08-05T16:13:42.563000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph", "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark", "https://viz.greynoise.io/query/AS4611", "https://urlscan.io/asn/AS4611", "https://urlscan.io/search/#asn:%22AS4611%22", "https://urlscan.io/asn/AS45090", "https://urlscan.io/search/#asn%3A%22AS45090%22", "https://viz.greynoise.io/query/AS45090", "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions", "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour", "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)", "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6180, "FileHash-MD5": 1, "domain": 24921, "URL": 10854 }, "indicator_count": 41956, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66269b1f33258a8e26033b17", "name": "Tracking Domains - Part 4.1", "description": "More Tracking Domains", "modified": "2024-08-30T13:02:28.335000", "created": "2024-04-22T17:15:11.398000", "tags": [ "Tracking Domains" ], "references": [ "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs", "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark", "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 94496, "FileHash-MD5": 63, "domain": 112327, "URL": 166918, "FileHash-SHA1": 33, "FileHash-SHA256": 103, "CIDR": 216 }, "indicator_count": 374156, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "639 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66269b204ecfba63974dc1d8", "name": "Tracking Domains - Part 4", "description": "More Tracking Domains", "modified": "2024-05-22T17:04:45.215000", "created": "2024-04-22T17:15:12.353000", "tags": [ "Tracking Domains" ], "references": [ "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs", "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 792, "FileHash-MD5": 1, "domain": 5803, "URL": 2 }, "indicator_count": 6598, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f15030e45840824f55077", "name": "www.envoyproxy.io", "description": "", "modified": "2023-10-30T02:29:23.078000", "created": "2023-10-30T02:29:23.078000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65190c2a70ef9ab1e96e035a", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 540, "domain": 372, "CVE": 7, "URL": 586, "email": 25, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 2021 }, "indicator_count": 4351, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "944 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65190c2a70ef9ab1e96e035a", "name": "www.envoyproxy.io", "description": "", "modified": "2023-10-01T06:05:30.167000", "created": "2023-10-01T06:05:30.167000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e51289d6c001f2ab94eb67", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 540, "domain": 372, "CVE": 7, "URL": 586, "email": 25, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 2021 }, "indicator_count": 4351, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "973 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e51289d6c001f2ab94eb67", "name": "www.envoyproxy.io", "description": "", "modified": "2023-09-24T00:00:49.866000", "created": "2023-08-22T19:54:49.515000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 540, "domain": 372, "CVE": 7, "URL": 586, "email": 25, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 2021 }, "indicator_count": 4351, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "980 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e79746fce8c23d601a8256", "name": "www.envoyproxy.io (by ellenmmm)", "description": "", "modified": "2023-09-23T00:03:13.532000", "created": "2023-08-24T17:45:42.222000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e51289d6c001f2ab94eb67", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 445, "domain": 311, "CVE": 7, "URL": 459, "email": 17, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 2001 }, "indicator_count": 4040, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "981 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary", "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions", "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain", "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark", "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "Yara Detections Mirai_Botnet_Malware", "192.70.175.110 [2016-07-10 10] 197.45.77.34 MADUNIXXX.RU 197.45.85.125 Registrar:REGRU-RU Status\u00bbREGISTERED, DELEGATED, VERIFIED Passive", "ip-geolocation.apple.com | http://ocsp.apple.com/ocsp03-apevsecc1g101 | docs-staging.swift.org | drauschenberg@apple.com | apple-noc@apple.com", "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs", "Crypt3.BXVC IDS: Executable Download from dotted-quad Host", "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark", "Frank Muccio - Serco Conroe, Texas, United States \u00b7 Serco 28+ Years of Information Technology (IT) experience. 20+ Years of leadership and\u2026 \u00b7 Experience: Serco \u00b7 Education: University of Maryland University College", "Pandex!gen1 Web Products", "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]", "https://urlscan.io/search/#asn:%22AS4611%22", "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]", "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)", "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http", "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview", "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "images.apple.com | crl.apple.com | https://assets.ubuntu.com/v1/17b68252 | ads-apple.com.cn | networking.apple | ads-apple.apple.com.cn |", "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs", "https://viz.greynoise.io/query/AS45090", "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware", "Crypt3.BXVC IDS: Abuseat.org Block Message", "madunixxx.ru | 192.70.175.110 | AS36081 State of Colorado General Government Computer Name Servers: ns1.madunixxx.ru Created: Jun 19, 2016", "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)", "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour", "IP Private: 192.70.174.110 | Unix.Trojan.Mirai-6976991-0", "https://urlscan.io/search/#asn%3A%22AS45090%22", "Not Resolving | www._courts.state.co.us | https://otx.alienvault.com/indicator/hostname/www._courts.state.co.us", "192.70.175.110 | Mirai | Reverse DNS | State.CO.US | United States of America ASN AS36081 State of Colorado General Government Computer | ns1.ns2.www.madunixxx.ru", "FRANMUC15 Phone Number: +1.3037646860 601 E 18th Ave Suite 250 80203 ,CO", "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP", "Crypt3.BXVC IDS: Headers - Potential Second Stage Download", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph", "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark", "ELF:Mirai-AHC\\ [Trj] FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c", "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure", "54.239.28.85 | Exploited CVE-2002-0013 Antivirus Detections: Trojan:Win32/FlyStudio Win.Malware.Snojan Win.Trojan.Tofsee [fld8.com unk/0auth]", "privaterelay.appleid.com | http://certs.apple.com/apevsecc1g1.der | certs.apple.com | http://crl.apple.com/apevsecc1g1.crl | ocsp.apple.com", "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551", "Crypt3.BXVC IDS: Suspicious double Server Header", "PSW.Generic12.WIO \u00bb FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a | ns1.ns2.www.madunixxx.ru", "Admin Email: frank.muccio@state.co.us Admin Id: FRANMUC15 Admin of Security Operations Admin: Nexus Category: C21", "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af", "ELF:Mirai-AHC\\ [Trj] 1.101.117.25 Location: Korea, Republic Korea, Republic of ASN AS4766 Korea Telecom", "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin", "https://urlscan.io/asn/AS4611", "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be", "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp", "PSW.Generic12.WIO | [ns1.ns2.www.madunixxx.ru] FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a", "Unix.Trojan.Mirai-6976991-0 FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9 ELF:Mirai-AHC\\ [Trj]", "https://viz.greynoise.io/query/AS4611", "https://www.cisa.gov/news-events/alerts/2026/01/26/cisa-adds-five-known-exploited-vulnerabilities-catalog", "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b", "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary", "Detections Executable and linking format (ELF) file download Over HTTP", "https://urlscan.io/asn/AS45090", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs", "Yara: Mirai_Botnet_Malware", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509", "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP", "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header", "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Frank Di MuccioSGT" ], "malware_families": [ "Ddos:linux/lightaidra", "Et", "Win.malware.snojan-6775202-0", "Mirai", "#lowfienabledtcontinueafterunpacking", "Trojan:win32/skeeyah", "Win.keylogger.qbot-9987768-0", "Alf:trojan:win32/flystudio.pa!mtb", "Pandex!gen1", "Elf:hajime-q", "Psw.generic12.wio", "Botnet", "Win.trojan.tofsee-6840338-0", "Win32:botx-gen\\ [trj]", "Web products", "Win.trojan.qakbot-9988002-1", "Inject2.bive", "Crypt3.bxvc" ], "industries": [ "Civilian society", "Telecommunications", "Technology", "Government", "Healthcare", "Irs", "Finance", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T12:02:15.044000", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 5 }, "indicator_count": 18414, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03fda242b90bf795becbec", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:02.327000", "created": "2026-05-13T04:27:14.063000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA256": 125, "URL": 137, "domain": 434, "hostname": 200, "FileHash-SHA1": 23, "Mutex": 1, "IPv4": 235, "CVE": 9, "email": 4, "IPv6": 3 }, "indicator_count": 1187, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695089cbedad5c86f39b1363", "name": "Tracking Domains 03.03.26 (Updated Test)", "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.", "modified": "2026-04-05T06:35:43.679000", "created": "2025-12-28T01:37:15.993000", "tags": [ "privacy badger", "sites general", "settings widget", "domains manage", "data privacy", "badger", "hide" ], "references": [ "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b", "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary", "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark", "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50404, "hostname": 10879, "URL": 715, "FileHash-MD5": 1 }, "indicator_count": 61999, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "56 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a4ad960c7470cdc5dc9fb9", "name": "CVE-2026-20127", "description": "", "modified": "2026-04-01T00:44:45.494000", "created": "2026-03-01T21:20:22.423000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 263, "hostname": 495, "FileHash-MD5": 832, "FileHash-SHA1": 789, "FileHash-SHA256": 2879, "URL": 70, "email": 14 }, "indicator_count": 5346, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a185462e3c17c346bcdf79", "name": "The Trans-Pacific Mesh & Starfield Pipeline Subversion", "description": "The September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirm an advanced architectural alignment targeting the Hillsboro \"Silicon Forest\" ring and the TallComponents (.NET) document pipeline. By nesting an unauthorized clientAuth extension within a legitimate Starfield (Mesh Digital) signature, the operative successfully bridged the gap between web traffic and hardware-level telematics.\nThis campaign weaponized the 159,942 Majestic Trust Flow to validate a Serial 1 SOA shadow zone, neutralizing filters while executing ASP.NET Core (Kestrel) request smuggling via the 13.32.205.51 node. This subversion is evidenced by the 60-second TTL oscillation of 3.169.202.x clusters, creating a detectable \"fast-flux\" latency at the HIO52 (Hillsboro) edge. Finally, the Mesh Digital registrant pivot to hex-encoded 34326... and 1f8f41... identifiers secures the Tallfield Pipeline\u2014a hijacked Azure-hosted backend for identity packaging of Amex and UGA credentials.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T11:51:34.696000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 710, "URL": 355, "hostname": 252, "CVE": 4, "CIDR": 6, "FileHash-MD5": 615, "FileHash-SHA1": 585, "email": 21, "FileHash-SHA256": 4316, "SSLCertFingerprint": 2 }, "indicator_count": 6866, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a1702ccff0b6afd6c01180", "name": "Strategic Intel Brief: The \"Shadow Corridor\" Persistence", "description": "The forensic convergence of the September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirms a high-fidelity infrastructure alignment targeting the Port of Portland\u2019s aviation assets. By embedding an unauthorized clientAuth extension within a legitimate Amazon RSA signature, the adversary bridged the gap between web traffic and hardware-level telematics, facilitating a sophisticated identity packaging campaign. This operation leveraged the 159,942 Majestic Trust Rank to validate a Serial 1 SOA shadow zone, utilizing ASP.NET Core request smuggling via the 13.32.205.51 node to maintain a low-noise presence across the PDX-HIO-TTD corridor. This alignment is evidenced by the 60-second TTL rotation of 3.169.202.x collection nodes, while the Network Solutions registrant shift to the hex-encoded 3432650ec... ID provides the final administrative anchor for the 2031 lease.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T10:21:32.721000", "tags": [ "a div", "div div", "click", "span", "class", "travelers span", "div language", "cultureen", "english", "culturees", "title", "main" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 20, "URL": 225, "domain": 375, "hostname": 315, "email": 20, "FileHash-SHA256": 122, "CVE": 18 }, "indicator_count": 1110, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699e98024aa93957a620e117", "name": "Cellbrite Domain Irregularities", "description": "The domain displays a \"hardened\" posture typical of high-value targets, though some indicators suggest potential misconfigurations or recent shifts in ownership/management. The domain utilizes multiple clientProhibited flags (Transfer, Update, Delete). This is a \"Registry Lock\" equivalent, ensuring no changes can be made without out-of-band authentication.\n\nExpiration Discrepancy: * Domain Expiration: Feb 24, 2026. (yesterday)\n\nSSL Certificate Validity: April 2026.\nresearcher observations: It is highly irregular for a certificate to outlast the domain registration. This often points to a \"just-in-time\" renewal process or a domain that was recently recovered. Furthermore, the reliance on ParkLogic nameservers indicates a sophisticated approach to traffic routing, likely for load balancing or threat mitigation. Delegation signed: No - Expiration Yesterday (entered 1:32est 2/25/26)", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-25T06:34:42.619000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 431, "hostname": 1625, "FileHash-SHA1": 661, "FileHash-SHA256": 4617, "URL": 359, "FileHash-MD5": 635, "CVE": 43, "email": 22, "CIDR": 6 }, "indicator_count": 8399, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69787dfb890a7099f344356f", "name": "Emergency Patch Released for Microsoft Office Zero - Day Vulnerability", "description": "A recently discovered zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509, has prompted an out-of-band security patch from Microsoft. This high-severity vulnerability carries a CVSS score of 7.8 out of 10.0 and is described as a security feature bypass in Microsoft Office, allowing unauthorized attackers to bypass a security feature locally. The vulnerability affects Microsoft Office 2016 and 2019, as well as Microsoft 365, and can be exploited by sending a specially crafted Of...", "modified": "2026-01-27T08:57:31.646000", "created": "2026-01-27T08:57:31.646000", "tags": [ "initial-access", "execution", "privilege-escalation", "T1190", "T1204", "high", "vta", "threat-intelligence" ], "references": [ "https://www.cisa.gov/news-events/alerts/2026/01/26/cisa-adds-five-known-exploited-vulnerabilities-catalog", "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 20, "FileHash-SHA1": 4, "FileHash-SHA256": 1, "domain": 12, "hostname": 15 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694f0aa090aedc7e498b2e9a", "name": "Qakbot | *NEW Malware found and analyzed \u2022 IRS", "description": "IRS.GOV We have run several test on multiple machines/ devices PC , MacBook , iPhone , Android, Desktop hoping for better results. I believe proximity of most of the devices were well distanced , but have doubts. For this test IRS. GOV redirects payments to sawww4. or sa.www4. web addresses (example: 2fsa.www4.irs.gov) that now reads (connection error) during research. Pages still exist and will not process information. Still threatens levy no matter what (legal) information is entered. \n\nI\u2019m aware of Trump IRS proposals for 2026. The issue is taxpayers are being directed to alleged IRS employees or in person licensed CPA\u2019s. \n(sa. prefix Saudi Arabia?) SA. could be a prefix for anything including South Africa.", "modified": "2026-01-25T21:03:27.507000", "created": "2025-12-26T22:22:24.480000", "tags": [ "related tags", "none google", "win32", "united", "united states", "irs", "qakbot", "qbot", "inject", "keylogger", "botx", "active", "bot network", "et trojan", "hello ssl", "destination", "port", "unknown", "ciphersuite", "sessionid", "asnone", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "brazil as16625", "akamai", "united kingdom", "dynamicloader", "medium", "tls handshake", "failure", "yara rule", "high", "cape", "guard", "error", "delphi", "qakbot", "tlsv1", "entries", "iobit unikstall", "global", "read c", "rgba", "unicode", "memcommit", "delete", "msie", "windows nt", "next", "dock", "execution", "server header", "download", "suspicious", "specified", "logic", "web products", "present nov", "present dec", "present jun", "present oct", "present may", "aaaa", "next associated", "urls show", "scheme", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "ascii text", "pattern match", "href", "mitre att", "ck id", "show technique", "ck matrix", "beginstring", "show process", "null", "refresh", "span", "hybrid", "general", "local", "path", "iframe", "click", "strings", "tools", "title", "look", "verify", "restart", "learn", "command", "name tactics", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "adult content", "lol fun hackers" ], "references": [ "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware", "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]", "Pandex!gen1 Web Products", "Crypt3.BXVC IDS: Suspicious double Server Header", "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure", "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin", "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)", "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header", "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain", "Crypt3.BXVC IDS: Executable Download from dotted-quad Host", "Crypt3.BXVC IDS: Abuseat.org Block Message", "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP", "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP", "Crypt3.BXVC IDS: Headers - Potential Second Stage Download", "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http", "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp", "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada", "Brazil", "Ireland", "India", "Georgia", "Singapore", "Spain", "Japan" ], "malware_families": [ { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Win.Keylogger.Qbot-9987768-0", "display_name": "Win.Keylogger.Qbot-9987768-0", "target": null }, { "id": "Win.Trojan.Qakbot-9988002-1", "display_name": "Win.Trojan.Qakbot-9988002-1", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Web Products", "display_name": "Web Products", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Finance", "Government", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 158, "URL": 140, "hostname": 287, "FileHash-SHA256": 85, "FileHash-MD5": 110, "FileHash-SHA1": 77, "SSLCertFingerprint": 8 }, "indicator_count": 865, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "125 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b61e16cea7624a6606a69", "name": "For Later", "description": "***", "modified": "2025-11-17T18:46:19.094000", "created": "2025-11-17T17:56:49.875000", "tags": [ "wormhole", "want", "sign", "submit send", "copy", "share show", "report delete", "faq roadmap", "security legal", "twitter discord", "protected" ], "references": [ "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 72127, "hostname": 16700, "URL": 50 }, "indicator_count": 88877, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cisco.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cisco.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780258877.8036642 }