{ "type": "Domain", "indicator": "cloudwaysapps.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cloudwaysapps.com", "alexa": "http://www.alexa.com/siteinfo/cloudwaysapps.com", "indicator": "cloudwaysapps.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain cloudwaysapps.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 1607626682, "indicator": "cloudwaysapps.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e453480756c42b4560d9ee", "name": "DugganUSA Threat Intel 2026-04-19 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-19T04:00:08.264000", "created": "2026-04-19T04:00:08.264000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Hong Kong", "Korea, Republic of", "Brazil", "Germany", "Japan", "China", "Iceland", "Poland", "Netherlands", "Sweden", "Bulgaria", "Mexico", "Australia", "Norway", "Switzerland", "Italy", "Ireland", "Canada", "Romania", "Russian Federation", "Israel", "Luxembourg", "Spain", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Lithuania", "Liechtenstein", "France", "United Arab Emirates", "Belgium" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 525, "domain": 18, "hostname": 38 }, "indicator_count": 581, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "12 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e301d3cb1d0884bf2c6fab", "name": "DugganUSA Threat Intel 2026-04-18 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-18T04:00:19.517000", "created": "2026-04-18T04:00:19.517000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Hong Kong", "Korea, Republic of", "Brazil", "Germany", "Singapore", "Japan", "China", "Iceland", "Poland", "Netherlands", "Sweden", "Bulgaria", "Mexico", "Australia", "Norway", "Switzerland", "Italy", "Ireland", "Canada", "Romania", "Russian Federation", "Israel", "United Kingdom of Great Britain and Northern Ireland", "Luxembourg", "Spain", "Denmark", "Lithuania", "Liechtenstein", "France", "United Arab Emirates", "Belgium" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 539, "domain": 19, "hostname": 38 }, "indicator_count": 596, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "628dff37032808c7c9e014dc", "name": "Sauron - Malware Domain Feed V2", "description": "Command and Control domains for Sauron. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-04-17T06:25:54.995000", "created": "2022-05-25T10:04:39.623000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 156427, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48998, "domain": 83143 }, "indicator_count": 132141, "is_author": false, "is_subscribing": null, "subscriber_count": 1550, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1b047e499b15de56cffdb", "name": "DugganUSA Threat Intel 2026-04-17 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-17T04:00:07.200000", "created": "2026-04-17T04:00:07.200000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "United States of America", "Hong Kong", "Singapore", "Brazil", "Japan", "China", "Iceland", "Poland", "Netherlands", "Sweden", "Mexico", "Australia", "Canada", "Norway", "Switzerland", "Italy", "Ireland", "Korea, Republic of", "Romania", "Russian Federation", "Israel", "United Kingdom of Great Britain and Northern Ireland", "Luxembourg", "Denmark", "Lithuania", "France", "Liechtenstein", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 529, "domain": 19, "hostname": 40 }, "indicator_count": 588, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-04-17T03:00:09.717000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 508638, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48210, "domain": 72684 }, "indicator_count": 120894, "is_author": false, "is_subscribing": null, "subscriber_count": 1699, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e05ec7e4706f72a771a396", "name": "DugganUSA Threat Intel 2026-04-16 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-16T04:00:07.813000", "created": "2026-04-16T04:00:07.813000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Korea, Republic of", "Singapore", "Hong Kong", "Germany", "Brazil", "Japan", "China", "Netherlands", "Iceland", "Poland", "Sweden", "Mexico", "Australia", "Canada", "Norway", "Switzerland", "Italy", "Ireland", "Romania", "Russian Federation", "Israel", "Spain", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Jordan", "Lithuania", "France", "Liechtenstein", "United Arab Emirates", "Belgium" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 615, "domain": 19, "hostname": 42 }, "indicator_count": 676, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69df0d676d7404f7fe08497c", "name": "DugganUSA Threat Intel 2026-04-15 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-15T04:00:38.993000", "created": "2026-04-15T04:00:38.993000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Malaysia", "Netherlands", "United States of America", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Cambodia", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "India", "Hong Kong", "Singapore", "Germany", "Brazil", "China", "Iceland", "Poland", "Pakistan", "Sweden", "Mexico", "Australia", "Norway", "Switzerland", "Italy", "Ireland", "Romania", "Israel", "Spain", "Denmark", "Lithuania", "Liechtenstein", "France" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv6": 2, "IPv4": 738, "hostname": 41, "domain": 18 }, "indicator_count": 799, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ddbbc87e54f91f9125fbca", "name": "DugganUSA Threat Intel 2026-04-14 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-14T04:00:08.335000", "created": "2026-04-14T04:00:08.335000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Belgium", "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "India", "Hong Kong", "Singapore", "Germany", "Brazil", "China", "Iceland", "Poland", "Netherlands", "Pakistan", "Sweden", "Bulgaria", "Syrian Arab Republic", "Mexico", "Australia", "Norway", "Switzerland", "Italy", "Ireland", "Romania", "Israel", "Spain", "Uzbekistan", "Denmark", "Iraq", "Lithuania", "Liechtenstein", "France" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 674, "hostname": 42, "domain": 19 }, "indicator_count": 735, "is_author": false, "is_subscribing": null, "subscriber_count": 173, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69dc6a520cee325182f37d08", "name": "DugganUSA Threat Intel 2026-04-13 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-13T04:00:18.411000", "created": "2026-04-13T04:00:18.411000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "India", "Singapore", "Germany", "Hong Kong", "China", "Brazil", "Iceland", "Poland", "Netherlands", "T\u00fcrkiye", "Sweden", "Mexico", "Australia", "Norway", "Italy", "Ireland", "Romania", "Israel", "Spain", "United Kingdom of Great Britain and Northern Ireland", "Uzbekistan", "Denmark", "Lithuania", "Liechtenstein", "France" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 651, "hostname": 41, "domain": 19 }, "indicator_count": 711, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69db18ca8f5926dac8dbd22f", "name": "DugganUSA Threat Intel 2026-04-12 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-12T04:00:10.730000", "created": "2026-04-12T04:00:10.730000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Singapore", "France", "United Arab Emirates", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 13, "hostname": 47, "domain": 20 }, "indicator_count": 80, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d9c749b597d4ee829b4dfa", "name": "DugganUSA Threat Intel 2026-04-11 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-11T04:00:09.515000", "created": "2026-04-11T04:00:09.515000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Netherlands", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Russian Federation", "Serbia", "China", "United Arab Emirates", "Korea, Republic of", "Germany", "Canada", "India", "Hong Kong", "Singapore", "Brazil", "Indonesia", "Lithuania", "Iceland", "Poland", "T\u00fcrkiye", "France", "Sweden", "Mexico", "Norway", "Italy", "Israel", "Spain", "Ireland", "Australia", "Romania", "Denmark", "Georgia", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 784, "hostname": 42, "domain": 19 }, "indicator_count": 845, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d875ca56c9bb98dca9b405", "name": "DugganUSA Threat Intel 2026-04-10 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-10T04:00:10.603000", "created": "2026-04-10T04:00:10.603000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Republic of", "Lithuania", "Russian Federation", "Canada", "Liechtenstein", "Netherlands", "United States of America", "Sweden", "Hong Kong", "Singapore", "France", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 38, "hostname": 44, "domain": 19 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7244a5236345da33deda5", "name": "DugganUSA Threat Intel 2026-04-09 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-09T04:00:10.418000", "created": "2026-04-09T04:00:10.418000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Hong Kong", "China", "Romania", "Netherlands", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "India", "Singapore", "Germany", "Brazil", "Indonesia", "Iceland", "Poland", "France", "Sweden", "Mexico", "Norway", "Italy", "Israel", "Spain", "Ireland", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 820, "IPv6": 2, "hostname": 42, "domain": 17 }, "indicator_count": 881, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ae45c8c4164ffb483918d4", "name": "DugganUSA Threat Intel 2026-03-09 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-08T04:13:00.325000", "created": "2026-03-09T04:00:08.559000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil", "Hong Kong", "China", "Romania", "Netherlands", "United States of America", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Russian Federation", "Ireland", "Serbia", "Germany", "United Arab Emirates", "Korea, Republic of", "Canada", "India", "Singapore", "Indonesia", "Iceland", "Poland", "France", "Sweden", "Mexico", "Australia", "Norway", "Italy", "Israel", "Spain", "Bulgaria", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 44, "domain": 15 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4814bb45f9dbeba73aadd", "name": "DugganUSA Threat Intel 2026-04-07 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-07T04:00:11.803000", "created": "2026-04-07T04:00:11.803000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Sweden", "Russian Federation", "Hong Kong", "Singapore", "France", "United Arab Emirates", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 22, "hostname": 46, "domain": 17 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69aba2c6a6f5f14057dcecd5", "name": "DugganUSA Threat Intel 2026-03-07 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-06T04:01:24.170000", "created": "2026-03-07T04:00:06.458000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Switzerland", "Brazil", "Singapore", "Hong Kong", "Romania", "Netherlands", "Finland", "Germany", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "India", "Indonesia", "Iceland", "Poland", "Andorra", "France", "Ecuador", "Sweden", "Mexico", "Australia", "Norway", "Italy", "Israel", "Spain", "Ireland", "Lithuania", "Denmark", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 43, "domain": 14 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d32fca20f45fda5c20e0d0", "name": "DugganUSA Threat Intel 2026-04-06 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-06T04:00:10.366000", "created": "2026-04-06T04:00:10.366000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "Denmark", "Netherlands", "Hong Kong", "Singapore", "Korea, Republic of", "Georgia", "Lithuania", "Russian Federation", "Canada", "Liechtenstein", "United States of America", "Sweden", "France", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 41, "hostname": 43, "domain": 16 }, "indicator_count": 100, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69aa514d9456282d0e435cd5", "name": "DugganUSA Threat Intel 2026-03-06 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-05T04:17:20.242000", "created": "2026-03-06T04:00:13.878000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Romania", "Germany", "Denmark", "Netherlands", "Hong Kong", "Singapore", "Korea, Republic of", "Lithuania", "Russian Federation", "Canada", "Liechtenstein", "Sweden", "France", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 46, "domain": 16 }, "indicator_count": 62, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a8ffc77b27598238f787ca", "name": "DugganUSA Threat Intel 2026-03-05 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-04T04:25:37.232000", "created": "2026-03-05T04:00:07.516000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Poland", "India", "United States of America", "Japan", "Canada", "Germany", "Netherlands", "Czechia", "France", "Kyrgyzstan", "China", "Switzerland", "Brazil", "Hong Kong", "Romania", "United Kingdom of Great Britain and Northern Ireland", "Belgium", "Russian Federation", "Serbia", "Dominican Republic", "United Arab Emirates", "Korea, Republic of", "Somalia", "Singapore", "Indonesia", "Iceland", "Andorra", "Sweden", "Mexico", "Australia", "Norway", "Italy", "Israel", "Spain", "Ireland", "Finland", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d08ccedc6258012de944ac", "name": "DugganUSA Threat Intel 2026-04-04 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-04T04:00:14.853000", "created": "2026-04-04T04:00:14.853000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Romania", "Russian Federation", "Israel", "Germany", "Netherlands", "Spain", "Japan", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Hong Kong", "Korea, Republic of", "Lithuania", "Canada", "Liechtenstein", "Sweden", "France", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 134, "hostname": 42, "domain": 16 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a7ae4accaad1f5748fa1df", "name": "DugganUSA Threat Intel 2026-03-04 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-03T04:02:21.345000", "created": "2026-03-04T04:00:10.157000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Denmark", "Romania", "Germany", "Hong Kong", "Singapore", "Korea, Republic of", "Lithuania", "Russian Federation", "Canada", "Liechtenstein", "Sweden", "France", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 36, "domain": 14 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf3b4b36574f7a07ef2f9c", "name": "DugganUSA Threat Intel 2026-04-03 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-03T04:00:11.016000", "created": "2026-04-03T04:00:11.016000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "Netherlands", "Hong Kong", "Singapore", "France", "United Arab Emirates", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 15, "hostname": 44, "domain": 16 }, "indicator_count": 75, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cde9cad6bf1e2f0b6a5023", "name": "DugganUSA Threat Intel 2026-04-02 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-02T04:00:10.140000", "created": "2026-04-02T04:00:10.140000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Korea, Republic of", "Germany", "Hong Kong", "China", "Brazil", "Japan", "Indonesia", "Bangladesh", "Iceland", "Poland", "Netherlands", "France", "Sweden", "Mexico", "Australia", "Canada", "Norway", "Italy", "Israel", "Spain", "Ireland", "Romania", "Russian Federation", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Lithuania", "Liechtenstein", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 697, "hostname": 41, "domain": 16 }, "indicator_count": 754, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a50b4a137b84efb6985f99", "name": "DugganUSA Threat Intel 2026-03-02 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-01T04:09:22.428000", "created": "2026-03-02T04:00:10.779000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Japan", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "United States of America", "Denmark", "Romania", "Germany", "Hong Kong", "Singapore", "Korea, Republic of", "Lithuania", "Russian Federation", "Canada", "Liechtenstein", "Sweden", "France", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 38, "domain": 15 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc98479ad80e04e5c04a9b", "name": "DugganUSA Threat Intel 2026-04-01 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-01T04:00:07.570000", "created": "2026-04-01T04:00:07.570000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "France", "Kyrgyzstan", "China", "Switzerland", "Hong Kong", "Romania", "Netherlands", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Russian Federation", "Iraq", "Serbia", "Venezuela, Bolivarian Republic of", "United Arab Emirates", "Korea, Republic of", "Germany", "Canada", "India", "Singapore", "Brazil", "Indonesia", "Bangladesh", "Iceland", "Poland", "Ecuador", "Sweden", "Mexico", "Australia", "Norway", "Italy", "Israel", "Spain", "Ireland", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 968, "IPv6": 1, "hostname": 22, "domain": 7 }, "indicator_count": 998, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb46cacf98c744142f85d6", "name": "DugganUSA Threat Intel 2026-03-31 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-31T04:00:10.253000", "created": "2026-03-31T04:00:10.253000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Hong Kong", "China", "Romania", "Netherlands", "Ireland", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Russian Federation", "Iraq", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "India", "Singapore", "Germany", "Brazil", "Indonesia", "Iceland", "Poland", "France", "Sweden", "Mexico", "Australia", "Norway", "Italy", "Israel", "Spain", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 908, "hostname": 32, "domain": 15 }, "indicator_count": 955, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a2684891ea48dcde4f3f70", "name": "DugganUSA Threat Intel 2026-02-28 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-30T04:17:41.802000", "created": "2026-02-28T04:00:08.652000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Japan", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "United States of America", "Denmark", "Romania", "Germany", "Hong Kong", "Singapore", "Korea, Republic of", "Lithuania", "Russian Federation", "Canada", "Liechtenstein", "Sweden", "France", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 38, "domain": 15 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a116ca0eb5a0c80a0fa4fa", "name": "DugganUSA Threat Intel 2026-02-27 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-29T04:31:27.969000", "created": "2026-02-27T04:00:10.882000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Romania", "Germany", "Denmark", "Netherlands", "Hong Kong", "Singapore", "Korea, Republic of", "Lithuania", "Russian Federation", "Canada", "Liechtenstein", "Sweden", "France", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 37, "domain": 14 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c8a3d16908ef5c5039c021", "name": "DugganUSA Threat Intel 2026-03-29 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-29T04:00:16.991000", "created": "2026-03-29T04:00:16.991000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Uzbekistan", "Netherlands", "Denmark", "Romania", "Germany", "Hong Kong", "Singapore", "Korea, Republic of", "Lithuania", "Russian Federation", "Canada", "Liechtenstein", "Sweden", "France", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 68, "hostname": 41, "domain": 15 }, "indicator_count": 124, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "21 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699fc5461f1f5430448e6972", "name": "DugganUSA Threat Intel 2026-02-26 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-28T04:22:05.035000", "created": "2026-02-26T04:00:06.469000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Poland", "India", "United States of America", "Japan", "Canada", "Germany", "Netherlands", "France", "Kyrgyzstan", "China", "Switzerland", "Brazil", "Hong Kong", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Belgium", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Singapore", "Indonesia", "Iceland", "Sweden", "Mexico", "Australia", "Norway", "Italy", "Israel", "Spain", "Ireland", "Finland", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "domain": 11 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699e73c61f304d0d5c1e6f3a", "name": "DugganUSA Threat Intel 2026-02-25 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-27T04:00:25.820000", "created": "2026-02-25T04:00:06.674000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Japan", "United States of America", "Canada", "Germany", "Netherlands", "France", "Kyrgyzstan", "China", "Switzerland", "Hong Kong", "Romania", "United Kingdom of Great Britain and Northern Ireland", "Belgium", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "India", "Singapore", "Brazil", "Indonesia", "Iceland", "Poland", "Sweden", "Mexico", "Australia", "Norway", "Italy", "Israel", "Spain", "Ireland", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "domain": 13 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699d2247f3b60c4596b94e5f", "name": "DugganUSA Threat Intel 2026-02-24 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-26T04:07:58.452000", "created": "2026-02-24T04:00:07.609000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "Romania", "Finland", "United States of America", "Netherlands", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Indonesia", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Germany", "Canada", "India", "Singapore", "Hong Kong", "Brazil", "Iceland", "Poland", "France", "Sweden", "Mexico", "Australia", "Norway", "Italy", "Israel", "Spain", "Ireland", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 32, "domain": 14 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699a7f47b02731af0274325d", "name": "DugganUSA Threat Intel 2026-02-22 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-24T04:18:55.990000", "created": "2026-02-22T04:00:07.350000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Japan", "United States of America", "Germany", "Netherlands", "France", "Kyrgyzstan", "China", "Switzerland", "Brazil", "Hong Kong", "Romania", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "India", "Singapore", "Indonesia", "Australia", "Iceland", "Poland", "Sweden", "Mexico", "Norway", "Italy", "Israel", "Spain", "Ireland", "Finland", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 36, "domain": 14 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69992dc6b7f94ecb6390f982", "name": "DugganUSA Threat Intel 2026-02-21 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-23T04:01:15.910000", "created": "2026-02-21T04:00:06.281000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Poland", "India", "United States of America", "Japan", "Germany", "Netherlands", "France", "Kyrgyzstan", "China", "Switzerland", "Brazil", "Hong Kong", "Romania", "Finland", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "Singapore", "Indonesia", "Australia", "Iceland", "Sweden", "Mexico", "Norway", "Italy", "Israel", "Spain", "Ireland", "Lebanon", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 37, "domain": 13 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6997dc463cd7b64a8ec21008", "name": "DugganUSA Threat Intel 2026-02-20 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-22T04:06:32.319000", "created": "2026-02-20T04:00:06.244000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Poland", "India", "United States of America", "Japan", "Germany", "Netherlands", "France", "Kyrgyzstan", "China", "Switzerland", "Brazil", "Hong Kong", "Romania", "Finland", "Malaysia", "United Kingdom of Great Britain and Northern Ireland", "Singapore", "Belgium", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "Indonesia", "Iceland", "Sweden", "Mexico", "Australia", "Norway", "Italy", "Israel", "Spain", "Ireland", "Lebanon", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6, "domain": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69968ac6ed99d5169ba3ff25", "name": "DugganUSA Threat Intel 2026-02-19 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-21T04:18:57.970000", "created": "2026-02-19T04:00:06.855000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "United States of America", "Japan", "Germany", "Netherlands", "France", "Kyrgyzstan", "China", "Switzerland", "Brazil", "Hong Kong", "Romania", "Finland", "Malaysia", "United Kingdom of Great Britain and Northern Ireland", "Singapore", "Belgium", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "South Africa", "Indonesia", "Iceland", "Poland", "Sweden", "Mexico", "Australia", "Norway", "Italy", "Israel", "Spain", "Ireland", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 39, "domain": 13 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6993e7c802253cd990d32963", "name": "DugganUSA Threat Intel 2026-02-17 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-19T04:00:14.122000", "created": "2026-02-17T04:00:08.943000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Poland", "India", "United States of America", "Japan", "Germany", "Netherlands", "France", "Kyrgyzstan", "China", "Switzerland", "Brazil", "Hong Kong", "Romania", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "Singapore", "Indonesia", "Iceland", "Sweden", "Mexico", "Australia", "Norway", "Italy", "Israel", "Spain", "Ireland", "Finland", "Bulgaria", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 26, "domain": 8 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699296457ec1c92ec1dfd415", "name": "DugganUSA Threat Intel 2026-02-16 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-18T04:01:42.702000", "created": "2026-02-16T04:00:05.808000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Poland", "India", "United States of America", "Japan", "Germany", "Netherlands", "France", "Kyrgyzstan", "China", "Switzerland", "Brazil", "Hong Kong", "Romania", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "Singapore", "Indonesia", "Iceland", "Sweden", "Slovenia", "Mexico", "Australia", "Norway", "Italy", "Israel", "Spain", "Ireland", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 39, "domain": 14 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "32 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699144c7850d04a78723e3b4", "name": "DugganUSA Threat Intel 2026-02-15 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-17T04:07:47.084000", "created": "2026-02-15T04:00:07.415000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "India", "Singapore", "Germany", "Hong Kong", "Brazil", "Indonesia", "China", "Iceland", "Poland", "Netherlands", "France", "Sweden", "Slovenia", "Mexico", "Norway", "Switzerland", "Italy", "Israel", "Spain", "Ireland", "Australia", "Romania", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 35, "domain": 13 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "33 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698d504545746e889d281083", "name": "DugganUSA Threat Intel 2026-02-12 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-14T04:06:00.296000", "created": "2026-02-12T04:00:05.788000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Japan", "United States of America", "Germany", "Netherlands", "France", "Kyrgyzstan", "China", "Switzerland", "Brazil", "Hong Kong", "Romania", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "India", "South Africa", "Singapore", "Indonesia", "Iceland", "Poland", "Sweden", "Mexico", "Norway", "Italy", "Israel", "Spain", "Ireland", "Australia", "Finland", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 39, "domain": 14 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 173, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698bfeca78357b2767295b17", "name": "DugganUSA Threat Intel 2026-02-11 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-13T05:44:19.622000", "created": "2026-02-11T04:00:10.839000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Switzerland", "Netherlands", "Denmark", "Romania", "Germany", "Hong Kong", "Singapore", "Korea, Republic of", "Lithuania", "Russian Federation", "Canada", "Liechtenstein", "Sweden", "United Kingdom of Great Britain and Northern Ireland", "France", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "domain": 14 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "37 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698aad494f927d1b0ae40f74", "name": "DugganUSA Threat Intel 2026-02-10 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-12T04:07:26.432000", "created": "2026-02-10T04:00:09.005000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Kosovo", "Bulgaria", "Netherlands", "Denmark", "Romania", "Germany", "Canada", "Hong Kong", "Singapore", "Korea, Republic of", "Lithuania", "Russian Federation", "Liechtenstein", "Sweden", "France", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 31, "domain": 14 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69895bd1e959d974807f08d3", "name": "DugganUSA Threat Intel 2026-02-09 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-11T04:02:50.189000", "created": "2026-02-09T04:00:17.659000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Singapore", "France", "United Arab Emirates", "Kosovo", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 38, "domain": 14 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69880a493bc0059c39a7b855", "name": "DugganUSA Threat Intel 2026-02-08 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-10T04:01:46.435000", "created": "2026-02-08T04:00:08.977000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Netherlands", "Denmark", "Romania", "Germany", "Hong Kong", "Singapore", "Korea, Republic of", "Lithuania", "Russian Federation", "Canada", "Liechtenstein", "Sweden", "France", "United Arab Emirates", "Kosovo" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 40, "domain": 14 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "40 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698567496dc4f57e30d6bc7e", "name": "DugganUSA Threat Intel 2026-02-06 #3", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-08T04:02:26.337000", "created": "2026-02-06T04:00:09.149000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Romania", "Germany", "Hong Kong", "Singapore", "Korea, Republic of", "Lithuania", "Russian Federation", "Canada", "Liechtenstein", "Sweden", "France", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 40, "domain": 14 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698415cb7f0540e9d5ab823a", "name": "DugganUSA Threat Intel 2026-02-05 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-03-07T04:05:02.616000", "created": "2026-02-05T04:00:06.650000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Poland", "India", "United States of America", "Japan", "Germany", "Netherlands", "France", "Kyrgyzstan", "China", "Switzerland", "Brazil", "Hong Kong", "Romania", "Sweden", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Russian Federation", "Serbia", "Venezuela, Bolivarian Republic of", "United Arab Emirates", "Korea, Republic of", "Canada", "Singapore", "Indonesia", "Iceland", "Mexico", "Norway", "Italy", "Israel", "Spain", "Ireland", "Australia", "Denmark", "Lithuania", "Liechtenstein" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 41, "domain": 14 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "T1110.001 (Brute Force: Password Guessing)", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "Verification failure observed in automated verification handlers during sandbox replay.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "https://www.abuseipdb.com", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "Obfuscation: XOR-based String Encryption (0x20)", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s" ], "malware_families": [ "Malware family: stealthworker / gobrut", "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf" ], "industries": [ "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e453480756c42b4560d9ee", "name": "DugganUSA Threat Intel 2026-04-19 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-19T04:00:08.264000", "created": "2026-04-19T04:00:08.264000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Hong Kong", "Korea, Republic of", "Brazil", "Germany", "Japan", "China", "Iceland", "Poland", "Netherlands", "Sweden", "Bulgaria", "Mexico", "Australia", "Norway", "Switzerland", "Italy", "Ireland", "Canada", "Romania", "Russian Federation", "Israel", "Luxembourg", "Spain", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Lithuania", "Liechtenstein", "France", "United Arab Emirates", "Belgium" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 525, "domain": 18, "hostname": 38 }, "indicator_count": 581, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "12 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e301d3cb1d0884bf2c6fab", "name": "DugganUSA Threat Intel 2026-04-18 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-18T04:00:19.517000", "created": "2026-04-18T04:00:19.517000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Hong Kong", "Korea, Republic of", "Brazil", "Germany", "Singapore", "Japan", "China", "Iceland", "Poland", "Netherlands", "Sweden", "Bulgaria", "Mexico", "Australia", "Norway", "Switzerland", "Italy", "Ireland", "Canada", "Romania", "Russian Federation", "Israel", "United Kingdom of Great Britain and Northern Ireland", "Luxembourg", "Spain", "Denmark", "Lithuania", "Liechtenstein", "France", "United Arab Emirates", "Belgium" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 539, "domain": 19, "hostname": 38 }, "indicator_count": 596, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "628dff37032808c7c9e014dc", "name": "Sauron - Malware Domain Feed V2", "description": "Command and Control domains for Sauron. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-04-17T06:25:54.995000", "created": "2022-05-25T10:04:39.623000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 156427, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48998, "domain": 83143 }, "indicator_count": 132141, "is_author": false, "is_subscribing": null, "subscriber_count": 1550, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1b047e499b15de56cffdb", "name": "DugganUSA Threat Intel 2026-04-17 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-17T04:00:07.200000", "created": "2026-04-17T04:00:07.200000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "United States of America", "Hong Kong", "Singapore", "Brazil", "Japan", "China", "Iceland", "Poland", "Netherlands", "Sweden", "Mexico", "Australia", "Canada", "Norway", "Switzerland", "Italy", "Ireland", "Korea, Republic of", "Romania", "Russian Federation", "Israel", "United Kingdom of Great Britain and Northern Ireland", "Luxembourg", "Denmark", "Lithuania", "France", "Liechtenstein", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 529, "domain": 19, "hostname": 40 }, "indicator_count": 588, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-04-17T03:00:09.717000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 508638, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48210, "domain": 72684 }, "indicator_count": 120894, "is_author": false, "is_subscribing": null, "subscriber_count": 1699, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e05ec7e4706f72a771a396", "name": "DugganUSA Threat Intel 2026-04-16 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-16T04:00:07.813000", "created": "2026-04-16T04:00:07.813000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Korea, Republic of", "Singapore", "Hong Kong", "Germany", "Brazil", "Japan", "China", "Netherlands", "Iceland", "Poland", "Sweden", "Mexico", "Australia", "Canada", "Norway", "Switzerland", "Italy", "Ireland", "Romania", "Russian Federation", "Israel", "Spain", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Jordan", "Lithuania", "France", "Liechtenstein", "United Arab Emirates", "Belgium" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 615, "domain": 19, "hostname": 42 }, "indicator_count": 676, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69df0d676d7404f7fe08497c", "name": "DugganUSA Threat Intel 2026-04-15 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-15T04:00:38.993000", "created": "2026-04-15T04:00:38.993000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Malaysia", "Netherlands", "United States of America", "Belgium", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Cambodia", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "India", "Hong Kong", "Singapore", "Germany", "Brazil", "China", "Iceland", "Poland", "Pakistan", "Sweden", "Mexico", "Australia", "Norway", "Switzerland", "Italy", "Ireland", "Romania", "Israel", "Spain", "Denmark", "Lithuania", "Liechtenstein", "France" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv6": 2, "IPv4": 738, "hostname": 41, "domain": 18 }, "indicator_count": 799, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ddbbc87e54f91f9125fbca", "name": "DugganUSA Threat Intel 2026-04-14 #2", "description": "Auto-blocked threat IPs with SSL certificate enrichment. Discovered by DugganUSA threat intelligence pipeline.", "modified": "2026-04-14T04:00:08.335000", "created": "2026-04-14T04:00:08.335000", "tags": [ "dugganusa", "auto-blocked", "ssl-enrichment", "threat-intel" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://www.abuseipdb.com" ], "public": 1, "adversary": "", "targeted_countries": [ "Belgium", "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Russian Federation", "Serbia", "United Arab Emirates", "Korea, Republic of", "Canada", "India", "Hong Kong", "Singapore", "Germany", "Brazil", "China", "Iceland", "Poland", "Netherlands", "Pakistan", "Sweden", "Bulgaria", "Syrian Arab Republic", "Mexico", "Australia", "Norway", "Switzerland", "Italy", "Ireland", "Romania", "Israel", "Spain", "Uzbekistan", "Denmark", "Iraq", "Lithuania", "Liechtenstein", "France" ], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 674, "hostname": 42, "domain": 19 }, "indicator_count": 735, "is_author": false, "is_subscribing": null, "subscriber_count": 173, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cloudwaysapps.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cloudwaysapps.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776615340.1536367 }