{ "type": "Domain", "indicator": "codifiable.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/codifiable.com", "alexa": "http://www.alexa.com/siteinfo/codifiable.com", "indicator": "codifiable.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2899512158, "indicator": "codifiable.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 21, "pulses": [ { "id": "69e4e7cfdc3bb3cdffeecf7c", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:51.385000", "created": "2026-04-19T14:33:51.385000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "18 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e4e7c6ddf646eb4e645bd5", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:42.400000", "created": "2026-04-19T14:33:42.400000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698d30c03b57c38dff915023", "name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone", "description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).", "modified": "2026-03-29T06:02:00.914000", "created": "2026-02-12T01:45:36.128000", "tags": [ "The dynamics of the mudoSOSIntersectalign with sophisticated adv" ], "references": [ "as15169" ], "public": 1, "adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URI": 1, "domain": 2661, "URL": 6810, "hostname": 2147, "email": 56, "FileHash-SHA256": 2781, "CVE": 172, "FileHash-MD5": 365, "FileHash-SHA1": 344, "IPv4": 1, "CIDR": 20940 }, "indicator_count": 36278, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699c6ef61298b57cd7275728", "name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s", "description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.", "modified": "2026-03-25T07:05:10.628000", "created": "2026-02-23T15:15:02.857000", "tags": [ "ipv4", "http", "passive dns", "files domain", "united", "unknown ns", "for privacy", "ip address", "domain", "dynamicloader", "antivirus", "yara rule", "fe ff", "write c", "msvisualcpp60", "rsds", "e8 c8", "e8 a8", "ff e1", "unknown", "worm", "launch", "write", "explorer", "february", "push", "service", "files", "reverse dns", "america flag", "america asn", "url add", "otx logo", "all ipv4", "searc", "date checked", "server response", "results dec", "unknown soa", "present aug", "present oct", "present sep", "present nov", "moved", "error", "title", "win32mydoom feb", "aaaa", "name servers", "trojan", "servers", "virtool", "united states", "apple", "crlf line", "unicode text", "utf8", "ff d5", "ascii text", "ee fc", "suspicious", "music", "malware", "role title", "ttl value", ".cc", "d4 f5", "msvisualcpp2002", "msvisualcpp2005", "apple support", ".ch", "privaterelay", "pattern match", "ck id", "mitre att", "ck matrix", "href", "et info", "general", "local", "path", "click", "learn", "command", "name tactics", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "present jun", "backdoor", "present may", "status", "ransom", "high", "medium", "windows", "tofsee", "loaderid", "lidfileupd", "localcfg", "rndhex", "stream", "delete", "emotet", "bot network", "mitm", "screenshot", "mimecast" ], "references": [ "http://apple.support.com/ht***** redirect", "https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8", "mac.store", "https://icloud.ch/cn/ipod-touch/", "https://icloud.ch/", "https://multicash.smbcgroup.com/gb/App/Authentication/Challenge", "https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/", "Redirect: schemas.microsoft.com", "apple.com(-inc.cc)", "oas-japac-domains-applecomputer.cn", "robert-aebi.appleid.com", "smtp2.icl-privaterelay.appleid.com", "http://audaxgroup.appleid.com/", "https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php", "iphonegermany.com", "api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud", "https://aspmx.l.google.com/", "api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com", "de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com", "http://www.icloud-sms-alert.com/", "monitoring.eurovision.net", "https://www.irby.com/iub-en/services/testing-and-monitoring", "monitor.kyos.ninja" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/IcedId.DI!MTB", "display_name": "Trojan:Win32/IcedId.DI!MTB", "target": "/malware/Trojan:Win32/IcedId.DI!MTB" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Worm:Win32/Bloored", "display_name": "Worm:Win32/Bloored", "target": "/malware/Worm:Win32/Bloored" }, { "id": "Win.Malware.Elenooka-6996044-0", "display_name": "Win.Malware.Elenooka-6996044-0", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6031, "hostname": 1971, "domain": 1125, "FileHash-SHA256": 1715, "email": 18, "FileHash-MD5": 317, "FileHash-SHA1": 164 }, "indicator_count": 11341, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686e17b1ac7253ec7e12f1e8", "name": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile", "description": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile | ImFurther investigation of familiar IoC\u2019s in Tethering T-mobile to iOS research. \n\nPalantir is the the Cyber Defense Firm that provides the weapons, man force, military, false arrest records ,reputation damage, the man who drove her off the road, constant stalking and the marketing of her music in other media.\n Realize this hot stock you\u2019re investing is a domestic and international terrorist organization. There are several\nPeople here being 24/7/365 monitored.\nThey have fulfillment centers from Amazon and can provide food to medicine, they have the entire military, all\ngovernment contracts and their own physicians. \n\n#malware #foundry #rip #palantir # twitter #paypalmafia #quasi #government # workerscompensation #law_enforcement # #jeffreyreimer #sabey #tsarabrashearslivesinourhearts", "modified": "2025-08-08T06:00:40.325000", "created": "2025-07-09T07:18:09.062000", "tags": [ "present jun", "united", "status", "present may", "present sep", "search", "date", "entries", "trojan", "name servers", "ransom", "twitter", "redacted for", "showing", "passive dns", "urls", "softlayer", "internet", "encrypt", "record value", "body", "service", "russia", "spain", "germany", "netherlands", "aaaa", "france", "virtool", "creation date", "expiration date", "servers", "hostname add", "pulse pulses", "files", "present aug", "ip address", "applenoc", "unknown ns", "next associated", "urls show", "date checked", "url hostname", "server response", "unknown aaaa", "secure server", "msie", "chrome", "moved", "title", "gmt content", "type", "pulse submit", "http", "hostname", "files domain", "files related", "pulses otx", "pulses", "related tags", "google safe", "indicator role", "title added", "active related", "url https", "dynamicloader", "write c", "windows nt", "wow64", "slcc2", "media center", "html", "as15169", "write", "xport", "copy", "guard", "malware", "suspicious", "next", "extraction", "data upload", "failed", "extri data", "include review", "exclude", "sugges", "stop x", "s data", "extr data", "extraction data", "enter soudcetdi", "ad tevdag", "cadad ad", "draie", "extri include", "review", "done", "levelblue", "exclude sugges", "uny inuuue", "find s", "typ hos", "script urls", "canada unknown", "script domains", "a domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 181, "FileHash-SHA1": 154, "FileHash-SHA256": 1857, "domain": 1424, "email": 13, "hostname": 1304, "URL": 4168, "CVE": 1, "SSLCertFingerprint": 4 }, "indicator_count": 9106, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "255 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a20ff8db3854e863dca324", "name": "Shared Modules | Hijacker | Masquerading", "description": "", "modified": "2024-02-12T04:01:56.040000", "created": "2024-01-13T04:22:16.961000", "tags": [ "filehashmd5", "no expiration", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "hostname", "expiration", "domain", "url https", "url http", "source", "stix", "email", "email abuse", "goreasonlimited", "cc no", "tompc", "sum35", "domain xn", "searchbox0", "domainname0", "view", "apple", "apple id", "hijacking", "masquerading", "exploit", "cams", "monitoring", "loki bot", "dns", "open ports", "malvertizing", "malware hosting", "apple script", "js user", "dga", "dga domains", "malware", "multiple_versions", "wagersta", "decode", "system information discovery", "decrypt", "evasion", "defense evasion", "emotet", "android", "ios", "wannacry", "trojan", "worm", "cyber threat", "benjamin", "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "contacted urls", "execution", "whois whois", "whois sslcert", "and china", "drop", "uchealth", "university of cincinnati health" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 2296, "FileHash-SHA256": 3362, "URL": 6191, "domain": 2033, "hostname": 3097, "email": 37, "CVE": 2 }, "indicator_count": 19719, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "798 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659d1aa9306d72c1c80b486a", "name": "hyundaitx.com | pegasus", "description": "", "modified": "2024-02-10T15:02:08.842000", "created": "2024-01-09T10:06:33.717000", "tags": [ "united", "creation date", "search", "date", "expiration date", "unknown", "as1680 cellcom", "israel unknown", "as11042 network", "scan endpoints", "next" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 83, "domain": 788, "email": 8, "hostname": 137, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8 }, "indicator_count": 1040, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "799 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659261e2290ac1ecc5d9ca74", "name": "Pegasus - a-poster.info", "description": "", "modified": "2024-01-31T04:00:35.757000", "created": "2024-01-01T06:55:30.771000", "tags": [ "no expiration", "domain", "hostname", "ipv4", "expiration", "iocs", "ipv6", "url http", "url https", "next", "filehashmd5", "filehashsha1", "filehashsha256", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "cidr", "pcap", "stix", "subid", "mtsub26293293", "dashboard", "browse scan", "endpoints all", "octoseek", "a poster", "apple", "apple id", "apple engineering", "icloud", "tulach", "hallrender", "ck matrix", "ck id", "xobo", "a nxdomain", "sabey", "aaaa", "win32", "briansabey", "brian", "brian sabey", "urls https", "unknown urls", "united", "ttl value", "tsara brashears", "trojan", "tracker", "tofsee", "threat analyzer", "threat", "temp", "teams api", "subdomains", "active", "active threat", "strings", "status codes", "japan national police agency", "pegasus", "china", "aig", "ssl certificate", "accept", "ssh on server", "speakez securus", "show technique", "https", "relay", "state", "android", "address", "aposter", "workaposter", "sha256", "showing", "simple", "span", "small", "serving ip", "script", "search", "root", "ca", "samples", "root ca", "resolutions", "remote", "relay", "relacion", "referrer", "record value", "applenoc", "as16625", "attack", "apple attack", "bundled", "canvas", "mitre attk", "brute force passwords", "body length", "body", "backdoor", "bellsouth", "bahamut", "bell south", "mitre", "cellbrite", "class", "click", "authority", "contentencoding", "akamai", "as20940", "as24940 hetzner", "as58061 scalaxy", "scalaxy", "as714", "critical", "communicating", "quasar", "trojan", "et", "icefog", "pegasus", "tofsee", "cmd", "crypto", "error", "dns replication", "domain entries", "et cins", "execution", "cname", "config", "contact", "contacted", "copy", "creation date", "formbook", "jekyll", "graph", "germany unknown", "generator", "general", "forbidden", "falcon sandbox", "ssl hostname", "false", "file", "final url", "final url summary", "hashes files", "headers nel", "historical", "malicious host", "malvertizing", "malware", "tagging", "contextualizing", "localappdata", "install", "installer", "ioc search", "iocs kb", "body", "local", "United states", "name", "name servers", "mitre att", "metro", "meta", "mail spammer", "submit", "submit quasar", "phishing", "pattern match", "paste", "passive dns", "nxdomain", "national police agency japan", "network", "verdict", "cmd", "sandbox", "http response", "record type", "phishing", "nuance", "next", "new ioc", "subdomains", "germany", "reinsurance", "nuance", "cybercrime", "tracking", "cyber stalking", "fear", "masquerading", "cobalt strike" ], "references": [ "a-poster.info", "https://tulach.cc/", "images.ctfassets.net", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "nr-data.net [Apple Private Data Collection]", "http://gmpg.org/xfn/11 [HTTrack]", "192.229.211.108 [Tracking & Virus Network]", "me.com [Pegasus]", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "37.1.217.172 [scanning host]", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "IceFog", "display_name": "IceFog", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4695, "domain": 2494, "hostname": 3547, "FileHash-MD5": 4118, "FileHash-SHA1": 3496, "FileHash-SHA256": 5841, "CIDR": 12, "email": 17 }, "indicator_count": 24220, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659261d5965b4824d1606cf9", "name": "Pegasus - a-poster.info", "description": "", "modified": "2024-01-31T04:00:35.757000", "created": "2024-01-01T06:55:17.262000", "tags": [ "no expiration", "domain", "hostname", "ipv4", "expiration", "iocs", "ipv6", "url http", "url https", "next", "filehashmd5", "filehashsha1", "filehashsha256", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "cidr", "pcap", "stix", "subid", "mtsub26293293", "dashboard", "browse scan", "endpoints all", "octoseek", "a poster", "apple", "apple id", "apple engineering", "icloud", "tulach", "hallrender", "ck matrix", "ck id", "xobo", "a nxdomain", "sabey", "aaaa", "win32", "briansabey", "brian", "brian sabey", "urls https", "unknown urls", "united", "ttl value", "tsara brashears", "trojan", "tracker", "tofsee", "threat analyzer", "threat", "temp", "teams api", "subdomains", "active", "active threat", "strings", "status codes", "japan national police agency", "pegasus", "china", "aig", "ssl certificate", "accept", "ssh on server", "speakez securus", "show technique", "https", "relay", "state", "android", "address", "aposter", "workaposter", "sha256", "showing", "simple", "span", "small", "serving ip", "script", "search", "root", "ca", "samples", "root ca", "resolutions", "remote", "relay", "relacion", "referrer", "record value", "applenoc", "as16625", "attack", "apple attack", "bundled", "canvas", "mitre attk", "brute force passwords", "body length", "body", "backdoor", "bellsouth", "bahamut", "bell south", "mitre", "cellbrite", "class", "click", "authority", "contentencoding", "akamai", "as20940", "as24940 hetzner", "as58061 scalaxy", "scalaxy", "as714", "critical", "communicating", "quasar", "trojan", "et", "icefog", "pegasus", "tofsee", "cmd", "crypto", "error", "dns replication", "domain entries", "et cins", "execution", "cname", "config", "contact", "contacted", "copy", "creation date", "formbook", "jekyll", "graph", "germany unknown", "generator", "general", "forbidden", "falcon sandbox", "ssl hostname", "false", "file", "final url", "final url summary", "hashes files", "headers nel", "historical", "malicious host", "malvertizing", "malware", "tagging", "contextualizing", "localappdata", "install", "installer", "ioc search", "iocs kb", "body", "local", "United states", "name", "name servers", "mitre att", "metro", "meta", "mail spammer", "submit", "submit quasar", "phishing", "pattern match", "paste", "passive dns", "nxdomain", "national police agency japan", "network", "verdict", "cmd", "sandbox", "http response", "record type", "phishing", "nuance", "next", "new ioc", "subdomains", "germany", "reinsurance", "nuance", "cybercrime", "tracking", "cyber stalking", "fear", "masquerading", "cobalt strike" ], "references": [ "a-poster.info", "https://tulach.cc/", "images.ctfassets.net", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "nr-data.net [Apple Private Data Collection]", "http://gmpg.org/xfn/11 [HTTrack]", "192.229.211.108 [Tracking & Virus Network]", "me.com [Pegasus]", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "37.1.217.172 [scanning host]", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "IceFog", "display_name": "IceFog", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4719, "domain": 2497, "hostname": 3549, "FileHash-MD5": 4118, "FileHash-SHA1": 3496, "FileHash-SHA256": 5861, "CIDR": 12, "email": 17 }, "indicator_count": 24269, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65944b9812ea52ab41c0259d", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2024-01-02T17:44:56.709000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659127f3265ec6306b607faa", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-31T08:36:03.380000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658f967a4fc7ebe8021b9382", "name": "Mirai Apple Attack +", "description": "This is hard to make sense of. All calls, clicks on a DGA Domain masquerading as desired service, lands you on the radar of a faux service where in turn bad actors attack everything. Target, remotely hack, follow, smear your life, same victim auto populates 79%, no hunt for assaulter.\n I'm assuming to see it one must 1st be in a Botnet. We keep seeing the same targets but no preparator. \nShe said \"Life was busy, life was good; full of health and hope. Then one sunny October day... I'm still grateful but what happened my body, thoughts and the world around me? Where's God? Am I a criminally responsible for getting attacked?\"", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-30T04:03:06.598000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a971ab44409ecb7018428", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-02T02:31:54.823000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6569984495dfed1b14e29217", "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a9718ac97804d782cc16b", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-02T02:31:52.614000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6569984495dfed1b14e29217", "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6569984495dfed1b14e29217", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "Active iCloud monitoring by third party. Active cyber threat.\nFound in link on iOS device: p155-fmfmobile.icloud.com\nFraud services. No data, service, or legitimate carrier", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-01T08:24:36.293000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657099513dc9a827df6cd3c0", "name": "me.com", "description": "", "modified": "2023-12-06T15:54:56.053000", "created": "2023-12-06T15:54:56.053000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 566, "hostname": 219, "FileHash-SHA1": 30, "domain": 123, "URL": 508, "FileHash-MD5": 31 }, "indicator_count": 1477, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "643301d4b3a679c5d8321baa", "name": "me.com", "description": "holy granny crap", "modified": "2023-05-09T18:01:16.786000", "created": "2023-04-09T18:20:03.736000", "tags": [ "apple", "calender exploits" ], "references": [ "http://pv44p00ic-ztell07091901.me.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 508, "hostname": 219, "domain": 123, "FileHash-SHA256": 566, "FileHash-MD5": 31, "FileHash-SHA1": 30 }, "indicator_count": 1477, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1076 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "https://dc-mx.d3525d602ca2.pixelrz.com", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "103.246.145.111 - scanning host", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "https://aspmx.l.google.com/", "fmfmobile.fe.apple-dns.net", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "192.229.211.108 [Tracking & Virus Network]", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "http://audaxgroup.appleid.com/", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "https://icloud.ch/", "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "images.ctfassets.net", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "apple.com(-inc.cc)", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php", "monitor.kyos.ninja", "103.246.145.111 phishing", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Redirect: schemas.microsoft.com", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "https://icloud.ch/cn/ipod-touch/", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com", "iphonegermany.com", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "https://tulach.cc/", "me.com [Pegasus]", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "T1110.001 (Brute Force: Password Guessing)", "https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/", "https://twitter.com/PORNO_SEXYBABES", "as15169", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86", "00000000.apple.com | remote SIM Swap", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "nr-data.net | Apple Private Data collection", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "http://gmpg.org/xfn/11 [HTTrack]", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://notredamewormhoutnet.appleid.com/", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "robert-aebi.appleid.com", "applestore.net", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "https://www.irby.com/iub-en/services/testing-and-monitoring", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "Resource: https://urlscan.io/domain/privaterelay.appleid.com", "smtp2.icl-privaterelay.appleid.com", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "a-poster.info", "CNC Hostname: urlspirit.spiritsoft.cn", "de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com", "Verification failure observed in automated verification handlers during sandbox replay.", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "http://certs.apple.com/appleistca2g1_bc.cer", "https://multicash.smbcgroup.com/gb/App/Authentication/Challenge", "http://apple.support.com/ht***** redirect", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "nr-data.net [Apple Private Data Collection]", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "\u2193Command and Control \u2193", "news-publisher.pictures", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "http://www.icloud-sms-alert.com/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "airinthemorning.net", "Obfuscation: XOR-based String Encryption (0x20)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "monitoring.eurovision.net", "37.1.217.172 [scanning host]", "oas-japac-domains-applecomputer.cn", "http://pv44p00ic-ztell07091901.me.com/", "developer.huawei.com", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "p155-fmfmobile.icloud.com", "mac.store" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act" ], "malware_families": [ "Mydoom", "Pegasus for ios - s0289", "Tulach", "Quasar rat", "Icefog", "Tofsee", "Swrort", "Formbook", "Systweak", "Ratel", "Wacatac.", "Malware family: stealthworker / gobrut", "Blacknet", "Tiggre", "Nircmd", "Softcnapp", "Zeus", "Trojan:win32/icedid.di!mtb", "Sabey", "Worm:win32/bloored", "Pegasus - mob-s0005", "Bambernek", "Win.malware.elenooka-6996044-0", "Union", "Fusioncore", "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf", "Xrat", "Appleservice", "Hallrender", "Trojan.mirai/genericrxui", "Zbot", "Pegasus for android - mob-s0032", "Win:zgrat", "Noname057", "Emotet", "Trojan", "Kraddare", "Tinba", "Suppobox", "Cobalt strike", "Virus:dos/nanjing", "Networm", "Redline", "Trojan.agensla/msil" ], "industries": [ "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Healthcare" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 21, "pulses": [ { "id": "69e4e7cfdc3bb3cdffeecf7c", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:51.385000", "created": "2026-04-19T14:33:51.385000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "18 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e4e7c6ddf646eb4e645bd5", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:42.400000", "created": "2026-04-19T14:33:42.400000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698d30c03b57c38dff915023", "name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone", "description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).", "modified": "2026-03-29T06:02:00.914000", "created": "2026-02-12T01:45:36.128000", "tags": [ "The dynamics of the mudoSOSIntersectalign with sophisticated adv" ], "references": [ "as15169" ], "public": 1, "adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URI": 1, "domain": 2661, "URL": 6810, "hostname": 2147, "email": 56, "FileHash-SHA256": 2781, "CVE": 172, "FileHash-MD5": 365, "FileHash-SHA1": 344, "IPv4": 1, "CIDR": 20940 }, "indicator_count": 36278, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699c6ef61298b57cd7275728", "name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s", "description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.", "modified": "2026-03-25T07:05:10.628000", "created": "2026-02-23T15:15:02.857000", "tags": [ "ipv4", "http", "passive dns", "files domain", "united", "unknown ns", "for privacy", "ip address", "domain", "dynamicloader", "antivirus", "yara rule", "fe ff", "write c", "msvisualcpp60", "rsds", "e8 c8", "e8 a8", "ff e1", "unknown", "worm", "launch", "write", "explorer", "february", "push", "service", "files", "reverse dns", "america flag", "america asn", "url add", "otx logo", "all ipv4", "searc", "date checked", "server response", "results dec", "unknown soa", "present aug", "present oct", "present sep", "present nov", "moved", "error", "title", "win32mydoom feb", "aaaa", "name servers", "trojan", "servers", "virtool", "united states", "apple", "crlf line", "unicode text", "utf8", "ff d5", "ascii text", "ee fc", "suspicious", "music", "malware", "role title", "ttl value", ".cc", "d4 f5", "msvisualcpp2002", "msvisualcpp2005", "apple support", ".ch", "privaterelay", "pattern match", "ck id", "mitre att", "ck matrix", "href", "et info", "general", "local", "path", "click", "learn", "command", "name tactics", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "present jun", "backdoor", "present may", "status", "ransom", "high", "medium", "windows", "tofsee", "loaderid", "lidfileupd", "localcfg", "rndhex", "stream", "delete", "emotet", "bot network", "mitm", "screenshot", "mimecast" ], "references": [ "http://apple.support.com/ht***** redirect", "https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8", "mac.store", "https://icloud.ch/cn/ipod-touch/", "https://icloud.ch/", "https://multicash.smbcgroup.com/gb/App/Authentication/Challenge", "https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/", "Redirect: schemas.microsoft.com", "apple.com(-inc.cc)", "oas-japac-domains-applecomputer.cn", "robert-aebi.appleid.com", "smtp2.icl-privaterelay.appleid.com", "http://audaxgroup.appleid.com/", "https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php", "iphonegermany.com", "api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud", "https://aspmx.l.google.com/", "api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com", "de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com", "http://www.icloud-sms-alert.com/", "monitoring.eurovision.net", "https://www.irby.com/iub-en/services/testing-and-monitoring", "monitor.kyos.ninja" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/IcedId.DI!MTB", "display_name": "Trojan:Win32/IcedId.DI!MTB", "target": "/malware/Trojan:Win32/IcedId.DI!MTB" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Worm:Win32/Bloored", "display_name": "Worm:Win32/Bloored", "target": "/malware/Worm:Win32/Bloored" }, { "id": "Win.Malware.Elenooka-6996044-0", "display_name": "Win.Malware.Elenooka-6996044-0", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6031, "hostname": 1971, "domain": 1125, "FileHash-SHA256": 1715, "email": 18, "FileHash-MD5": 317, "FileHash-SHA1": 164 }, "indicator_count": 11341, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686e17b1ac7253ec7e12f1e8", "name": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile", "description": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile | ImFurther investigation of familiar IoC\u2019s in Tethering T-mobile to iOS research. \n\nPalantir is the the Cyber Defense Firm that provides the weapons, man force, military, false arrest records ,reputation damage, the man who drove her off the road, constant stalking and the marketing of her music in other media.\n Realize this hot stock you\u2019re investing is a domestic and international terrorist organization. There are several\nPeople here being 24/7/365 monitored.\nThey have fulfillment centers from Amazon and can provide food to medicine, they have the entire military, all\ngovernment contracts and their own physicians. \n\n#malware #foundry #rip #palantir # twitter #paypalmafia #quasi #government # workerscompensation #law_enforcement # #jeffreyreimer #sabey #tsarabrashearslivesinourhearts", "modified": "2025-08-08T06:00:40.325000", "created": "2025-07-09T07:18:09.062000", "tags": [ "present jun", "united", "status", "present may", "present sep", "search", "date", "entries", "trojan", "name servers", "ransom", "twitter", "redacted for", "showing", "passive dns", "urls", "softlayer", "internet", "encrypt", "record value", "body", "service", "russia", "spain", "germany", "netherlands", "aaaa", "france", "virtool", "creation date", "expiration date", "servers", "hostname add", "pulse pulses", "files", "present aug", "ip address", "applenoc", "unknown ns", "next associated", "urls show", "date checked", "url hostname", "server response", "unknown aaaa", "secure server", "msie", "chrome", "moved", "title", "gmt content", "type", "pulse submit", "http", "hostname", "files domain", "files related", "pulses otx", "pulses", "related tags", "google safe", "indicator role", "title added", "active related", "url https", "dynamicloader", "write c", "windows nt", "wow64", "slcc2", "media center", "html", "as15169", "write", "xport", "copy", "guard", "malware", "suspicious", "next", "extraction", "data upload", "failed", "extri data", "include review", "exclude", "sugges", "stop x", "s data", "extr data", "extraction data", "enter soudcetdi", "ad tevdag", "cadad ad", "draie", "extri include", "review", "done", "levelblue", "exclude sugges", "uny inuuue", "find s", "typ hos", "script urls", "canada unknown", "script domains", "a domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 181, "FileHash-SHA1": 154, "FileHash-SHA256": 1857, "domain": 1424, "email": 13, "hostname": 1304, "URL": 4168, "CVE": 1, "SSLCertFingerprint": 4 }, "indicator_count": 9106, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "255 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a20ff8db3854e863dca324", "name": "Shared Modules | Hijacker | Masquerading", "description": "", "modified": "2024-02-12T04:01:56.040000", "created": "2024-01-13T04:22:16.961000", "tags": [ "filehashmd5", "no expiration", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "hostname", "expiration", "domain", "url https", "url http", "source", "stix", "email", "email abuse", "goreasonlimited", "cc no", "tompc", "sum35", "domain xn", "searchbox0", "domainname0", "view", "apple", "apple id", "hijacking", "masquerading", "exploit", "cams", "monitoring", "loki bot", "dns", "open ports", "malvertizing", "malware hosting", "apple script", "js user", "dga", "dga domains", "malware", "multiple_versions", "wagersta", "decode", "system information discovery", "decrypt", "evasion", "defense evasion", "emotet", "android", "ios", "wannacry", "trojan", "worm", "cyber threat", "benjamin", "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "contacted urls", "execution", "whois whois", "whois sslcert", "and china", "drop", "uchealth", "university of cincinnati health" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 2296, "FileHash-SHA256": 3362, "URL": 6191, "domain": 2033, "hostname": 3097, "email": 37, "CVE": 2 }, "indicator_count": 19719, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "798 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "codifiable.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "codifiable.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776677508.6388464 }