{
"type": "Domain",
"indicator": "copilot-cloud.net",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/copilot-cloud.net",
"alexa": "http://www.alexa.com/siteinfo/copilot-cloud.net",
"indicator": "copilot-cloud.net",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 4124580583,
"indicator": "copilot-cloud.net",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "69a73e8545dc6a32312482a1",
"name": "Silver Dragon Targets Organizations in Southeast Asia and Europe",
"description": "Check Point Research has identified a Chinese-nexus advanced persistent threat group named Silver Dragon, targeting organizations in Southeast Asia and Europe since mid-2024. The group, likely operating under APT41, exploits public-facing servers and uses phishing emails for initial access. They deploy custom tools including GearDoor, a backdoor using Google Drive for command and control, SSHcmd for remote access, and SilverScreen for covert screen monitoring. Silver Dragon primarily focuses on government entities, utilizing Cobalt Strike beacons and DNS tunneling for communication. The group's sophisticated tactics and evolving toolkit demonstrate a well-resourced and adaptable threat actor.",
"modified": "2026-03-04T11:07:57.364000",
"created": "2026-03-03T20:03:17.234000",
"tags": [
"apt",
"southeast asia",
"chinese",
"silverscreen",
"geardoor",
"dns tunneling",
"cobalt strike",
"government",
"sshcmd"
],
"references": [
"https://research.checkpoint.com/2026/silver-dragon-targets-organizations-in-southeast-asia-and-europe/"
],
"public": 1,
"adversary": "Silver Dragon",
"targeted_countries": [],
"malware_families": [
{
"id": "GearDoor",
"display_name": "GearDoor",
"target": null
},
{
"id": "SilverScreen",
"display_name": "SilverScreen",
"target": null
},
{
"id": "SSHcmd",
"display_name": "SSHcmd",
"target": null
},
{
"id": "Cobalt Strike - S0154",
"display_name": "Cobalt Strike - S0154",
"target": null
}
],
"attack_ids": [
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1036.005",
"name": "Match Legitimate Name or Location",
"display_name": "T1036.005 - Match Legitimate Name or Location"
},
{
"id": "T1021.004",
"name": "SSH",
"display_name": "T1021.004 - SSH"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1078",
"name": "Valid Accounts",
"display_name": "T1078 - Valid Accounts"
},
{
"id": "T1102.002",
"name": "Bidirectional Communication",
"display_name": "T1102.002 - Bidirectional Communication"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1059.003",
"name": "Windows Command Shell",
"display_name": "T1059.003 - Windows Command Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
}
],
"industries": [
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "AlienVault",
"id": "2",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
"is_subscribed": true,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 1,
"FileHash-SHA256": 31,
"domain": 12,
"hostname": 3
},
"indicator_count": 49,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 377485,
"modified_text": "45 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bbb27ef79369f1b24cd171",
"name": "EbeeMar2026 Pt2",
"description": "Multiple APT/threat actors, Malware and Campaigns",
"modified": "2026-04-18T08:06:12.483000",
"created": "2026-03-19T08:23:26.711000",
"tags": [
"filehashsha256",
"filehashsha1",
"filehashmd5",
"bitcoinaddress"
],
"references": [
"IOCs.2026.2.csv"
],
"public": 1,
"adversary": "Gentlemen Ransomware, Ruby Jumper, Moonrise RAT, Dust Specter, NoEscape, Ransom House, Steaelite",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "IMEBEEIMFINE",
"id": "343873",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 93,
"FileHash-MD5": 157,
"FileHash-SHA1": 150,
"FileHash-SHA256": 268,
"CVE": 5,
"domain": 135,
"email": 1,
"hostname": 42
},
"indicator_count": 851,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 37,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a3c685d4b7c139ffe62930",
"name": "Clone Pulse Reference",
"description": "",
"modified": "2026-04-01T00:44:45.494000",
"created": "2026-03-01T04:54:29.384000",
"tags": [
"ipv4",
"active related",
"trojandropper",
"mtb jun",
"lowfi",
"trojan",
"mtb jan",
"fastly error",
"please",
"united",
"ttl value",
"get na",
"total",
"delete",
"search",
"yara detections",
"sinkhole cookie",
"value snkz",
"write",
"suspicious",
"ransom",
"malware",
"Ransom.Win32.Birele.gsg Checkin",
"AnubisNetworks Sinkhole Cookie Value Snkz",
"Possible Compromised Host",
"dynamicloader",
"delete c",
"default",
"medium",
"write c",
"settingswpad",
"intel",
"ms windows",
"users",
"number",
"title",
"installer",
"top source",
"top destination",
"source source",
"port",
"filehash",
"av detections",
"ids detections",
"yara rule",
"gravityrat",
"detectvm",
"x00 x00",
"x00x00",
"doviacmd",
"rootjob",
"getfiles",
"updateserver",
"ethernetid",
"ids signatures",
"exploits",
"sid name",
"malware cve",
"dns query",
"dnsbin demo",
"data exfil",
"exif data",
"DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr",
"DNSBin Demo (requestbin .net) - Data Exfitration",
"source port",
"destination",
"present sep",
"script urls",
"script script",
"a domains",
"script domains",
"ip address",
"meta",
"present nov",
"passive dns",
"next associated",
"domain add",
"pe executable",
"entries",
"show",
"msie",
"windows nt",
"wow64",
"copy",
"present jan",
"present feb",
"domain",
"pulse pulses",
"urls",
"files",
"tam legal",
"christopher ahmann",
"https://unicef.se/assets/apple",
"treece alfrey",
"hours ago",
"information",
"report spam",
"ahmann colorado",
"state",
"special cousel",
"created",
"expiro",
"capture"
],
"references": [
"Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN",
"Fastly Error and Palantir blocked several times over the last few months.",
"Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)",
"IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.",
"Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN",
"Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT",
"Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName",
"Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage",
"https://unicef.se/assets/apple"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Neconyd.A",
"display_name": "Trojan:Win32/Neconyd.A",
"target": "/malware/Trojan:Win32/Neconyd.A"
},
{
"id": "PWS:Win32/QQpass.FC",
"display_name": "PWS:Win32/QQpass.FC",
"target": "/malware/PWS:Win32/QQpass.FC"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Malware.Urelas-9863836-0",
"display_name": "Win.Malware.Urelas-9863836-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Win.Trojan.Vundo-7170412-0",
"display_name": "Win.Trojan.Vundo-7170412-0",
"target": null
},
{
"id": "#Lowfi:SuspiciousSectionName",
"display_name": "#Lowfi:SuspiciousSectionName",
"target": null
},
{
"id": "Multiple Malware\u2019s , Trojans and Rats",
"display_name": "Multiple Malware\u2019s , Trojans and Rats",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6906bd99cadbd4140014c6af",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 909,
"domain": 454,
"hostname": 1404,
"URL": 3557,
"CIDR": 1,
"FileHash-MD5": 242,
"FileHash-SHA1": 185,
"email": 1,
"CVE": 1
},
"indicator_count": 6754,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ca31b28c2fa3e734bf5000",
"name": "instagram staged credit clone a vashti :(",
"description": "",
"modified": "2026-03-31T12:16:21.521000",
"created": "2026-03-30T08:17:54.205000",
"tags": [
"dynamicloader",
"port",
"destination",
"yara rule",
"high",
"tofsee",
"rndhex",
"rndchar",
"loaderid",
"write",
"stream",
"malware",
"systemroot",
"write c",
"displayname",
"windows",
"trojan",
"defender",
"unknown",
"less see",
"all ip",
"contacted",
"less related",
"meta",
"emotet",
"backdoor",
"packer",
"many",
"hall render",
"brian sabey",
"christopher p. ahmann",
"state of colorado",
"google",
"yahoo",
"microsoft",
"stealth window",
"reads_self",
"injection write process",
"remote",
"remote process",
"dynamic function loading",
"compromises device",
"dead connect",
"dynamic loader",
"command",
"cnc",
"sleep sandbox",
"iocontrol",
"behavior tofsee",
"suspicious code",
"injection",
"persistence",
"rootkit",
"social media",
"belgium belgium",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"network traffic",
"t1071",
"spawns",
"html content",
"href",
"general",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"defense evasion",
"development att",
"tracking"
],
"references": [
"Instagram.com",
"IDS Detections: tofsee",
"Alerts antivm_generic_services persistence_ads anomalous_deletefile Idead_connect",
"Alerts: suspicious_tld queries_computer_name dynamic_function_loading",
"Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
"IP\u2019s Contacted: 94.100.180.31 142.251.9.27 98.136.96.91 43.231.4.7 52.101.8.42",
"Domains Contacted microsoft.com microsoft-com.mail.protection.outlook.com yahoo.com mta7.am0.yahoodns.net google.com",
"Brian Sabey , Christopher P. Ahmann , State of Colorado who",
"http://tracking-sa3.account.riyadhair.com/tracking/1/open/UGnB4w8RQiQ_9PYty4S-rwBmOetPQw3ubFHSNKg_IdhZfkaCbjqN3pnR4Xwk6pQcRBqF2aoq0uEaKMM4CX1kTpZsAD10-fxAPEgqGzJ2o7BJmsh_G2B6P-m_Xqc_LOycbcGBss0kXIEJvMGRw2SMITzqmVnh1yI_FuZV37qgGHZG3lP1V-WMaNTc8FYNIcgSRyTFamC5k3I1LkpsmTgX5Dd20Ko3IxUqFRC74clpVo-uFwRAb1Q1gSfKrDBX6_LaXkgv9gfyPy7L2BKxAmFBe-Ump3D_wGRDTXekPO5VZJ46hn0pUrOy2g8606kgb703eJVnmrz0cgCd-8P1dOdfoOFrSqOuXzfDNCaUU-2xl1aHVjGCZGIWX6B4bYqznMqsvI8UxoitF5tZTZ3opRhymDkrsItHdJPUnzkc6N_Z370RVT54BihKCohH14lIRQVQN9v74E",
"Looks like a Pegasus tracking sphere. All contacts and contacts, contacts tracked."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Emotet.YL",
"display_name": "Trojan:Win32/Emotet.YL",
"target": "/malware/Trojan:Win32/Emotet.YL"
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6949b6d8180bca3df9783578",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 911,
"domain": 178,
"hostname": 206,
"FileHash-SHA256": 647,
"FileHash-MD5": 38,
"FileHash-SHA1": 28
},
"indicator_count": 2008,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698ef344417f9985660e698b",
"name": "Pulse Data",
"description": "A complete summary of all the key points in the analysis of the W32.virus, compiled by the University of California, Los Angeles, at the end of May, 2014, and published online.",
"modified": "2026-03-28T07:23:23.210000",
"created": "2026-02-13T09:47:48.788000",
"tags": [
"imphash",
"file type",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"detections tls",
"zeppelin"
],
"references": [
"",
"4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access "
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 646,
"FileHash-SHA1": 604,
"FileHash-SHA256": 1373,
"hostname": 1143,
"domain": 1381,
"URL": 2537,
"CVE": 101,
"email": 25,
"SSLCertFingerprint": 9
},
"indicator_count": 7819,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "22 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698e906da16336f8e87c3b90",
"name": "CoinHive Clone ",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-02-13T02:46:05.544000",
"tags": [
"united",
"td tr",
"a domains",
"history group",
"state",
"b td",
"present sep",
"find",
"alabama",
"iowa",
"apache",
"content type",
"passive dns",
"meta http",
"content",
"gmt server",
"pragma",
"title",
"linksys eseries",
"device rce",
"inbound",
"et exploit",
"attempt",
"et webserver",
"suspicious user",
"user agent",
"et worm",
"policy python",
"python",
"agent",
"generic",
"malware",
"nids",
"dst_ip",
"\"sid\": 2017515,",
"2020/08/23",
"dst_port\": 8080",
"suricata",
"network_icmp",
"tcp_syn_scan",
"unix",
"mirai",
"infection",
"port 8080",
"aitm",
"mitm",
"xfinity",
"lumen backbone",
"xfinity cf",
"et info",
"useragent",
"webserver",
"android",
"linux",
"statistically stripped",
"local",
"Jefferson County",
"Colorado",
"State",
"is__elf",
"is__war",
"cyber warfare",
"marking",
"targeting",
"stalking",
"impersonating",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"initial access",
"defense evasion",
"mitre att",
"ck matrix",
"february",
"hybrid",
"general",
"path",
"encrypt",
"click",
"strings",
"attack",
"ssl certificate",
"ascii text",
"dynamicloader",
"yara rule",
"ff d5",
"medium",
"high",
"eb d8",
"f0 ff",
"ff bb",
"host",
"unknown",
"explorer",
"virtool",
"write",
"next",
"Douglas County",
"Michael Roberts",
"Brian Sabey",
"Chris\u2019Buzz\u2019 Ahmann",
"Mirai BotMaster",
"file type",
"pexe",
"pe32",
"intel",
"ms windows",
"date march",
"am size",
"imphash",
"otx logo",
"all filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"moved",
"urls",
"expiration date",
"all hostname",
"files",
"media",
"present feb",
"present jan",
"present dec",
"present nov",
"ip address",
"present",
"codex",
"sf.net",
"next associated",
"ipv4 add",
"location united",
"america flag",
"spawns",
"found",
"t1480 execution",
"pattern match",
"present aug",
"search",
"name servers",
"showing",
"record value",
"meta",
"accept",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"denver",
"yandex",
"post",
"entries",
"post http",
"show",
"post liquor",
"execution",
"port",
"destination",
"icmp traffic",
"dns query",
"include",
"top source"
],
"references": [
"https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in",
"genealogytrails.com",
"It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT",
"Has been present throughout a specific campaign",
"Mirai",
"IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt",
"IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS",
"IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests",
"IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)",
"IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden",
"ET INFO User-Agent (python-requests) Inbound to Webserver",
"Suspicious User Agent | ETPRO POLICY Python Requests",
"src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105",
"\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,",
"TCP SYN packets were observed",
"ET WORM TheMoon.linksys.router",
"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound",
"\"ET WEB_SERVER WebShell Generic - wget http - POST",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX",
"Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication",
"Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc",
"Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject",
"File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:",
"upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4",
"192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net",
"Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB",
"IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz",
"IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin",
"Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process",
"Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options",
"Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..",
"IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193",
"IPs Contacted: 149.56.240.31 172.66.136.209",
"Domains Contacted: c.statcounter.com sstatic1.histats.com",
"Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com",
"Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com",
"Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com",
"Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com",
"Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com",
"Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com",
"Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com",
"Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7646352-0",
"display_name": "Unix.Trojan.Mirai-7646352-0",
"target": null
},
{
"id": "SpyFu",
"display_name": "SpyFu",
"target": null
},
{
"id": "Win.Trojan.VB-83922",
"display_name": "Win.Trojan.VB-83922",
"target": null
},
{
"id": "virtool:Win32/VBInject.gen!JB",
"display_name": "virtool:Win32/VBInject.gen!JB",
"target": "/malware/virtool:Win32/VBInject.gen!JB"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "698966742c9fd9691396bb3a",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5836,
"domain": 857,
"FileHash-MD5": 185,
"FileHash-SHA1": 147,
"hostname": 1842,
"email": 7,
"FileHash-SHA256": 947,
"CVE": 43,
"SSLCertFingerprint": 8
},
"indicator_count": 9872,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b49ad5dd40a24d83cd6a72",
"name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-03-13T23:16:37.716000",
"created": "2026-03-13T23:16:37.716000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69631fbd16e306ee2b76c4da",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b496396ca4987e95ad37d1",
"name": "Chris Buzz by QVashni (wow)",
"description": "",
"modified": "2026-03-13T22:56:57.314000",
"created": "2026-03-13T22:56:57.314000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69482caa00d327da8f0a87bc",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b49587dd104e342dda1628",
"name": "C Ahman Attorney Clone by Top Tier, Q.Vashti",
"description": "",
"modified": "2026-03-13T22:53:59.112000",
"created": "2026-03-13T22:53:59.112000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698966742c9fd9691396bb3a",
"name": "CoinHive In-Browser Miner | ET EXPLOIT Linksys E-Series Device RCE Attempt via \u2018AI chat\u2019 Xfinity Commercial Fleet vehicle parked /AITM",
"description": "Merits further research. Work no is consistent with a man advocate named Michael\nRoberts of Rexxfield and Miles2/ Mile2 / seen frequently in attacks against females | targeted individual apparently was using an AI browser search when a keyword triggered glitches.\nSearch of a URL\ntarget has never heard of or seen found in device search results. Targets device injected, Mirai botnet found, Other suspicious findings. TBConrinued..:.\n[OTX. Auto populated Significantly more details have been revealed about the GoDaddy.com domain, which has been listed as an unregistered domain by the Internet Service Authority (icann). and its users are not allowed to use it.] #man_jn_tve_midxle #drive_ by_compromise #injection.",
"modified": "2026-03-11T04:02:50.189000",
"created": "2026-02-09T04:45:40.250000",
"tags": [
"united",
"td tr",
"a domains",
"history group",
"state",
"b td",
"present sep",
"find",
"alabama",
"iowa",
"apache",
"content type",
"passive dns",
"meta http",
"content",
"gmt server",
"pragma",
"title",
"linksys eseries",
"device rce",
"inbound",
"et exploit",
"attempt",
"et webserver",
"suspicious user",
"user agent",
"et worm",
"policy python",
"python",
"agent",
"generic",
"malware",
"nids",
"dst_ip",
"\"sid\": 2017515,",
"2020/08/23",
"dst_port\": 8080",
"suricata",
"network_icmp",
"tcp_syn_scan",
"unix",
"mirai",
"infection",
"port 8080",
"aitm",
"mitm",
"xfinity",
"lumen backbone",
"xfinity cf",
"et info",
"useragent",
"webserver",
"android",
"linux",
"statistically stripped",
"local",
"Jefferson County",
"Colorado",
"State",
"is__elf",
"is__war",
"cyber warfare",
"marking",
"targeting",
"stalking",
"impersonating",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"initial access",
"defense evasion",
"mitre att",
"ck matrix",
"february",
"hybrid",
"general",
"path",
"encrypt",
"click",
"strings",
"attack",
"ssl certificate",
"ascii text",
"dynamicloader",
"yara rule",
"ff d5",
"medium",
"high",
"eb d8",
"f0 ff",
"ff bb",
"host",
"unknown",
"explorer",
"virtool",
"write",
"next",
"Douglas County",
"Michael Roberts",
"Brian Sabey",
"Chris\u2019Buzz\u2019 Ahmann",
"Mirai BotMaster",
"file type",
"pexe",
"pe32",
"intel",
"ms windows",
"date march",
"am size",
"imphash",
"otx logo",
"all filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"moved",
"urls",
"expiration date",
"all hostname",
"files",
"media",
"present feb",
"present jan",
"present dec",
"present nov",
"ip address",
"present",
"codex",
"sf.net",
"next associated",
"ipv4 add",
"location united",
"america flag",
"spawns",
"found",
"t1480 execution",
"pattern match",
"present aug",
"search",
"name servers",
"showing",
"record value",
"meta",
"accept",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"denver",
"yandex",
"post",
"entries",
"post http",
"show",
"post liquor",
"execution",
"port",
"destination",
"icmp traffic",
"dns query",
"include",
"top source"
],
"references": [
"https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in",
"genealogytrails.com",
"It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT",
"Has been present throughout a specific campaign",
"Mirai",
"IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt",
"IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS",
"IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests",
"IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)",
"IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden",
"ET INFO User-Agent (python-requests) Inbound to Webserver",
"Suspicious User Agent | ETPRO POLICY Python Requests",
"src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105",
"\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,",
"TCP SYN packets were observed",
"ET WORM TheMoon.linksys.router",
"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound",
"\"ET WEB_SERVER WebShell Generic - wget http - POST",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX",
"Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication",
"Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc",
"Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject",
"File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:",
"upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4",
"192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net",
"Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB",
"IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz",
"IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin",
"Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process",
"Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options",
"Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..",
"IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193",
"IPs Contacted: 149.56.240.31 172.66.136.209",
"Domains Contacted: c.statcounter.com sstatic1.histats.com",
"Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com",
"Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com",
"Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com",
"Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com",
"Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com",
"Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com",
"Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com",
"Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7646352-0",
"display_name": "Unix.Trojan.Mirai-7646352-0",
"target": null
},
{
"id": "SpyFu",
"display_name": "SpyFu",
"target": null
},
{
"id": "Win.Trojan.VB-83922",
"display_name": "Win.Trojan.VB-83922",
"target": null
},
{
"id": "virtool:Win32/VBInject.gen!JB",
"display_name": "virtool:Win32/VBInject.gen!JB",
"target": "/malware/virtool:Win32/VBInject.gen!JB"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5779,
"domain": 730,
"FileHash-MD5": 185,
"FileHash-SHA1": 147,
"hostname": 1790,
"email": 5,
"FileHash-SHA256": 947,
"CVE": 3,
"SSLCertFingerprint": 8
},
"indicator_count": 9594,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "39 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698037098c99c37cb91037c2",
"name": "Busy Box MITM Attacks via Drive-by-Compromise | Facebook | Apple",
"description": "Busy Box - MITM Attack\n\nDrive-by-Compromise | Facebook | Jamie Oliver Recipes | My sister-in-law made this once and I couldn\u2019t stop eating it. \nAdversarial Facebook pop up posts. .\n\n|| Pykspa.C Check in. \"Pykspa is a type of Remote Access Trojan (RAT). A powerful a worm that spreads via social media or via DGA algorithms. Parking crews are fond of these types of attacks. Christopher Ahmann",
"modified": "2026-03-04T04:07:14.513000",
"created": "2026-02-02T05:32:57.303000",
"tags": [
"no expiration",
"filehashsha256",
"ipv4",
"url http",
"domain",
"hostname",
"filehashmd5",
"filehashsha1",
"iocs",
"url https",
"search",
"type indicator",
"review iocs",
"role title",
"create new",
"pulse use",
"pdf report",
"pcap",
"extraction",
"sc data",
"extre data",
"include review",
"exclude sugges",
"data upload",
"failed",
"find s",
"oo data",
"enter source",
"url or",
"text drag",
"expiration",
"showing",
"entries",
"protect",
"pulse show",
"email abuse",
"related pulses",
"indicator role",
"returnurl no",
"drop",
"pulse provide",
"public tlp",
"green",
"adversary tags",
"buzz",
"x8664",
"add tag",
"groups add",
"add industry",
"trojan",
"tags"
],
"references": [
"https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9",
"www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250",
"Antivirus Detections: Trojan:Win32/Dorv.A",
"IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)",
"IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup",
"IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check",
"IDS Detections: Domain (whatismyipaddress .com in HTTP Host)",
"Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key",
"Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location",
"Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile",
"Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed",
"Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http",
"IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80",
"IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75",
"Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca",
"Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com",
"Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org",
"Antivirus Detections: Win.Malware.Pits-10035540-0",
"Yara: Detections Delphi",
"Alerts: infostealer_cookies antiav_detectfile",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022",
"http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/",
"http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe",
"http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/",
"http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt",
"output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]",
"https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary",
"https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a",
"https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf",
"https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423",
"https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9",
"apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022",
"https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022",
"http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022",
"https://cpcontacts.apple4you.it",
"AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference",
"adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com",
"https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest",
"https://fs25.mygamesteam.com/download/underground-parking/",
"http://spiritzuridgerunelahubcloudgusparkx.rest/",
"127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies",
"9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB",
"ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB",
"IDS Detections: Suspicious Activity potential UPnProxy",
"Yara Detections: is__elf , ECHOBOT",
"Alerts: dead_host network_icmp tcp_by",
"Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT",
"TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169",
"TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335",
"TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown",
"TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud",
"TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks",
"TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination",
"TAGS: detection detections detections name development att direct dirty dns resolutions domain",
"TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att",
"TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip",
"TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver",
"TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey",
"TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec",
"TAGS: mtb yara name servers name tactics network traffic new browser next associated next",
"TAGS: yara niggercat none file null object os x outbound passive dns path pattern match",
"TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push",
"TAGS: pyspark python python initiated quic ransom recipes record value redacted for",
"TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner",
"TAGS: sample analysis se domains search security quic add source level span spawns spy",
"TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation",
"TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater",
"TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Hungary"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "DDos:Linux/Gafgyt.YA!MTB",
"display_name": "DDos:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDos:Linux/Gafgyt.YA!MTB"
},
{
"id": "ELF:DDoS-S\\ [Trj]",
"display_name": "ELF:DDoS-S\\ [Trj]",
"target": null
},
{
"id": "Pykspa.C",
"display_name": "Pykspa.C",
"target": null
},
{
"id": "Trojan:Win32/Dorv.A",
"display_name": "Trojan:Win32/Dorv.A",
"target": "/malware/Trojan:Win32/Dorv.A"
},
{
"id": "Unix.Trojan.Gafgyt-698115",
"display_name": "Unix.Trojan.Gafgyt-698115",
"target": null
},
{
"id": "4-0 Win.Malware.Pits-10035540-0",
"display_name": "4-0 Win.Malware.Pits-10035540-0",
"target": null
},
{
"id": "Win.Packed.Usteal-7531303-0",
"display_name": "Win.Packed.Usteal-7531303-0",
"target": null
},
{
"id": "tR",
"display_name": "tR",
"target": null
},
{
"id": "DeathHiddenTear (Large&Small HT) >",
"display_name": "DeathHiddenTear (Large&Small HT) >",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1586,
"FileHash-SHA1": 1479,
"FileHash-SHA256": 1938,
"URL": 4548,
"domain": 1052,
"hostname": 2501,
"email": 9,
"SSLCertFingerprint": 7,
"CIDR": 2
},
"indicator_count": 13122,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "46 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a79b47a0ec8bb37b7b620d",
"name": "IOC - Silver Dragon Targets Organizations in Southeast Asia and Europe",
"description": "In recent months, Check Point Research (CPR) has been tracking a sophisticated, Chinese-aligned threat group whose activity demonstrates operational correlation with campaigns previously associated with APT41. We have designated this activity cluster as Silver Dragon. This group actively targets organizations in Southeast Asia and Europe, with a particular focus on government entities. Silver Dragon employs a range of initial access techniques, primarily relying on the exploitation of public facing servers, and more recently, email-based phishing campaigns.",
"modified": "2026-03-04T02:39:03.965000",
"created": "2026-03-04T02:39:03.965000",
"tags": [
"c2 domain",
"install bat",
"bamboloader",
"monikerloader",
"phishing lnk",
"geardoor",
"silverscreen",
"domain"
],
"references": [
"https://research.checkpoint.com/2026/silver-dragon-targets-organizations-in-southeast-asia-and-europe/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "celestre",
"id": "295357",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 12,
"FileHash-SHA1": 12,
"FileHash-SHA256": 31,
"domain": 12
},
"indicator_count": 67,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "46 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a772d9345d4469006f19aa",
"name": "Silver Dragon Campaign Against Government and Critical Sectors",
"description": "Researchers at Check Point Research have tracked Silver Dragon a China\naligned APT targeting government and organizational entities in Southeast\nAsia and Europe.",
"modified": "2026-03-03T23:46:33.682000",
"created": "2026-03-03T23:46:33.682000",
"tags": [
"install bat",
"bamboloader",
"monikerloader",
"phishing lnk",
"silverscreen",
"geardoor"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "cryptocti",
"id": "110256",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1,
"FileHash-SHA1": 1,
"FileHash-SHA256": 31,
"domain": 12
},
"indicator_count": 45,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 486,
"modified_text": "46 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "697cdce9ec418c422eee2054",
"name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019",
"description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.",
"modified": "2026-03-01T16:05:57.375000",
"created": "2026-01-30T16:31:37.011000",
"tags": [
"url https",
"url http",
"tlsv1",
"whitelisted",
"united",
"read c",
"as15169",
"stcalifornia",
"execution",
"dock",
"write",
"persistence",
"malware",
"encrypt",
"active",
"lumen technologies",
"number",
"error",
"regexp",
"sxa0",
"amptoken",
"optout",
"retrieving",
"notfound",
"unknown",
"form",
"flash",
"backdoor",
"writeconsolew",
"yara detections",
"command line",
"pdb path",
"pe resource",
"internalname",
"windows command",
"A",
"aws",
"name servers",
"url analysis",
"passive dns",
"urls",
"data upload",
"extraction",
"palantir",
"c2",
"aerospace",
"tracking",
"spywatchdog",
"palapa-c2",
"communications satellite",
"amazon",
"hughesnet",
"icmp traffic",
"washington c",
"washington ou",
"mopr",
"mon jul",
"local",
"dynamic",
"apple",
"network",
"t1057",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1480",
"guardrails",
"t1566",
"present jan",
"unknown ns",
"ip address",
"dnssec",
"domain",
"dynamic dns",
"government",
"pcup",
"germany unknown",
"link",
"dns hosting",
"cloudns",
"cloud dns",
"a domains",
"ipv4 add",
"title",
"meta",
"class",
"servers",
"present aug",
"aaaa",
"present sep",
"present nov",
"present jul",
"present may",
"moved",
"canada unknown",
"begin",
"record value",
"gmt content",
"type",
"hostname add",
"files",
"ascii text",
"pattern match",
"href",
"mitre att",
"ck id",
"ck matrix",
"network traffic",
"et info",
"general",
"path",
"click",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"adversaries",
"input url",
"defense evasion",
"france",
"ireland",
"netherlands",
"denmark",
"united kingdom",
"type indicator",
"role title",
"added active",
"savvis",
"centurylinktechnology",
"hybrid analysis",
"monitoring tools",
"monitored target",
"triangulation",
"worm",
"intel",
"ms windows",
"pe32",
"write c",
"delete c",
"show",
"russia as47764",
"unix",
"lsan jose",
"odigicert inc",
"markus",
"url add",
"http",
"related nids",
"files location",
"russia flag",
"russia hostname",
"russia",
"russia unknown",
"hosting",
"federation flag",
"body",
"gmt vary",
"accept encoding",
"gmt cache",
"certificate",
"pulse submit",
"unknown aaaa",
"search",
"entries",
"script domains",
"script urls",
"pdx cf"
],
"references": [
"\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device",
"Yare: compromised_site_redirector_fromcharcode",
"Alerts: network_icmp nolookup_communication js_eval recon_fingerprint",
"Alerts: console_output has_pdb pe_unknown_resource_name",
"File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..",
"Tipped: A targets AI and other cyber research findings.",
"A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.",
"track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software",
"https://palapa.c.id\t (c.id)",
"Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com",
"cedevice.io \u2022 decagonsoftware.com",
"http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net",
"http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF",
"pcup.gov.ph:",
"http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:",
"https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:",
"https://elegantcosmedampyeah.pages.dev/",
"https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/",
"inst.govelopscold.com",
"https://feedback.ptv.vic.gov.au/360",
"nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au",
"nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au",
"https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d",
"https://brand.centurylinktechnology.com",
"https://prod.centurylinktechnology.com",
"https://brand2.centurylinktechnology.com",
"https://mobile-pocket-guide.centurylinktechnology.com",
"UPX_OEP_place",
"Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg",
"ASP. NET",
"https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:",
"7box.vip"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan.Tofsee/Botx",
"display_name": "Trojan.Tofsee/Botx",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "PWS:Win32/Axespec.A",
"display_name": "PWS:Win32/Axespec.A",
"target": "/malware/PWS:Win32/Axespec.A"
},
{
"id": "Worm:Win32/Lightmoon.H",
"display_name": "Worm:Win32/Lightmoon.H",
"target": "/malware/Worm:Win32/Lightmoon.H"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1439",
"name": "Eavesdrop on Insecure Network Communication",
"display_name": "T1439 - Eavesdrop on Insecure Network Communication"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1069.003",
"name": "Cloud Groups",
"display_name": "T1069.003 - Cloud Groups"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 102,
"FileHash-SHA1": 59,
"FileHash-SHA256": 1929,
"domain": 854,
"hostname": 2156,
"URL": 4475,
"SSLCertFingerprint": 9,
"email": 7,
"CVE": 1
},
"indicator_count": 9592,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "48 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "697998461e60a245748d9262",
"name": "Apple - Spyware / Lumen Technologies as Administrator of another iOS device",
"description": "We were in the process of researching why and who the admin is on a targets iOS former device. \nThe device is 115 months old. We tested functionality, volume, apps, etc. Without searching for or clicking on anything an attorney named M. Brian Sabey popped up. The device flickered and the website opened. 10 minutes later the entire screen turned white and there was missing content. Sabey has been breaking the law[ slander, spoliation of evidence and monitoring a victim] | Day 2 -Lumen Technologies website/ html opens without provocation. . \nWe tested targets the iPhone all calls are managed by Lumen Technologies. Most calls are not allowed ; an error code is announced. The only way to continue call is by agreeing to pay for a local call..\n\nI didn\u2019t look for malware in pulse, spyware found. Weds research . The behavior of alleged attorneys is egregious and illegal.",
"modified": "2026-02-27T04:03:41.548000",
"created": "2026-01-28T05:01:58.923000",
"tags": [
"unix",
"delete c",
"united",
"json",
"write c",
"ascii text",
"default",
"ireland as16509",
"write",
"markus",
"malware",
"url https",
"ipv4",
"url http",
"active related",
"ids detections",
"https domain",
"tls sni",
"yara detections",
"upxoepplace",
"upx alerts",
"contacted",
"show",
"denmark as20940",
"as16509",
"local",
"copy",
"spyware",
"passive dns",
"urls",
"related nids",
"files location",
"flag united",
"related tags",
"present jan",
"title",
"ip address",
"registrar",
"blue internet",
"uk limited",
"namesco",
"cookie",
"t1012",
"t1132",
"data encoding",
"t1573",
"channel",
"thumbprint",
"graph summary",
"lumen technologies",
"hallrender",
"briansabey"
],
"references": [
"https://www.lumen.com/en-us/contact-us.html",
"https://hallrender.com/attorney/brian-sabey",
"Lumen Technologies",
"Installer Pulse coming soon. It\u2019s probably already posted. Will locate.",
"mycvsvet.co.uk - Team Blue Internet Services UK Limited",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Yara Detections: UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser ,",
"Yara Detections: UPX Alerts injection_inter_process cape_extracted_content",
"IP\u2019s Contacted: 2.23.173.27 2.23.173.19 34.199.131.241 34.247.72.3 52.19.228.126 104.19.178.52",
"IP\u2019s Contacted: 172.64.41.3 63.140.62.27 162.159.140.165 23.199.75.66"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 810,
"domain": 149,
"hostname": 398,
"FileHash-MD5": 153,
"FileHash-SHA1": 55,
"FileHash-SHA256": 1093,
"SSLCertFingerprint": 3
},
"indicator_count": 2661,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "51 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "697488f095f69d392afd00fb",
"name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes",
"description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.",
"modified": "2026-02-23T07:04:04.285000",
"created": "2026-01-24T08:55:12.845000",
"tags": [
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"href",
"ascii text",
"pattern match",
"mitre att",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"form",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"active related",
"url https",
"related pulses",
"url http",
"united",
"czechia",
"hong kong",
"ipv4",
"indicators hong",
"kong",
"south korea",
"netherlands",
"germany",
"ireland",
"denmark",
"sweden",
"active",
"government",
"finance",
"security",
"type indicator",
"yara detections",
"av detections",
"ids detections",
"alerts",
"analysis date",
"mcsf",
"microsoft",
"yara",
"insurance",
"fidelity investments",
"description",
"fidelity international",
"ms windows",
"pe32",
"writeconsolew",
"read c",
"pe32 executable",
"t1045",
"susp",
"write",
"win64",
"malware",
"modified",
"ck ids",
"t1040",
"sniffing",
"packing",
"t1112",
"packing t1045",
"icmp traffic",
"memcommit",
"pe section",
"low software",
"pe resource",
"win32",
"trojan",
"april",
"sara ligorria",
"tramp advert",
"black paper",
"createdate",
"subject laser",
"title laser",
"format",
"types of",
"japan",
"regsetvalueexa",
"regdword",
"regbinary",
"module download",
"tls handshake",
"high",
"defense evasion",
"discovery att",
"adversaries",
"title",
"role",
"flag",
"name server",
"server",
"domain address",
"markmonitor",
"clicktale ltd",
"enom",
"whoisguard",
"medium",
"unicode",
"rgba",
"delete",
"crlf line",
"next",
"dock",
"execution",
"date",
"users",
"tls sni",
"total",
"cnc domain",
"search",
"oamazon",
"cnamazon rsa",
"push",
"failure yara",
"contacted",
"hours ago",
"created",
"cia",
"fbi",
"telegram",
"tulach",
"sabey",
"state",
"gov",
"ahmann",
"financial fraud",
"t-mobile",
"walmartmobile",
"life insurance",
"fidelity life",
"guarantee",
"team",
"role title",
"added active",
"scan",
"iocs",
"learn more",
"filehashsha1",
"filehashmd5",
"kw3recepten",
"domainname0",
"searchbox0",
"kw1brinta",
"kw2muesli",
"indicator role",
"title added",
"pulses url",
"cve cve20170147",
"apple",
"apple id"
],
"references": [
"https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226",
"https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com",
"http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com",
"https://bhive.nectar.social/rKvoMY",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,",
"TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161",
"Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.",
"EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name",
"Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.",
"Domains Contacted api.nuget.org",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png",
"https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.fidelity.com/ https://www.fidelity.com/",
"cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99",
"cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl",
"https://www.anyxxxtube.net/search-porn/",
"https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears",
"fidelity-account.com e http://fidelity-account.com/fidelity/code.html",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex",
"http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022",
"\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:",
"https://bhive.nectar.social/rKvoMY",
"apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co",
"http://appleid.app",
"https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win64:Trojan-gen",
"display_name": "Win64:Trojan-gen",
"target": null
},
{
"id": "Trojan:MSIL/Ursu.KP",
"display_name": "Trojan:MSIL/Ursu.KP",
"target": "/malware/Trojan:MSIL/Ursu.KP"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F",
"target": null
},
{
"id": "Trojan:PDF/Phish.RR!MTB",
"display_name": "Trojan:PDF/Phish.RR!MTB",
"target": "/malware/Trojan:PDF/Phish.RR!MTB"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": ": ALF:Trojan:MSIL/Azorult.AC!",
"display_name": ": ALF:Trojan:MSIL/Azorult.AC!",
"target": null
},
{
"id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB",
"target": null
},
{
"id": "Trojan:Win32/Conbea!rfn",
"display_name": "Trojan:Win32/Conbea!rfn",
"target": "/malware/Trojan:Win32/Conbea!rfn"
},
{
"id": "Trojan:Win32/Ausiv!rfn",
"display_name": "Trojan:Win32/Ausiv!rfn",
"target": "/malware/Trojan:Win32/Ausiv!rfn"
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat",
"target": null
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "TrojanDropper:Win32/Qhost",
"display_name": "TrojanDropper:Win32/Qhost",
"target": "/malware/TrojanDropper:Win32/Qhost"
},
{
"id": "Trojan:Win32/Miner.KA!MTB",
"display_name": "Trojan:Win32/Miner.KA!MTB",
"target": "/malware/Trojan:Win32/Miner.KA!MTB"
},
{
"id": "DNSTrojan",
"display_name": "DNSTrojan",
"target": null
},
{
"id": "EternalRocks",
"display_name": "EternalRocks",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Finance",
"Insurance"
],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2793,
"URL": 6639,
"FileHash-SHA256": 2462,
"domain": 1070,
"FileHash-MD5": 307,
"FileHash-SHA1": 186,
"SSLCertFingerprint": 1,
"email": 1,
"CVE": 3
},
"indicator_count": 13462,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "55 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6967bc8b26b69d4dc2604a13",
"name": "Telegram@V2ray_Alpha/ | Mirai | ExhoBot CNC | EtT",
"description": "Inbound Outbound connections. Tel et error. Hacking activity affecting various forms of connectivity via telecom. Possibly a controls\n computer vehicle connects to. Related? I was researching increased malicious activity aimed against a target. An associate close to target reported (mid research) Vehicle reported \u2018no longer being able to communicate. Module 5 has an error. Please contact customer service). Targets car was powered oof. No Bluetooth connection. No reports. Audio off. No phone message, connection or dial. This is targets experience not mowing what I was researching.",
"modified": "2026-02-13T15:04:30.631000",
"created": "2026-01-14T15:55:55.693000",
"tags": [
"v2rayalpha",
"united",
"unknown ns",
"unknown aaaa",
"domain add",
"urls",
"files",
"domain",
"github",
"file format",
"jkvpn",
"jointelegram",
"farahvpn vless",
"post",
"universal",
"scribd",
"typews",
"telegram",
"rdap",
"handle",
"iana registrar",
"roles",
"dnssec",
"aaaa",
"ttl value",
"rdap database",
"links",
"backdoor",
"antigua",
"virgin islands",
"status",
"org domains",
"proxy",
"ip address",
"barbuda unknown",
"passive dns",
"ipv4 add",
"twitter",
"dynamicloader",
"port",
"delete c",
"destination",
"high",
"windows",
"medium",
"displayname",
"write",
"tofsee",
"stream",
"malware",
"push",
"next",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ck techniques",
"evasion att",
"sha256",
"sha1",
"pattern match",
"ascii text",
"href",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"search",
"moved",
"record value",
"servers",
"title",
"encrypt",
"canada unknown",
"gmt content",
"reverse dns",
"location canada",
"canada asn",
"accept",
"cookie",
"dll read",
"function read",
"wscriptshell",
"shortcut",
"guard",
"error",
"present jan",
"name servers",
"registrar url",
"hong kong",
"invalid url",
"url analysis",
"location hong",
"kong flag",
"msie",
"chrome",
"type",
"media type",
"certificate",
"hostname add",
"present nov",
"present sep",
"present oct",
"expiration date",
"present dec",
"script urls",
"a domains",
"present mar",
"present feb",
"meta",
"show",
"read c",
"entries",
"read",
"intel",
"ms windows",
"delete",
"please",
"artemis",
"virustotal",
"trojan",
"mcafee",
"drweb",
"vipre",
"panda",
"write c",
"total",
"next associated",
"thursday",
"gmt cache",
"ipv4",
"form",
"date",
"mirai",
"telnet login",
"south korea",
"bad login",
"as4766 korea",
"taiwan as3462",
"china as45090",
"telnet root",
"cve201717215",
"execution",
"copy",
"contacted",
"mtb ids",
"dns query",
"variant cnc",
"domain huawei",
"remote command",
"huawei remote",
"echobot",
"linux mirai",
"monitoring",
"cnc"
],
"references": [
"https://pamchall.com/Telegram@V2ray_Alpha/",
"Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net",
"https://t.me/",
"Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Cabinet_Archive , SFX_CAB",
"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",
"Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB",
"IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)",
"Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"Huawei HG532 RCE Vulnerability (CVE-2017-17215)",
"DYNAMIC_DNS Query to *.duckdns. Domain",
"SUSPICIOUS Path to BusyBox HiSilicon DVR - Default",
"Telnet Root Password Inbound TELNET login failed root login Bad Login Less",
"Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT",
"dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout",
"IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202",
"IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227",
"Contacted: newmethcnc.duckdns.org",
"https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e",
"https://eurotarget.com/it/auto/toyota/c-hr/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Win.Malware.Reline-9887776-0",
"display_name": "Win.Malware.Reline-9887776-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai.N!MTB",
"display_name": "Backdoor:Linux/Mirai.N!MTB",
"target": "/malware/Backdoor:Linux/Mirai.N!MTB"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1222.002",
"name": "Linux and Mac File and Directory Permissions Modification",
"display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
},
{
"id": "T1399",
"name": "Modify Trusted Execution Environment",
"display_name": "T1399 - Modify Trusted Execution Environment"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1011.001",
"name": "Exfiltration Over Bluetooth",
"display_name": "T1011.001 - Exfiltration Over Bluetooth"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6227,
"domain": 1437,
"hostname": 2331,
"email": 8,
"FileHash-SHA256": 3252,
"FileHash-MD5": 465,
"FileHash-SHA1": 457,
"CIDR": 1,
"CVE": 3
},
"indicator_count": 14181,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "64 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6961a8ed7b492f9e0ba38990",
"name": "HeartSender.A and other Malware attacks originating from Palantirs Pahamify Pegasus",
"description": "Pahamify Pegasus : HackTool \u2022 Speedcat \u2022 HeartSender.A \u2022 Zbot and other malware found.\nSearc begins with single FileHash referenced below. \nI\u2019m checking the processes and sharing it here one group at a time. Too much research at once could bring Amazon AWS down. Again.",
"modified": "2026-02-09T00:04:37.974000",
"created": "2026-01-10T01:18:36.999000",
"tags": [
"read c",
"write c",
"port",
"destination",
"united",
"medium",
"as16509",
"memcommit",
"write",
"execution",
"dock",
"persistence",
"next executed",
"commands graph",
"tree",
"sample hash",
"passive dns",
"present jan",
"title error",
"urls",
"files",
"date hash",
"avast avg",
"dynamicloader",
"host",
"utf8",
"unicode text",
"crlf line",
"binary resource",
"ms windows",
"search",
"intel",
"pcspeedcat",
"win32",
"internal",
"malware",
"local",
"unknown",
"get na",
"http",
"okrnserver",
"ip address",
"http traffic",
"guard",
"powershell",
"ipv4 add",
"servers",
"name servers",
"capture",
"link",
"gateway",
"tofsee att",
"ck ids",
"t1055",
"injection",
"t1071",
"protocol",
"t1573",
"target",
"url http",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"t1480 execution",
"discovery att",
"mitre att",
"ck matrix",
"ascii text",
"hybrid",
"general",
"path",
"click",
"strings",
"high",
"etpro malware",
"next",
"stack",
"format",
"error",
"unicode",
"head http",
"regsetvalueexa",
"qt binary",
"resource file",
"pe32",
"hostile",
"unknown aaaa",
"unknown ns",
"x content",
"gmt cache",
"domain add",
"title",
"present sep",
"a td",
"td tr",
"dir td",
"td td",
"present may",
"present jun",
"present apr",
"present aug",
"present oct",
"head body",
"gmt server",
"index",
"main",
"accept",
"status",
"th tr",
"moved",
"record value",
"expiration date",
"germany unknown",
"present dec",
"cache control",
"present nov",
"max age1000000",
"cookie",
"hosting",
"reverse dns",
"location france",
"france asn",
"as16276",
"trojandropper",
"next associated",
"mtb jan",
"exploit",
"emails",
"trojan",
"pegasus",
"hostname add",
"url analysis",
"domain",
"files ip",
"address",
"france unknown",
"asn as16276",
"backdoor",
"entries",
"setcookie",
"twitter",
"refloadapihash",
"virtool",
"show",
"displayname",
"windows",
"rndhex",
"tofsee",
"stream",
"encrypt",
"push",
"creation date",
"france",
"date",
"body",
"pup",
"amazon",
"amazon aws",
"salesforce",
"herokuappdev",
"google",
"igoogle",
"monitored target",
"cats"
],
"references": [
"FileHash-SHA256\t9f66cab9d7c581cf2dd28b6ae3178bb3d38975ff257c3ffb67c3e89d0f7135ee",
"https://otx.alienvault.com/indicator/ip/3.163.24.10",
"External Hosts: 52.57.183.74\t access.pcspeedcat.com\taccess.pcspeedcat.com\tGermany\tAS16509 amazon.com inc\taccess.pcspeedcat.com Germany AS16509 amazon.",
"External Hosts: 3.163.24.10\t www.pcspeedcat.com\twww.pcspeedcat.com\tUnited States ASNone",
"https://otx.alienvault.com/indicator/hostname/pegasus.pahamify.com",
"https://otx.alienvault.com/indicator/url/https://pegasus.pahamify.com/",
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"http://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"biblegateway.comwww.biblegateway.com \u2022 www.biblegateway.com",
"Malicious Application Development: herokuappdev.com (Patter match 8 years +)",
"direwolf-8b1a1bc476.staging.herokuappdev.com",
"Malicious Application Development: herokuappdev.com (pattern matching spans 8+ years)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Generic-9871124-0",
"display_name": "Win.Malware.Generic-9871124-0",
"target": null
},
{
"id": "ALF:HackTool:MSIL/HeartSender.A",
"display_name": "ALF:HackTool:MSIL/HeartSender.A",
"target": null
},
{
"id": "Win.Malware.Speedcat-6957425",
"display_name": "Win.Malware.Speedcat-6957425",
"target": null
},
{
"id": "Tofsee Attack",
"display_name": "Tofsee Attack",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
}
],
"industries": [
"Civil Society",
"Telecommunications",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 404,
"FileHash-SHA1": 286,
"FileHash-SHA256": 1419,
"SSLCertFingerprint": 7,
"domain": 441,
"URL": 4233,
"hostname": 1217,
"email": 10
},
"indicator_count": 8017,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "69 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "695fd5fa266f9ea34c8f5c45",
"name": "Cats and Kittens Attack Mirai Botnet and how it may target Threat Exchange users",
"description": "Cat attacks related to LummaC2 attacks,info stealing, domain seizures, etc. Including are references to the Lumma C2 with cats and Aura Stealer attacks. Same attack group , includes Mirai Botnet. Has the group become a larger , stronger adversary? \nSony Music connection. I\u2019m aware (The US Department of Justice and Microsoft disrupted LummaC2 infostealing-malware through domain seizures, taking down over 2,300 associated domains. The FBI and CISA by AlienVault) Further research necessary.",
"modified": "2026-02-07T14:04:48.556000",
"created": "2026-01-08T16:06:18.126000",
"tags": [
"levelblue labs",
"mirai",
"windows",
"ck ids",
"application",
"network denial",
"service",
"contacted",
"search",
"unknown",
"top source",
"top destination",
"source source",
"china as4812",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"enter",
"udp include",
"country",
"unique",
"unique asns",
"ip hostname",
"reverse ip",
"lookup country",
"china as17429",
"taiwan as3462",
"new caledonia",
"as18200 office",
"china as4538",
"china as9394",
"india as137654",
"japan as2514",
"japan as9365",
"china as45083",
"endian",
"linux",
"apple",
"linux subsys",
"lang c",
"linenum",
"lsyms",
"machine",
"static",
"va",
"os linux",
"nx",
"relocs",
"intel 8038",
"elf32",
"malware distribution",
"domain seizures",
"infostealing malware",
"cat-themed domains",
"gather victim",
"t1589",
"t1568",
"t1590",
"web protocols",
"drop resolver",
"t1568 t1590",
"show",
"filehash",
"md5 add",
"pulse pulses",
"copy",
"affected _and_fixed",
"thank you"
],
"references": [
"cat-are-here.ru",
"Antivirus Detections: Unix.Trojan.Mirai-10028259-0 | Mirai (ELF) Mirai (Windows",
"Yara Detections: LZMA",
"IP\u2019s Contacted: 32.227.223.238 107.74.143.88 69.196.71.159 96.16.197.80 101.80.61.229 125.101.205.34",
"IP\u2019s Contacted: 16.85.50.206 215.160.125.18 40.71.227.8 57.122.151.130",
"All Domains Contacted: thekittler.ru newkittler.ru cats-master.ru",
"https://otx.alienvault.com/indicator/file/b57042ed9a7d7dbe1f7c7f32de74d2b367ee835d",
"https://otx.alienvault.com/indicator/domain/cat-are-here.ru",
"CloudFlare IP\u2019s: 104.18.36.237 ,104.18.37.237",
"CloudFlare Domain: apple-dns.net",
"Cloudflare URL: https://forms.sonymusicfans.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js",
"https://forms.sonymusicfans.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js",
"http://213.209.143.24/ppc \u2022 http://213.209.143.24/rep.i486 \u2022 http://213.209.143.24/rep.sh4",
"http://213.209.143.24/x32 \u2022 https://250-mail.simswap.in \u2022 https://mail.simswap.in",
"http://kittler.ru/arm5 \u2022 http://kittler.ru/mpsl \u2022 http://thekittler.ru/rep.arm7",
"http://kittler.ru/rep.sh4 \u2022 http://kittler.ru/x32 \u2022 http://cats-master.ru/x86_64",
"sonymusicfans.com \u2022 forms.sonymusicfans.com \u2022 image.emails.sonymusicfans.com \u2022 url8878.e.sonymusicfans.com",
"https://forms.sonymusicfans.com/campaign/cannons-all-i-need-pre-add-pre-save/",
"https://forms.sonymusicfans.com/wp-content/plugins/smf-core/assets/css/campaign_333c4e8b19a72989caf8.css",
"https://view.emails.sonymusicfans.com/Error.aspx",
"URL http://url8878.e.sonymusicfans.com/ls/click \u2022 https://forms.sonymusicfans.com/campaign/all",
"http://url8878.e.sonymusicfans.com/ \u2022 http://url8878.e.sonymusicfans.com/ls/click",
"https://forms.sonymusicfans.com/campaign/all \u2022 https://forms.sonymusicfans.com/campaign/mmph/",
"https://image.emails.sonymusicfans.com/lib/fe9a12747566007d70/m/1/eb6e3ce4-7a7b-4435-a2cd-968f7277e6e0.png",
"https://image.emails.sonymusicfans.com/lib/fe9412747566057a72/m/1/b381d305-8e17-49be-bc99-e5fab3a7cd17.gif",
"push.apple.com \u2022 emails.redvue.com \u2022 apple-dns.net \u2022 57.122.151.130 \u2022 https://teja8.kuikr.com/i6/20181130/Apple",
"Tracking LummaC2 Infrastructure with Cats (byAlienVault) https://otx.alienvault.com/pulse/6839003a3028827e1ebbfb1a",
"Interesting relationships: LummaC2 , Mirai Botnet , Sony Music Group , Apple",
"https://otx.alienvault.com/pulse/694898db3a9999fecfd893cb"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "Unix.Trojan.Mirai-10028259-0",
"display_name": "Unix.Trojan.Mirai-10028259-0",
"target": null
},
{
"id": "Unix.Trojan.Gafgyt-6981160-0",
"display_name": "Unix.Trojan.Gafgyt-6981160-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1595",
"name": "Active Scanning",
"display_name": "T1595 - Active Scanning"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1584.001",
"name": "Domains",
"display_name": "T1584.001 - Domains"
},
{
"id": "T1102.001",
"name": "Dead Drop Resolver",
"display_name": "T1102.001 - Dead Drop Resolver"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 74,
"FileHash-SHA1": 74,
"FileHash-SHA256": 1067,
"URL": 2140,
"domain": 247,
"hostname": 674,
"CVE": 2
},
"indicator_count": 4278,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "70 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6953775a0aed71947ca3f90e",
"name": "Ransom WannaCrypt- Hackers masquerade as a law firm | Social Engineering |",
"description": "Hackers , likely Colorado State employees masquerading as legal, entities, social\nengineering, financial exchanges involved. Fraud. Dangerous enterprise. Found in an \u2018alleged \u2018 Plaintiff Law Firms malicious link discovered in old print out, also seen in earlier pulse. [OTX generated description: Adversaries may be able to evade detection and network filtering by blending in with existing traffic, as well as using web protocols, in order to avoid detection/network filtering. and other measures.]",
"modified": "2026-01-29T06:09:08.504000",
"created": "2025-12-30T06:55:22.105000",
"tags": [
"united",
"urls",
"moved",
"files",
"ip address",
"gmt content",
"x adblock",
"encrypt",
"backdoor",
"bq dec",
"virtool",
"ipv4 add",
"ascii text",
"pattern match",
"ck id",
"mitre att",
"meta",
"general",
"local",
"path",
"click",
"strings",
"unknown",
"simplified",
"etpro trojan",
"possible virut",
"dga nxdomain",
"responses",
"virus",
"medium",
"virustotal",
"vipre",
"baidu",
"vitro",
"drweb",
"mcafee",
"panda",
"malware",
"write",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"yara rule",
"simda",
"internal",
"learn",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"discovery att",
"ck matrix",
"network traffic",
"t1071",
"t1057",
"hybrid",
"yara detections",
"composite",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"none related",
"passive dns",
"hosting",
"reverse dns",
"location united",
"title",
"ences s",
"data upload",
"extraction",
"status",
"hostname add",
"url analysis",
"push",
"present sep",
"present may",
"present jul",
"present jan",
"win32small dec",
"ransom",
"write c",
"show",
"search",
"high",
"et exploit",
"probe ms17010",
"eternal blue",
"englewood colorado",
"wannacry",
"wannacrypt",
"ransom",
"wanna"
],
"references": [
"https://aws.hirecar.net/",
"w32.virut.cf \u2022 win32.virut.am \u2022 virut.cf \u2022 http://w32.virut.cf \u2022http://w32.virut.cf/ \u2022 https://w32.virut.cf",
"pandacookie2018.xyz",
"Antivirus Detections: Win.Ransomware.Wanna-9769986-0 , Ransom:Win32/WannaCrypt.H",
"IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS",
"DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) Possible ETERNALBLUE Probe MS17-010 (Generic Flags) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic , MS17_010_WanaCry_worm , stack_string More Alerts 25 Alerts suspicious_iocontrol_codes persistence_autorun persistence_autorun_tasks stealth_file suricata_alert antivm_generic_disk anomalous_deletefil",
"Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com \u2022\u2019survey-smiles.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor:Win32/Small.IR",
"display_name": "Backdoor:Win32/Small.IR",
"target": "/malware/Backdoor:Win32/Small.IR"
},
{
"id": "Win.Trojan.Agent-31853",
"display_name": "Win.Trojan.Agent-31853",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "Win.Ransomware.Wanna-9769986-0",
"display_name": "Win.Ransomware.Wanna-9769986-0",
"target": null
},
{
"id": "Ransom:Win32/WannaCrypt.H",
"display_name": "Ransom:Win32/WannaCrypt.H",
"target": "/malware/Ransom:Win32/WannaCrypt.H"
},
{
"id": "Virtool:Win32/Injector.gen!BQ",
"display_name": "Virtool:Win32/Injector.gen!BQ",
"target": "/malware/Virtool:Win32/Injector.gen!BQ"
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
}
],
"industries": [
"Government",
"Technology",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8605,
"domain": 1228,
"email": 2,
"hostname": 1981,
"FileHash-SHA256": 1617,
"FileHash-SHA1": 184,
"FileHash-MD5": 206,
"SSLCertFingerprint": 2
},
"indicator_count": 13825,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "80 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6952f958f5dee394ed5ee9f1",
"name": "Agent-AQB -Secretary of State Colorado",
"description": "There are several compromised certificate on Secretary of State Colorado. I focused on one.\nMalicious - Writes to STDOUT",
"modified": "2026-01-28T21:05:58.898000",
"created": "2025-12-29T21:57:44.075000",
"tags": [
"subscribe",
"unsubscribe",
"s paris",
"englewood",
"united",
"state",
"skip",
"espaol",
"summary",
"filing history",
"present jul",
"a domains",
"present jun",
"present oct",
"present dec",
"script urls",
"present aug",
"moved",
"link",
"meta",
"msie",
"chrome",
"passive dns",
"gmt content",
"ipv4",
"urls",
"files",
"title",
"ipv4 add",
"america flag",
"america asn",
"related pulses",
"united states",
"cloudflare a",
"div div",
"span span",
"domain",
"cloudflare",
"content type",
"click",
"dynamicloader",
"get opera",
"host",
"tlsv1",
"install",
"external ip",
"lookup",
"intel",
"ms windows",
"ogoogle trust",
"write",
"malware",
"ip address",
"search",
"present nov",
"backdoor",
"bq dec",
"win32small dec",
"next associated",
"virtool",
"reverse dns",
"australia asn",
"twitter",
"status",
"name servers",
"expiration date",
"hostname add",
"unknown soa",
"domain add",
"form",
"entries",
"url analysis",
"error",
"body",
"date",
"high",
"ssh scan",
"tcp syn",
"resolverror",
"show",
"outbound",
"yara detections",
"potential ssh",
"contacted",
"copy",
"icmp traffic",
"dns query",
"therahand certificat",
"sos",
"secretary of state",
"writes_to_stdout"
],
"references": [
"https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY",
"ELF:Agent-AQB\\ [Trj] IDS Detections: Potential SSH Scan Potential SSH Scan OUTBOUND",
"Yara Detections: is__elf",
"Alerts: dead_host known_hosts_conn network_icmp tcp_syn_scan osquery_detection",
"Alerts: nolookup_communication writes_to_stdout",
"IP\u2019s Contacted 2530 IP\u2019s Contacted 1.0.0.1 1.0.0.10 1.0.0.100 1.0.0.101 1.0.0.102 | Domains Contacted: 9654s.com",
"https://otx.alienvault.com/indicator/file/aeb3d5ec1d144a7b2d51bdb603c052fd52700defb1b039491c4df3f32ece517a",
"ELF:Agent-AQB\\ [Trj]",
"https://otx.alienvault.com/indicator/file/aeb3d5ec1d144a7b2d51bdb603c052fd52700defb1b039491c4df3f32ece517a"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win.Trojan.Agent-31853",
"display_name": "Win.Trojan.Agent-31853",
"target": null
},
{
"id": "Backdoor:Win32/Small.IR",
"display_name": "Backdoor:Win32/Small.IR",
"target": "/malware/Backdoor:Win32/Small.IR"
},
{
"id": "Win.Downloader.92-4",
"display_name": "Win.Downloader.92-4",
"target": null
},
{
"id": "Win.Trojan.Fugrafa-9733007-0",
"display_name": "Win.Trojan.Fugrafa-9733007-0",
"target": null
},
{
"id": "ELF:Agent-AQB\\ [Trj]",
"display_name": "ELF:Agent-AQB\\ [Trj]",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1561,
"domain": 158,
"hostname": 637,
"FileHash-MD5": 121,
"FileHash-SHA1": 97,
"email": 8,
"FileHash-SHA256": 561,
"SSLCertFingerprint": 1
},
"indicator_count": 3144,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "80 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69519fa81048ad057eb9beaa",
"name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)",
"description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. | \nWhere does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.",
"modified": "2026-01-27T21:02:45.343000",
"created": "2025-12-28T21:22:48.595000",
"tags": [
"united",
"servers",
"moved",
"ip address",
"record value",
"encrypt",
"present jul",
"present jun",
"trojandropper",
"passive dns",
"ipv4 add",
"urls",
"files",
"virtool",
"united states",
"dynamicloader",
"directui",
"element",
"classinfobase",
"write c",
"medium",
"yara rule",
"msvisualbasic60",
"high",
"hwndelement",
"explorer",
"write",
"movie",
"insert",
"program",
"python",
"http traffic",
"trojan generic",
"search",
"cnc activity",
"delphi",
"win32",
"launcher",
"pony",
"fareit",
"malware",
"push",
"msie",
"windows nt",
"generic",
"checkin",
"post",
"yara detections",
"rxr",
"inject",
"memcommit",
"cryptexportkey",
"invalid pointer",
"regsetvalueexa",
"solutions ltd",
"read c",
"regdword",
"mozilla",
"persistence",
"execution",
"android",
"unknown",
"learn",
"suspicious",
"informative",
"adversaries",
"ck id",
"name tactics",
"command",
"initial access",
"defense evasion",
"spawns",
"t1590 gather",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"pattern match",
"mitre att",
"ck matrix",
"href",
"ascii text",
"starfield",
"hybrid",
"general",
"local",
"path",
"iframe",
"palantir",
"present nov",
"present oct",
"status",
"present apr",
"present dec",
"cryp",
"date",
"trojan",
"title",
"name servers",
"windows",
"t1060",
"disables proxy",
"dock",
"pegasus",
"rootkit",
"backdoor",
"susp",
"win32qqpass feb",
"worm",
"msr win32",
"win64",
"process32nextw",
"findwindowa",
"file execution",
"writeconsolea",
"procexpl",
"file v2",
"document",
"document file",
"v2 document",
"lost",
"tools",
"pecompact",
"media",
"autorun",
"service",
"post http",
"delete",
"alerts",
"emotet",
"rkt",
"autorun",
"worm",
"plugins",
"title error",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"domain",
"expiration date",
"hostname add",
"pulse pulses",
"contacted hosts",
"sha1",
"sha256",
"show technique",
"strings",
"t1480 execution",
"signing defense",
"script urls",
"a domains",
"unknown ns",
"texas flyover",
"script domains",
"script script",
"meta",
"window",
"process details",
"contacted"
],
"references": [
"Cart.Guru",
"Yara Detections: Delphi",
"Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
"MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
"HTTP traffic on port 443 (POST)",
"IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
"Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs",
"Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
"Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
"Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
"Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
"Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
"Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
"Yara Detections: Nullsoft_NSIS ...",
"Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
"Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
"Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103",
"Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
"Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
"Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
"Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users"
],
"public": 1,
"adversary": "Palantir Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "RXR",
"display_name": "RXR",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "Trojan:Win32/Bagsu!rfn",
"display_name": "Trojan:Win32/Bagsu!rfn",
"target": "/malware/Trojan:Win32/Bagsu!rfn"
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:MalOb-BX\\ [Cryp]",
"display_name": "Win32:MalOb-BX\\ [Cryp]",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "#Lowfi:Win32/SandboxProductId",
"display_name": "#Lowfi:Win32/SandboxProductId",
"target": "/malware/#Lowfi:Win32/SandboxProductId"
},
{
"id": "Win32:Backdoor",
"display_name": "Win32:Backdoor",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "ALF:Trojan:MSIL/BlackFus.C",
"display_name": "ALF:Trojan:MSIL/BlackFus.C",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "TrojanProxy:Win32/Ceutv.A",
"display_name": "TrojanProxy:Win32/Ceutv.A",
"target": "/malware/TrojanProxy:Win32/Ceutv.A"
},
{
"id": "VirTool:Win32/Obfuscator.AHU",
"display_name": "VirTool:Win32/Obfuscator.AHU",
"target": "/malware/VirTool:Win32/Obfuscator.AHU"
},
{
"id": "ShellCode",
"display_name": "ShellCode",
"target": null
},
{
"id": "Win32:Rootkit",
"display_name": "Win32:Rootkit",
"target": null
},
{
"id": "VB Flash",
"display_name": "VB Flash",
"target": null
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Win.Packed.Razy-6847895-0",
"display_name": "Win.Packed.Razy-6847895-0",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!",
"display_name": "Backdoor:Win32/Plugx.N!",
"target": "/malware/Backdoor:Win32/Plugx.N!"
},
{
"id": "Win.Dropper.QQpass-7194329-0",
"display_name": "Win.Dropper.QQpass-7194329-0",
"target": null
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Win32:Agent",
"display_name": "Win32:Agent",
"target": null
},
{
"id": "Win.Trojan.Agent",
"display_name": "Win.Trojan.Agent",
"target": null
},
{
"id": "Win.Trojan.Emotet-7545664-0",
"display_name": "Win.Trojan.Emotet-7545664-0",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2362,
"domain": 449,
"hostname": 710,
"email": 6,
"FileHash-MD5": 260,
"FileHash-SHA1": 201,
"FileHash-SHA256": 333,
"SSLCertFingerprint": 27
},
"indicator_count": 4348,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "81 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69519fa818f84531ce6becc9",
"name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)",
"description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. Where does this information goes. Citizens Lab would has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.",
"modified": "2026-01-27T21:02:45.343000",
"created": "2025-12-28T21:22:48.383000",
"tags": [
"united",
"servers",
"moved",
"ip address",
"record value",
"encrypt",
"present jul",
"present jun",
"trojandropper",
"passive dns",
"ipv4 add",
"urls",
"files",
"virtool",
"united states",
"dynamicloader",
"directui",
"element",
"classinfobase",
"write c",
"medium",
"yara rule",
"msvisualbasic60",
"high",
"hwndelement",
"explorer",
"write",
"movie",
"insert",
"program",
"python",
"http traffic",
"trojan generic",
"search",
"cnc activity",
"delphi",
"win32",
"launcher",
"pony",
"fareit",
"malware",
"push",
"msie",
"windows nt",
"generic",
"checkin",
"post",
"yara detections",
"rxr",
"inject",
"memcommit",
"cryptexportkey",
"invalid pointer",
"regsetvalueexa",
"solutions ltd",
"read c",
"regdword",
"mozilla",
"persistence",
"execution",
"android",
"unknown",
"learn",
"suspicious",
"informative",
"adversaries",
"ck id",
"name tactics",
"command",
"initial access",
"defense evasion",
"spawns",
"t1590 gather",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"pattern match",
"mitre att",
"ck matrix",
"href",
"ascii text",
"starfield",
"hybrid",
"general",
"local",
"path",
"iframe",
"palantir",
"present nov",
"present oct",
"status",
"present apr",
"present dec",
"cryp",
"date",
"trojan",
"title",
"name servers",
"windows",
"t1060",
"disables proxy",
"dock",
"pegasus",
"rootkit",
"backdoor",
"susp",
"win32qqpass feb",
"worm",
"msr win32",
"win64",
"process32nextw",
"findwindowa",
"file execution",
"writeconsolea",
"procexpl",
"file v2",
"document",
"document file",
"v2 document",
"lost",
"tools",
"pecompact",
"media",
"autorun",
"service",
"post http",
"delete",
"alerts",
"emotet",
"rkt",
"autorun",
"worm",
"plugins",
"title error",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"domain",
"expiration date",
"hostname add",
"pulse pulses",
"contacted hosts",
"sha1",
"sha256",
"show technique",
"strings",
"t1480 execution",
"signing defense",
"script urls",
"a domains",
"unknown ns",
"texas flyover",
"script domains",
"script script",
"meta",
"window",
"process details",
"contacted"
],
"references": [
"Cart.Guru",
"Yara Detections: Delphi",
"Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
"MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
"HTTP traffic on port 443 (POST)",
"IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
"Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs",
"Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
"Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
"Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
"Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
"Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
"Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
"Yara Detections: Nullsoft_NSIS ...",
"Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
"Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
"Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103",
"Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
"Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
"Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
"Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users"
],
"public": 1,
"adversary": "Palantir Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "RXR",
"display_name": "RXR",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "Trojan:Win32/Bagsu!rfn",
"display_name": "Trojan:Win32/Bagsu!rfn",
"target": "/malware/Trojan:Win32/Bagsu!rfn"
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:MalOb-BX\\ [Cryp]",
"display_name": "Win32:MalOb-BX\\ [Cryp]",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "#Lowfi:Win32/SandboxProductId",
"display_name": "#Lowfi:Win32/SandboxProductId",
"target": "/malware/#Lowfi:Win32/SandboxProductId"
},
{
"id": "Win32:Backdoor",
"display_name": "Win32:Backdoor",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "ALF:Trojan:MSIL/BlackFus.C",
"display_name": "ALF:Trojan:MSIL/BlackFus.C",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "TrojanProxy:Win32/Ceutv.A",
"display_name": "TrojanProxy:Win32/Ceutv.A",
"target": "/malware/TrojanProxy:Win32/Ceutv.A"
},
{
"id": "VirTool:Win32/Obfuscator.AHU",
"display_name": "VirTool:Win32/Obfuscator.AHU",
"target": "/malware/VirTool:Win32/Obfuscator.AHU"
},
{
"id": "ShellCode",
"display_name": "ShellCode",
"target": null
},
{
"id": "Win32:Rootkit",
"display_name": "Win32:Rootkit",
"target": null
},
{
"id": "VB Flash",
"display_name": "VB Flash",
"target": null
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Win.Packed.Razy-6847895-0",
"display_name": "Win.Packed.Razy-6847895-0",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!",
"display_name": "Backdoor:Win32/Plugx.N!",
"target": "/malware/Backdoor:Win32/Plugx.N!"
},
{
"id": "Win.Dropper.QQpass-7194329-0",
"display_name": "Win.Dropper.QQpass-7194329-0",
"target": null
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Win32:Agent",
"display_name": "Win32:Agent",
"target": null
},
{
"id": "Win.Trojan.Agent",
"display_name": "Win.Trojan.Agent",
"target": null
},
{
"id": "Win.Trojan.Emotet-7545664-0",
"display_name": "Win.Trojan.Emotet-7545664-0",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2362,
"domain": 449,
"hostname": 710,
"email": 6,
"FileHash-MD5": 260,
"FileHash-SHA1": 201,
"FileHash-SHA256": 333,
"SSLCertFingerprint": 27
},
"indicator_count": 4348,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "81 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6949b6d8180bca3df9783578",
"name": "Instagram (staged) Emotet & Tofsee Backdoor",
"description": "If you choose to read this, I apologize for the riddle.Pegasus like tracking operation.\nAdversarial attack on a private citizens or (possibly staged instagram account). The citizen is not a known target. Attacks appear to arise from same internet criminals, allegedly State of Colorado employees engaged in permissible criminal behavior. Account does belongs to a person in sphere of a known monitored target. Target naturally has no communication with account holder. Known target had been invited to be Facebook friends of infected account holder multiple times, both target and associate declined and blocked this infected account holder. |\n\n* Infected Instagram account holders husband referred target to a Colorado Law Firm. The Law firm was attacked some time ago. | \n***Infected instagram account holder name is redacted. Is being tracked :(",
"modified": "2026-01-21T20:01:56.174000",
"created": "2025-12-22T21:23:36.083000",
"tags": [
"dynamicloader",
"port",
"destination",
"yara rule",
"high",
"tofsee",
"rndhex",
"rndchar",
"loaderid",
"write",
"stream",
"malware",
"systemroot",
"write c",
"displayname",
"windows",
"trojan",
"defender",
"unknown",
"less see",
"all ip",
"contacted",
"less related",
"meta",
"emotet",
"backdoor",
"packer",
"many",
"hall render",
"brian sabey",
"christopher p. ahmann",
"state of colorado",
"google",
"yahoo",
"microsoft",
"stealth window",
"reads_self",
"injection write process",
"remote",
"remote process",
"dynamic function loading",
"compromises device",
"dead connect",
"dynamic loader",
"command",
"cnc",
"sleep sandbox",
"iocontrol",
"behavior tofsee",
"suspicious code",
"injection",
"persistence",
"rootkit",
"social media",
"belgium belgium",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"network traffic",
"t1071",
"spawns",
"html content",
"href",
"general",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"defense evasion",
"development att",
"tracking"
],
"references": [
"Instagram.com",
"IDS Detections: tofsee",
"Alerts antivm_generic_services persistence_ads anomalous_deletefile Idead_connect",
"Alerts: suspicious_tld queries_computer_name dynamic_function_loading",
"Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
"IP\u2019s Contacted: 94.100.180.31 142.251.9.27 98.136.96.91 43.231.4.7 52.101.8.42",
"Domains Contacted microsoft.com microsoft-com.mail.protection.outlook.com yahoo.com mta7.am0.yahoodns.net google.com",
"Brian Sabey , Christopher P. Ahmann , State of Colorado who",
"http://tracking-sa3.account.riyadhair.com/tracking/1/open/UGnB4w8RQiQ_9PYty4S-rwBmOetPQw3ubFHSNKg_IdhZfkaCbjqN3pnR4Xwk6pQcRBqF2aoq0uEaKMM4CX1kTpZsAD10-fxAPEgqGzJ2o7BJmsh_G2B6P-m_Xqc_LOycbcGBss0kXIEJvMGRw2SMITzqmVnh1yI_FuZV37qgGHZG3lP1V-WMaNTc8FYNIcgSRyTFamC5k3I1LkpsmTgX5Dd20Ko3IxUqFRC74clpVo-uFwRAb1Q1gSfKrDBX6_LaXkgv9gfyPy7L2BKxAmFBe-Ump3D_wGRDTXekPO5VZJ46hn0pUrOy2g8606kgb703eJVnmrz0cgCd-8P1dOdfoOFrSqOuXzfDNCaUU-2xl1aHVjGCZGIWX6B4bYqznMqsvI8UxoitF5tZTZ3opRhymDkrsItHdJPUnzkc6N_Z370RVT54BihKCohH14lIRQVQN9v74E",
"Looks like a Pegasus tracking sphere. All contacts and contacts, contacts tracked."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Emotet.YL",
"display_name": "Trojan:Win32/Emotet.YL",
"target": "/malware/Trojan:Win32/Emotet.YL"
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 910,
"domain": 177,
"hostname": 206,
"FileHash-SHA256": 647,
"FileHash-MD5": 38,
"FileHash-SHA1": 28
},
"indicator_count": 2006,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "87 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69631fbd16e306ee2b76c4da",
"name": "Chris P. Ahmann \u2022 STAY Away!f PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2026-01-11T03:57:49.242000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "695557ee134b978b00883c29",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "88 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69482caa00d327da8f0a87bc",
"name": "Chris P.\u2019 Buzz\u2019 Ahmann Colorado State Criminal Defense Attorney (22.20.2025)",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-12-21T17:21:46.434000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "88 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "695557ee134b978b00883c29",
"name": "Chris P. Ahmann \u2022 Stay out of PRIVATE PROPERTY HITMAN! Colorado State",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-12-31T17:05:50.134000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "88 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "691f4d4ef0a2a570b8b21cd2",
"name": "Chris P. Ahmann Colorado State Criminal Defense Attorney",
"description": "Chris P. Ahmann Colorado State Criminal Defense attorney hired by quasi government Workers Compensation to completely destroy Tsara Brashears literally to death. None of her spinal cord injuries , and other assault injuries discussed or compensated for in rushed settlement case. Her awful racist attorney refused to represent plaintiffs in hearing. Never met with in person for no good reason. Tsara represented herself. Less that 24 hour notice. No briefings, no awareness or mention that Ahmann was representing Jeffrey Scott Reimer for assault\n case. Brashears required 24 hour care by end of life. Received 0 workers compsarion payments. But if this doesn\u2019t prove Reimer\u2019s guilt what does? Continued harassment of associated. \n\nNotice the outages? You\u2019ve cost BILLIONS? Stop threatening everyone.",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-11-20T17:18:06.929000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "88 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6944ce38344ccded23df66f5",
"name": "Ransom - Amnesty.org - a single link in a Pegasus attack against a civilian.",
"description": "I don\u2019t have the right words to put this together because it involves so much coercion, fraud, betrayal, manipulation , hacking, multiple business fronts, loud mouth mafia plants, working with someone under false pretenses, redhat security teams in Denver , Colorado, false implications of cyber attacks coming from foreign entities. \n\nTips come from a highly reliable sources. One link in a Pegasus attack .",
"modified": "2026-01-18T03:05:59.836000",
"created": "2025-12-19T04:02:00.973000",
"tags": [
"intel",
"ms windows",
"write c",
"pe32",
"pe32 executable",
"copy c",
"free",
"benjamin",
"write",
"worm",
"win32",
"code",
"june",
"delphi",
"malware",
"benjamin",
"tulach",
"state of colorado",
"christopher p. \u2018buzz\u2019 ahmann",
"danica implants",
"nids_malware_alert",
"bonu$",
"network_icmp",
"network_irc",
"persistence_autorun",
"network_http",
"nids_alert",
"allocates_rwx",
"hackers",
"creates_exe",
"brian sabey",
"sour del",
"packer_entropy",
"antivm_memory_available",
"pe_features",
"get key",
"crime",
"organized crime",
"federal crime",
"cyber crime",
"piracy",
"status",
"china unknown",
"name servers",
"div div",
"ip address",
"domain",
"creation date",
"record value",
"meta",
"title",
"hong kong",
"passive dns",
"gmt content",
"type",
"content length",
"ipv4 add",
"urls",
"files",
"location hong",
"twitter",
"youtube",
"side 3 studios",
"denver music",
"infiltration",
"whistleblower",
"getkey",
"cyber warfare",
"fraud",
"financial crimes",
"pegasus",
"music front",
"france unknown",
"present feb",
"iran unknown",
"present nov",
"present jun",
"present jan",
"hidden",
"present jul",
"date",
"united",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"llc name",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"found",
"pattern match",
"mitre att",
"show technique",
"ck matrix",
"ascii text",
"href",
"show process",
"file",
"general",
"local",
"path",
"memory dumping",
"entries",
"icmp delphi",
"showing",
"delete",
"yara detections",
"windows nt",
"wow64",
"khtml",
"gecko",
"dns query",
"packing t1045",
"ransom",
"cve",
"palantir",
"remote",
"graham"
],
"references": [
"Amnesty.org | remote.amnesty.org",
"tulach.cc",
"Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP",
"Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http",
"Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available",
"Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi",
"Delphi This program must be run under Win32 Compilers",
"More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de",
"http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}",
"Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey",
"http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co",
"ipv4bot.whatismyipaddress.com",
"helloprismatic.com",
"https://palantir-staging.staging.candidate.app.paulsjob.ai/",
"Brian Sabey",
"Christopher P. \u2018Buzz\u2019 Ahmann"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "Ransom:Win32/GandCrab",
"display_name": "Ransom:Win32/GandCrab",
"target": "/malware/Ransom:Win32/GandCrab"
},
{
"id": "CVE-2023-2868",
"display_name": "CVE-2023-2868",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 429,
"FileHash-SHA1": 341,
"FileHash-SHA256": 2766,
"URL": 6976,
"domain": 1151,
"CVE": 2,
"email": 3,
"hostname": 2913,
"SSLCertFingerprint": 4
},
"indicator_count": 14585,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "91 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "695ea667a062ed6688b104ab",
"name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ",
"description": "",
"modified": "2026-01-07T18:31:03.104000",
"created": "2026-01-07T18:31:03.104000",
"tags": [
"active",
"type win32",
"exe size",
"first seen",
"malicious avg",
"win32",
"gdata",
"dynamicloader",
"fe ff",
"high",
"write c",
"data",
"x00bx00",
"uswv",
"write",
"redline",
"stream",
"guard",
"malware",
"push",
"local",
"crazyfrost",
"adversarial",
"hacker",
"extraction",
"enter sc",
"data upload",
"extre data",
"included iocs",
"url http",
"url https",
"include review",
"exclude sugges",
"frost security",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ip address",
"process details",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"signing defense",
"united",
"flag",
"contacted",
"http traffic",
"file defense",
"mitre att",
"ck techniques",
"evasion att",
"belize",
"div div",
"passive dns",
"link",
"ipv4 add",
"url analysis",
"urls",
"files",
"meta",
"ddos",
"indicators show",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"hostname",
"types",
"hosanna",
"x show",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1036",
"capture",
"cookie",
"palantir",
"indicator role",
"active related",
"description",
"trump supporter",
"types of",
"germany",
"china",
"netherlands",
"https",
"notice",
"billions",
"stop",
"boobs130432 no",
"expiration",
"location poland",
"asn as29522",
"learn more",
"domain",
"foundry",
"hallrender",
"brian sabey",
"tam legal",
"christopher p ahmann",
"palantir",
"quasi government",
"pentagon"
],
"references": [
"http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL",
"http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"https://www.hallrender.com/attorney/brian-sabey/Accept",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
"http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing",
"http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"http://advocate-smyslova.ru/tsara-brashears/",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833",
"http://orangeporntube.net/tsara-brashears.html",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://videolal.com/tsara-brashears-dead.html",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
"http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"http://www.tryporn.net/seach/tsara-brashears/",
"https://alohatube.xyz/search/tsara-brashearsL",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://orangeporntube.net/tsara-brashears.html",
"https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
"https://youjizz.sex/tsara-brashears.html",
"https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/",
"https://www.xvxx.me/search/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.sweetheartvideo.com/tsara-brashear",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.bukaporn.net/trend/tsara-brashears/",
"tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://mom2fuck.mobi/tsara-brashears.html",
"http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/",
"http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com",
"https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar",
"Targeting Tsara Brasheras and associated",
"Targeting Candace Owens"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1116",
"name": "Code Signing",
"display_name": "T1116 - Code Signing"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Government",
"Defense",
"Healthcare"
],
"TLP": "green",
"cloned_from": "692897a64c0e255409b5a67e",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3709,
"hostname": 1109,
"FileHash-SHA256": 2872,
"FileHash-MD5": 214,
"FileHash-SHA1": 203,
"domain": 557
},
"indicator_count": 8664,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "101 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "695ea6590a50f71a156c9a7f",
"name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ",
"description": "",
"modified": "2026-01-07T18:30:49.442000",
"created": "2026-01-07T18:30:49.442000",
"tags": [
"active",
"type win32",
"exe size",
"first seen",
"malicious avg",
"win32",
"gdata",
"dynamicloader",
"fe ff",
"high",
"write c",
"data",
"x00bx00",
"uswv",
"write",
"redline",
"stream",
"guard",
"malware",
"push",
"local",
"crazyfrost",
"adversarial",
"hacker",
"extraction",
"enter sc",
"data upload",
"extre data",
"included iocs",
"url http",
"url https",
"include review",
"exclude sugges",
"frost security",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ip address",
"process details",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"signing defense",
"united",
"flag",
"contacted",
"http traffic",
"file defense",
"mitre att",
"ck techniques",
"evasion att",
"belize",
"div div",
"passive dns",
"link",
"ipv4 add",
"url analysis",
"urls",
"files",
"meta",
"ddos",
"indicators show",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"hostname",
"types",
"hosanna",
"x show",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1036",
"capture",
"cookie",
"palantir",
"indicator role",
"active related",
"description",
"trump supporter",
"types of",
"germany",
"china",
"netherlands",
"https",
"notice",
"billions",
"stop",
"boobs130432 no",
"expiration",
"location poland",
"asn as29522",
"learn more",
"domain",
"foundry",
"hallrender",
"brian sabey",
"tam legal",
"christopher p ahmann",
"palantir",
"quasi government",
"pentagon"
],
"references": [
"http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL",
"http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"https://www.hallrender.com/attorney/brian-sabey/Accept",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
"http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing",
"http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"http://advocate-smyslova.ru/tsara-brashears/",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833",
"http://orangeporntube.net/tsara-brashears.html",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://videolal.com/tsara-brashears-dead.html",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
"http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"http://www.tryporn.net/seach/tsara-brashears/",
"https://alohatube.xyz/search/tsara-brashearsL",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://orangeporntube.net/tsara-brashears.html",
"https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
"https://youjizz.sex/tsara-brashears.html",
"https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/",
"https://www.xvxx.me/search/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.sweetheartvideo.com/tsara-brashear",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.bukaporn.net/trend/tsara-brashears/",
"tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://mom2fuck.mobi/tsara-brashears.html",
"http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/",
"http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com",
"https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar",
"Targeting Tsara Brasheras and associated",
"Targeting Candace Owens"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1116",
"name": "Code Signing",
"display_name": "T1116 - Code Signing"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Government",
"Defense",
"Healthcare"
],
"TLP": "green",
"cloned_from": "692897a64c0e255409b5a67e",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3709,
"hostname": 1109,
"FileHash-SHA256": 2872,
"FileHash-MD5": 214,
"FileHash-SHA1": 203,
"domain": 557
},
"indicator_count": 8664,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "101 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6935d7d4979c94d296e4b033",
"name": "New Exploits | CVE\u2019s | 12.07.2025",
"description": "",
"modified": "2026-01-06T00:03:32.099000",
"created": "2025-12-07T19:39:00.258000",
"tags": [],
"references": [
"Phishing: https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav/",
"https://www.redpacketsecurity.com/cve-alert-cve-2025-59230-microsoft-windows-10-version-1809/",
"https://www.redpacketsecurity.com/cve_alert_cve-2024-12847/",
"https://www.redpacketsecurity.com/cve_alert_cve-2025-4135/",
"https://www.redpacketsecurity.com/cve_alert_cve-2025-4140/",
"https://www.redpacketsecurity.com/cve_alert_cve-2025-4142/",
"https://www.redpacketsecurity.com/cve_alert_cve-2025-45492/",
"https://www.redpacketsecurity.com/firefox-0day-cve-2015-4495/"
],
"public": 1,
"adversary": "Coinbase Cartel",
"targeted_countries": [
"United States of America",
"Bangladesh",
"Sweden",
"Japan"
],
"malware_families": [
{
"id": "Exploit:Linux/CVE-2017-17215",
"display_name": "Exploit:Linux/CVE-2017-17215",
"target": "/malware/Exploit:Linux/CVE-2017-17215"
},
{
"id": "Exploit:JS/CVE-2014-0322",
"display_name": "Exploit:JS/CVE-2014-0322",
"target": "/malware/Exploit:JS/CVE-2014-0322"
},
{
"id": "CVE-2015-4495",
"display_name": "CVE-2015-4495",
"target": null
},
{
"id": "CVE-2024-12847",
"display_name": "CVE-2024-12847",
"target": null
},
{
"id": "CVE-2025-11727",
"display_name": "CVE-2025-11727",
"target": null
},
{
"id": "CVE-2025-4135",
"display_name": "CVE-2025-4135",
"target": null
},
{
"id": "CVE-2025-4140",
"display_name": "CVE-2025-4140",
"target": null
},
{
"id": "CVE-2025-4142",
"display_name": "CVE-2025-4142",
"target": null
},
{
"id": "CVE-2025-45492",
"display_name": "CVE-2025-45492",
"target": null
},
{
"id": "CVE-2025-59230",
"display_name": "CVE-2025-59230",
"target": null
}
],
"attack_ids": [
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1482",
"name": "Domain Trust Discovery",
"display_name": "T1482 - Domain Trust Discovery"
}
],
"industries": [
"Education"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 523,
"CVE": 10,
"domain": 44,
"hostname": 149,
"FileHash-MD5": 30,
"FileHash-SHA1": 21,
"FileHash-SHA256": 133
},
"indicator_count": 910,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69314926519256e3ef0a9358",
"name": "BeeLineRouter.Net \u2022 Apple Access",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:41:06.657000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"FileHash-SHA256": 3634,
"URL": 5839,
"CVE": 2,
"domain": 1048,
"email": 15,
"hostname": 1944,
"SSLCertFingerprint": 2
},
"indicator_count": 13089,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "106 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69314920e287845f6b36a265",
"name": "BeeLineRouter.Net \u2022 Apple Access",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:41:04.190000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"FileHash-SHA256": 3634,
"URL": 5839,
"CVE": 2,
"domain": 1048,
"email": 15,
"hostname": 1944,
"SSLCertFingerprint": 2
},
"indicator_count": 13089,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "106 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "693148dc0eb85adc8edfe1a2",
"name": "BeeLineRouter.Net \u2022 Isolated / Apple Baxkdoor",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:39:56.180000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1049,
"URL": 5839,
"hostname": 1944,
"FileHash-SHA256": 3634,
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"CVE": 2,
"email": 15,
"SSLCertFingerprint": 2
},
"indicator_count": 13090,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "106 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69312c4db6fe7eb34abd179d",
"name": "BeeLineRouter.Net \u2022 Apple \u2022 Worms \u2022 Ransom \u2022 SpyWare",
"description": "Direct- remotely accesses iOS devices. Same threat actors. Further research warranted.| \n\n#theyswarm #apple #worms #spyware #ransom #quasi",
"modified": "2026-01-03T05:02:11.376000",
"created": "2025-12-04T06:38:05.504000",
"tags": [
"worm",
"readme.exe",
"foto.pif",
"z1nic.exe",
"dynamicloader",
"high",
"windows",
"checks",
"named pipe",
"http traffic",
"ids detections",
"yara detections",
"alerts",
"launch",
"defense evasion",
"ta0005",
"files",
"msie",
"next dropped",
"process name",
"pe32",
"intel",
"ms windows",
"unknown",
"united",
"tlsv1",
"as14618",
"top source",
"top destination",
"port",
"destination",
"source source",
"matches rule",
"hidden file",
"extension",
"connection",
"http vary",
"tulach",
"url https",
"indicator role",
"active related",
"ipv4",
"url http",
"macintosh",
"intel mac",
"os x",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"bq dec",
"virtool",
"win32mydoom dec",
"trojan",
"win32cve dec",
"avast avg",
"mtb dec",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"ff d5",
"yara rule",
"ascii text",
"f0 ff",
"eb e1",
"write",
"malware",
"suspicious",
"observed dns",
"query",
"exploits",
"sid name",
"malware cve",
"exif data",
"show",
"value exe",
"next",
"all ipv4",
"pulse pulses",
"passive dns",
"urls",
"reverse dns",
"location united",
"america flag",
"ashburn",
"status",
"name servers",
"ip address",
"showing",
"domain",
"files ip",
"windows nt",
"slcc2",
"media center",
"medium",
"simda",
"internal",
"local",
"write c",
"domain add",
"ip whois",
"registrar",
"hostname",
"present jul",
"unknown ns",
"present dec",
"music",
"servers",
"hostname add",
"pulse submit",
"url analysis",
"aaaa",
"backdoor",
"entries",
"found",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"record value",
"emails",
"win32",
"mtb may",
"invalid url",
"ransom",
"trojanspy",
"msil",
"akamai",
"expiration date",
"body html",
"present nov",
"url add",
"http",
"files domain",
"files related",
"pulses none",
"related tags",
"present sep",
"present oct",
"flag",
"analysis tip",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"date",
"domain address",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"network traffic",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"t1566",
"submitted url",
"t1204",
"learn",
"name tactics",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"pattern match",
"show process",
"t1071",
"t1057",
"general",
"path",
"brian sabey",
"christopher p ahmann",
"quasi",
"foundry",
"helix",
"remote attacks",
"hit men",
"sreredrum",
"pleh"
],
"references": [
"apple.com \u2022 getsupport.apple.com \u2022",
"https://www.idvd.eu/?cid=oas-japac-domains-applestore.com.cn/90.i.lolik.anyciona.patrolita.casse.897866 \u2022 oas-japac-domains-applestore.com.cn",
"http://beelinerouter.net/",
"Tulach - 114.114.114.114",
"http://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry.com \u2022 helix. com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/Fadok!rfn",
"display_name": "Worm:Win32/Fadok!rfn",
"target": "/malware/Worm:Win32/Fadok!rfn"
},
{
"id": "VirTool:Win32/Injector.gen!BQ",
"display_name": "VirTool:Win32/Injector.gen!BQ",
"target": "/malware/VirTool:Win32/Injector.gen!BQ"
},
{
"id": "Mydoom",
"display_name": "Mydoom",
"target": null
},
{
"id": "Win.Spyware.88778-2",
"display_name": "Win.Spyware.88778-2",
"target": null
},
{
"id": "Win.Malware.Delf-10008156-0",
"display_name": "Win.Malware.Delf-10008156-0",
"target": null
},
{
"id": "Trojan.MyDoom/Muldrop",
"display_name": "Trojan.MyDoom/Muldrop",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1578",
"name": "Modify Cloud Compute Infrastructure",
"display_name": "T1578 - Modify Cloud Compute Infrastructure"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1584.003",
"name": "Virtual Private Server",
"display_name": "T1584.003 - Virtual Private Server"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 422,
"FileHash-SHA1": 316,
"FileHash-SHA256": 1950,
"domain": 899,
"URL": 6117,
"email": 21,
"hostname": 2037,
"SSLCertFingerprint": 2,
"CVE": 1
},
"indicator_count": 11765,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "106 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692f04e9fa3d782118e94aac",
"name": "LevelBlue - Open Threat Exchange - Delete AppDeployed",
"description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.",
"modified": "2026-01-01T15:04:20.907000",
"created": "2025-12-02T15:25:29.158000",
"tags": [
"levelblue",
"open threat",
"dynamicloader",
"tlsv1",
"high",
"msie",
"windows nt",
"delete c",
"fwlink",
"stream",
"powershell",
"write",
"malware",
"local",
"united",
"flag",
"date",
"server",
"crazy egg",
"name server",
"gmt flag",
"domain address",
"markmonitor",
"enom",
"sugges",
"onv incude",
"data upload",
"find s",
"extraction",
"types",
"type",
"indicator",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"contacted hosts",
"search",
"entries",
"read c",
"medium",
"memcommit",
"tls handshake",
"failure",
"module load",
"next",
"execution",
"dock",
"capture",
"persistence",
"copy",
"unknown",
"suricata alert",
"et info",
"bad traffic",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"t1480 execution",
"file defense",
"write c",
"x02x82",
"xe6x15c6",
"x16f",
"xc0xc0xc0",
"revengerat",
"guard",
"service",
"encrypt",
"entries yara",
"delphi",
"win32",
"jordan",
"delete app"
],
"references": [
"https://otx.alienvault.com/indicator/domain/Tamlegal.com",
"DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz",
"endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Vmprotect-9880726-0",
"display_name": "Win.Malware.Vmprotect-9880726-0",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Legal"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4624,
"FileHash-SHA256": 2021,
"FileHash-MD5": 51,
"FileHash-SHA1": 20,
"SSLCertFingerprint": 10,
"hostname": 1433,
"domain": 728
},
"indicator_count": 8887,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692e8cd886e0bb692e8a9d08",
"name": "Blocker Ransomware affecting Apple and iCloud | Injection",
"description": "Wild! Hackers attack-ack-acking!\nThey\u2019re quite good. Persistent. Angry. \nIt\u2019s the same group of hackers.",
"modified": "2026-01-01T06:01:02.583000",
"created": "2025-12-02T06:53:12.823000",
"tags": [
"url https",
"url http",
"domain",
"fh no",
"ipv4",
"united",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"mitre att",
"ck id",
"ck matrix",
"ascii text",
"href",
"network traffic",
"general",
"local",
"click",
"strings",
"learn",
"name tactics",
"suspicious",
"informative",
"found",
"command",
"adversaries",
"spawns",
"defense evasion",
"dynamicloader",
"windows nt",
"wow64",
"khtml",
"gecko",
"write c",
"unknown",
"virtool",
"write",
"defender",
"malware",
"delete",
"alerts",
"backdoor",
"high",
"ip address",
"t1045",
"packing",
"t1055",
"injection",
"t1060",
"run keys",
"startup",
"folder",
"t1119",
"t1027",
"tools",
"families",
"mirai",
"indicator role",
"active related",
"hackers",
"ahmann",
"usual suspects"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Backdoor:Win32/Drixed",
"display_name": "Backdoor:Win32/Drixed",
"target": "/malware/Backdoor:Win32/Drixed"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
},
{
"id": "Ransom:Win32/Blocker.NN!MTB",
"display_name": "Ransom:Win32/Blocker.NN!MTB",
"target": "/malware/Ransom:Win32/Blocker.NN!MTB"
},
{
"id": "Unix.Trojan.Mirai-7135937-0",
"display_name": "Unix.Trojan.Mirai-7135937-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1066",
"name": "Indicator Removal from Tools",
"display_name": "T1066 - Indicator Removal from Tools"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1590.002",
"name": "DNS",
"display_name": "T1590.002 - DNS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 234,
"FileHash-SHA1": 219,
"FileHash-SHA256": 841,
"URL": 2606,
"domain": 298,
"hostname": 772,
"SSLCertFingerprint": 2,
"CVE": 1
},
"indicator_count": 4973,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692e7870eb1d3db6241c7771",
"name": "Apple iCloud Stealer \u2022 Mirai",
"description": "*Mirai - Absolutely adventurous attack! They don\u2019t forget. |\nObserved. Targeted iPhone remotely attacked. RMS user? . Fully updated device. with only one iOS application downloaded. Chaerged iOS was powered on to research suspicious activity. \nThe phone was powered off after glitched. Reset itself , presents a new device , icons and apps changed. Passwords stolen. Barely noticeable side drive by. iCloud unavailable. Hackers are logging in frequently, I cannot change password. The cloud is not accessible. Device has some accounts with threat research on it. Hacker is wiping. Hackers are answering the phone. Phone does not ring for other team members. Much more. Device unlocked since 10/2024. Fixed , hacked repeatedly.\nUsed to examine hacker behavior. It\u2019s pretty sad. The ability for this level of hacker to infect other devices around devices is high / risky. \n\nHosts contacted.",
"modified": "2026-01-01T04:03:48.354000",
"created": "2025-12-02T05:26:08.084000",
"tags": [
"no expiration",
"url http",
"url https",
"iocs",
"domain",
"enter source",
"url or",
"urls",
"url add",
"http",
"files domain",
"files related",
"related tags",
"present dec",
"present nov",
"united",
"ip address",
"tpp wholesale",
"pty ltd",
"unknown soa",
"passive dns",
"ostname add",
"files",
"files ip",
"address",
"related nids",
"files location",
"australia flag",
"gmt server",
"unix",
"gmt etag",
"avast avg",
"scans record",
"value",
"mirai",
"ipv4",
"reverse dns",
"australia asn",
"dns resolutions",
"domains top",
"level",
"twitter",
"present jun",
"present oct",
"present jul",
"proxy error",
"web address",
"search",
"apache",
"next associated",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"mtb oct",
"toolbar",
"ransom",
"click",
"yara detections",
"alerts",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"analysis date",
"file score",
"delphi",
"dns query",
"dyndns domain",
"delphi alerts",
"contacted",
"pulses",
"date june",
"dynamicloader",
"medium",
"high",
"yara rule",
"write c",
"win32",
"entries",
"write",
"guard",
"next",
"code",
"malware",
"local",
"unknown",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"javascript",
"spawns",
"ck techniques",
"initial access",
"defense evasion",
"ltd flag",
"contacted hosts",
"network related",
"response risk",
"mitre att",
"detection",
"detected",
"external",
"detected text",
"general",
"possible http",
"xss attempt",
"local source",
"possible",
"sinkhole cookie",
"value snkz",
"forbidden tls",
"virtool",
"copy",
"geodata",
"hacking",
"cloud id"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7135937-0",
"display_name": "Unix.Trojan.Mirai-7135937-0",
"target": null
},
{
"id": "Ransom:Win32/Blocker.NN!MTB",
"display_name": "Ransom:Win32/Blocker.NN!MTB",
"target": "/malware/Ransom:Win32/Blocker.NN!MTB"
},
{
"id": "VirTool:Win32/Injector.CL",
"display_name": "VirTool:Win32/Injector.CL",
"target": "/malware/VirTool:Win32/Injector.CL"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1066",
"name": "Indicator Removal from Tools",
"display_name": "T1066 - Indicator Removal from Tools"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1647,
"FileHash-MD5": 196,
"FileHash-SHA1": 187,
"FileHash-SHA256": 450,
"domain": 211,
"hostname": 779
},
"indicator_count": 3470,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692e2d950ac7d1e2a3454a4f",
"name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack",
"description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers",
"modified": "2025-12-31T23:04:59.378000",
"created": "2025-12-02T00:06:45.807000",
"tags": [
"iocs",
"drop",
"network traffic",
"ck id",
"mitre att",
"ck matrix",
"network related",
"detected",
"t1566",
"t1204",
"united",
"click",
"windir",
"openurl c",
"prefetch2",
"tor analysis",
"dns requests",
"learn",
"suspicious",
"informative",
"name tactics",
"adversaries",
"command",
"initial access",
"spawns",
"found",
"binary file",
"t1189",
"regsetvalueexa",
"regdword",
"post http",
"medium",
"high",
"regbinary",
"loader",
"dock",
"write",
"malware",
"unknown",
"romania unknown",
"present may",
"msie",
"chrome",
"body",
"passive dns",
"ip address",
"present jun",
"welcome",
"accept",
"encrypt",
"gmt content",
"ipv4 add",
"url analysis",
"urls",
"files",
"reverse dns",
"unknown aaaa",
"certificate",
"hostname add",
"error",
"flag",
"domain address",
"contacted hosts",
"type",
"india unknown",
"record value",
"body html",
"head title",
"title",
"entries",
"read c",
"high defense",
"evasion",
"yara detections",
"virtool",
"win32",
"ahmann",
"hacker group",
"law firm",
"order",
"google",
"smart assembly"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "VirTool:MSIL/Injector.BF",
"display_name": "VirTool:MSIL/Injector.BF",
"target": "/malware/VirTool:MSIL/Injector.BF"
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1087.003",
"name": "Email Account",
"display_name": "T1087.003 - Email Account"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 115,
"FileHash-SHA1": 112,
"FileHash-SHA256": 589,
"URL": 1795,
"SSLCertFingerprint": 3,
"domain": 319,
"hostname": 847,
"email": 1
},
"indicator_count": 3781,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692e1b4122a419384f1add7f",
"name": "Cutwail Trojan DownLoader | Driveby compromises | Redirect",
"description": "Cutwail Trojan DownLoader | Driveby comprises | Malicious Redirects.\n\nSuspicious redirects from Google homepage to \u2018Doodle\u2019s\nHeavy , ongoing cyber attack. Affects, iOS, Android, Cellular networks (global)\n\nI\u2019m hoping OTX will fully pulse. Indicators will be pulsed fully relying on OTX auto\npulse alone. No references or input from me.",
"modified": "2025-12-31T22:02:44.679000",
"created": "2025-12-01T22:48:33.510000",
"tags": [
"filehashmd5",
"filehashsha256",
"sha256",
"filehashsha1",
"indicator role",
"title added",
"active related",
"type indicator",
"role title",
"added active",
"related pulses",
"dynamicloader",
"medium",
"show",
"entries",
"dynamic",
"pe section",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"copy",
"write",
"flag",
"misc activity",
"et info",
"cloudflare dns",
"over https",
"windir",
"openurl c",
"prefetch2",
"dns requests",
"domain address",
"google homepage",
"html",
"binary file",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"matched",
"redirect",
"t1189",
"learn",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"ck techniques",
"alert",
"potential ip",
"general",
"click",
"united",
"analysis tip",
"analysis",
"tor analysis",
"date",
"c pe",
"data upload",
"extraction",
"iocs",
"manually add",
"network traffic",
"detected",
"t1566",
"submitted url",
"t1204"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 95,
"FileHash-SHA1": 95,
"FileHash-SHA256": 183,
"hostname": 227,
"domain": 83,
"URL": 575
},
"indicator_count": 1258,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692e13386db2fdd32faf8999",
"name": "iOS Exploits \u2022\u2019 Cutwail Botnet - Telef\u00f3nica, S.A.",
"description": "Cutwail Botnet has a long history as a spambot. Sends malicious communications, may take system root. Cyber criminals.\n\n[OTX auto populated - Adversaries may be able to gain access to a victim's network by browsing a website over the normal course of browsing, but only if the victim is aware of the target's location and settings.]",
"modified": "2025-12-31T21:02:25",
"created": "2025-12-01T22:14:16.628000",
"tags": [
"canada canada",
"united",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"t1590 gather",
"victim network",
"mitre att",
"ck techniques",
"contacted hosts",
"ip address",
"unknown",
"tls handshake",
"failure",
"forbidden",
"msie",
"windows nt",
"tlsv1",
"search",
"show",
"copy",
"write",
"malware",
"next"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2784,
"hostname": 2271,
"URL": 6612,
"FileHash-SHA256": 956,
"FileHash-MD5": 102,
"FileHash-SHA1": 100,
"SSLCertFingerprint": 10
},
"indicator_count": 12835,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692e131f210ea9c656748c0c",
"name": "iOS Exploits \u2022\u2019 Cutwail Botnet - Telef\u00f3nica, S.A.",
"description": "Cutwail Botnet has a long history as a spambot. Sends malicious communications, may take system root. Cyber criminals.\n\n[OTX auto populated - Adversaries may be able to gain access to a victim's network by browsing a website over the normal course of browsing, but only if the victim is aware of the target's location and settings.]",
"modified": "2025-12-31T21:02:25",
"created": "2025-12-01T22:13:50.416000",
"tags": [
"canada canada",
"united",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"t1590 gather",
"victim network",
"mitre att",
"ck techniques",
"contacted hosts",
"ip address",
"unknown",
"tls handshake",
"failure",
"forbidden",
"msie",
"windows nt",
"tlsv1",
"search",
"show",
"copy",
"write",
"malware",
"next"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2784,
"hostname": 2271,
"URL": 6612,
"FileHash-SHA256": 956,
"FileHash-MD5": 102,
"FileHash-SHA1": 100,
"SSLCertFingerprint": 10
},
"indicator_count": 12835,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692d02f096f3ec8b5b507496",
"name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace",
"description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.",
"modified": "2025-12-31T02:01:50.101000",
"created": "2025-12-01T02:52:32.483000",
"tags": [
"business",
"enterprise",
"drive",
"english",
"google drive",
"try drive",
"business small",
"workspace",
"sign",
"strong",
"find",
"life",
"tools",
"protect",
"cloud",
"simple",
"android",
"indonesia",
"video",
"mb download",
"shared may",
"shared",
"learn",
"drive drive",
"name date",
"javascript",
"dynamicloader",
"medium",
"minimal headers",
"high",
"observed get",
"get http",
"united",
"yara rule",
"http",
"write",
"guard",
"malware",
"read c",
"ms windows",
"intel",
"png image",
"rgba",
"pe32",
"get na",
"explorer",
"music",
"virlock",
"media",
"ho chi",
"minh city",
"viet nam",
"storage company",
"limited",
"google",
"address as",
"luutruso",
"cloudflar",
"domain",
"asn15169",
"asn56153",
"asn13335",
"cisco",
"umbrella rank",
"apex domain",
"url https",
"kb stylesheet",
"kb font",
"kb image",
"image",
"kb script",
"november",
"resource path",
"size",
"type mimetype",
"primary request",
"redirect chain",
"kb document",
"urls",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"t1590 gather",
"windir",
"openurl c",
"prefetch2",
"tor analysis",
"dns requests",
"domain address",
"rsdsq jfu",
"ollydbg ollydbg",
"wireshark",
"external",
"binary file",
"mitre att",
"ck matrix",
"aaaa",
"cong ty",
"co phan",
"code",
"province hcm",
"files",
"ip address",
"request",
"flag",
"country",
"contacted hosts",
"process details",
"link initial",
"t1480 execution",
"domains",
"moved",
"gmt content",
"all ipv4",
"url analysis",
"location viet",
"title",
"error",
"problem",
"url add",
"related nids",
"files location",
"flag united",
"development att",
"name server",
"markmonitor",
"localappdata",
"programfiles",
"edge",
"hyundai",
"social engineering",
".mil",
"hackers",
"phishing eml",
"summary",
"cisco umbrella",
"google safe",
"browsing",
"current dns",
"a record",
"ip information",
"ipasns ip",
"detail domain",
"domain tree",
"links apex",
"transfer",
"b script",
"b stylesheet",
"frame b830",
"b document",
"value",
"december",
"degurafregistry",
"gat object",
"jsl object",
"gapijstiming",
"iframe function",
"domainpath name",
"nid value",
"source level",
"files domain",
"files related",
"tags",
"related tags",
"virustotal",
"foundry",
"pulse otx",
"dark",
"vietnam",
"present aug",
"present nov",
"present jul",
"present sep",
"unknown aaaa",
"search",
"name servers",
"present oct",
"trojan",
"data upload",
"extraction",
"se https",
"include review",
"exclude sugges",
"find s",
"failed",
"typ don",
"faith",
"study",
"romeo\u2019s",
"juliettes",
"femme fatales",
"strategy",
"honey pot",
"honey traps",
"spy",
"helix",
"anons",
"passive dns",
"pulse pulses",
"files ip",
"address",
"location united",
"asn as400519",
"whois registrar",
"ms defender",
"files matching",
"number",
"sample analysis",
"hide samples",
"date hash",
"cameras",
"cams",
"spycam",
"botnet",
"vietnam",
"company limited",
"dnssec",
"status",
"india unknown",
"present may",
"espionage",
"hostname add",
"generic",
"cnc activity",
"backdoor",
"ipv4",
"anonsecbotnet",
"iptv"
],
"references": [
"drive.google.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"zalo.me | href | Binary File | ATT&CK ID T1566.002",
"https://account.helix.com/activate/start",
"anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022",
"https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]",
"Terse Unencrypted Request for Google - Likely Connectivity Check",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6",
"cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com",
"https://hyundaibariavungtau3s.com/vehicle/stargazer",
"https://hyundaibariavungtau3s.com/vehicle/ioniq-5",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade",
"https://hyundaibariavungtau3s.com/vehicle/hyundai-custin",
"https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/",
"https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com",
"https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com",
"http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/",
"http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466",
"https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam",
"feedback-pa.clients6.google.com/v1/survey/trigger/",
"https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg",
"anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Virus.Virlock-6804475-0",
"display_name": "Win.Virus.Virlock-6804475-0",
"target": null
},
{
"id": "Win.Malware.Bzub-6727003-0",
"display_name": "Win.Malware.Bzub-6727003-0",
"target": null
},
{
"id": "Win.Trojan.Generic-9801687-0",
"display_name": "Win.Trojan.Generic-9801687-0",
"target": null
},
{
"id": "NID",
"display_name": "NID",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Floxif.E",
"display_name": "Trojan:Win32/Floxif.E",
"target": "/malware/Trojan:Win32/Floxif.E"
},
{
"id": "Win.Dropper.njRAT-10015886-0",
"display_name": "Win.Dropper.njRAT-10015886-0",
"target": null
},
{
"id": "Win.Packed.Generic-9795615-0",
"display_name": "Win.Packed.Generic-9795615-0",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ GC!",
"display_name": "Backdoor:MSIL/Bladabindi.AJ GC!",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!"
},
{
"id": "Win.Packed.Generic-9795615-0\t.",
"display_name": "Win.Packed.Generic-9795615-0\t.",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ",
"display_name": "Backdoor:MSIL/Bladabindi.AJ",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ"
},
{
"id": "Win.Packed.Fecn-7077459-0",
"display_name": "Win.Packed.Fecn-7077459-0",
"target": null
},
{
"id": "Trojan:MSIL/Ranos.A",
"display_name": "Trojan:MSIL/Ranos.A",
"target": "/malware/Trojan:MSIL/Ranos.A"
},
{
"id": "Win.Trojan.Generic-6417450-0",
"display_name": "Win.Trojan.Generic-6417450-0",
"target": null
},
{
"id": "ALF:Backdoor:MSIL/Noancooe.KA",
"display_name": "ALF:Backdoor:MSIL/Noancooe.KA",
"target": null
},
{
"id": "Win.Packed.Msilperseus-9956592-0",
"display_name": "Win.Packed.Msilperseus-9956592-0",
"target": null
},
{
"id": "Trojan:MSIL/ClipBanker",
"display_name": "Trojan:MSIL/ClipBanker",
"target": "/malware/Trojan:MSIL/ClipBanker"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1039",
"name": "Data from Network Shared Drive",
"display_name": "T1039 - Data from Network Shared Drive"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1567.002",
"name": "Exfiltration to Cloud Storage",
"display_name": "T1567.002 - Exfiltration to Cloud Storage"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1911,
"hostname": 714,
"FileHash-SHA256": 1304,
"FileHash-MD5": 159,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 2,
"domain": 421,
"CVE": 1,
"email": 4
},
"indicator_count": 4587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "109 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692a86b454eea18b993a2078",
"name": "DC RAT Injection | Endgame Systems | Lazarus Group related",
"description": "Monitoring. MITRE ATT&CK (T1057) Monitored target/s. DNS requests. Property discovery \n\nRelated to Lazarus Groups expansion",
"modified": "2025-12-29T03:02:56.986000",
"created": "2025-11-29T05:37:56.021000",
"tags": [
"ukraine",
"win32",
"dynamicloader",
"ssl cert",
"write c",
"asyncrat",
"various rat",
"dcrat",
"write",
"guard",
"malware",
"all ipv4",
"ukraine asn",
"dns resolutions",
"domains top",
"level",
"read c",
"memcommit",
"user execution",
"delete",
"msie",
"windows nt",
"dock",
"execution",
"masking",
"yara rule",
"high",
"windows",
"msvisualcpp60",
"process",
"intel",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"flag",
"ukraine ukraine",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"dynu",
"mitre att",
"ck matrix",
"ascii text",
"pattern match",
"network traffic",
"t1071",
"t1057",
"general",
"local",
"path",
"beginstring",
"segoe ui",
"null",
"refresh",
"body",
"click",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart"
],
"references": [
"https://hybrid-analysis.com/sample/64e591d43f920a5194806bba9da40e0344db5333cd773da4df4f27259222529d/692a7e373e637b291e0a0957",
"Statutory Masking Enabled - a domain registrar is hiding the public contact information for a domains",
"registrant in its WHOIS record, often due to regulations like GDPR or ICANN policies.",
"MITRE ATT&CK (T1057) Monitoring Target/s. Can be reviewed in Hybrid-Analysis sample."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/AmsiTamper.B",
"display_name": "ALF:HeraklezEval:Trojan:Win32/AmsiTamper.B",
"target": null
},
{
"id": "Win.Trojan.DcRat-10039889-0",
"display_name": "Win.Trojan.DcRat-10039889-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "TA0039",
"name": "Remote Service Effects",
"display_name": "TA0039 - Remote Service Effects"
},
{
"id": "TA0038",
"name": "Network Effects",
"display_name": "TA0038 - Network Effects"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 482,
"URL": 819,
"FileHash-SHA256": 274,
"domain": 102,
"email": 1,
"FileHash-MD5": 73,
"FileHash-SHA1": 65,
"SSLCertFingerprint": 1
},
"indicator_count": 1817,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "111 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6928f8d9e4222a6a219d785e",
"name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks",
"description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]",
"modified": "2025-12-28T00:04:06.179000",
"created": "2025-11-28T01:20:25.401000",
"tags": [
"dynamicloader",
"json",
"ascii text",
"high",
"data",
"x90uxa4xf8",
"cape",
"stream",
"guard",
"write",
"trojan",
"redline",
"malware",
"push",
"local",
"injection_inter_process",
"recon_fingerprint",
"persistence_ads",
"process_creation_suspicious_location",
"infostealer_browser",
"infostealer_cookies",
"stealth_file",
"cape_detected_threat",
"antivm_generic_bios",
"cape_extracted_content",
"united",
"mtb jul",
"a domains",
"aaaa",
"443 ma86400",
"servers",
"win32upatre jul",
"virtool",
"b778b1",
"div div",
"d9e4f4",
"edf2f8",
"present mar",
"fastest privacy",
"first dns",
"win32",
"trojandropper",
"passive dns",
"mtb nov",
"ipv4 add",
"asn as13335",
"dns resolutions",
"domain",
"data upload",
"extraction",
"yara",
"troja yara",
"trojar data",
"virto",
"worn data",
"included iocs",
"manually add",
"resolved ips",
"ta0002",
"evasion ta0005",
"tr shared",
"modules",
"files",
"infor",
"t1027",
"process t1057",
"community score",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"name server",
"date",
"cloudflare",
"data protected",
"misc activity",
"et info",
"dns requests",
"domain address",
"gmt flag",
"techtarget",
"server",
"et policy",
"prefetch2",
"t1179 hooking",
"access windows",
"installs",
"mitre att",
"ck techniques",
"click",
"windir",
"country",
"contacted hosts",
"ip address",
"process details",
"contacted",
"http traffic",
"suricata alerts",
"event category",
"found"
],
"references": [
"Malware : ClipBanker Entity: Crazy Frost",
"www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Services : GoogleChromeElevationService = Delete",
"Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap",
"Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap",
"Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap",
"Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj",
"Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap",
"Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake",
"Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
"CS IDS: Matches rule (http_inspect) invalid status line",
"CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.",
"jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube/"
],
"public": 1,
"adversary": "Crazy Frost",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Trojan.Disfa/downloader10",
"display_name": "Trojan.Disfa/downloader10",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Zusy",
"display_name": "Trojan:Win32/Zusy",
"target": "/malware/Trojan:Win32/Zusy"
},
{
"id": "Rozena",
"display_name": "Rozena",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1464",
"name": "Jamming or Denial of Service",
"display_name": "T1464 - Jamming or Denial of Service"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 295,
"FileHash-SHA1": 217,
"FileHash-SHA256": 1887,
"URL": 3263,
"domain": 597,
"hostname": 1085,
"email": 2,
"CVE": 1
},
"indicator_count": 7347,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "112 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692897a64c0e255409b5a67e",
"name": "Frost Security | Attorneys | Government | Crazy",
"description": "Dangerous. Being abused by the usual quasi government suspects. Affecting many targets including Candace Owens. Who can you turn to when your own government is 100% corrupt. \n\nCall me crazy. Idk. DJT was likely shot with a High Velocity Paint Ball. Why isn\u2019t anyone interviewing the families of the 3 \u2018allegedly\u2019 successfully assassinated. \n\nIs Charlie Kirk Dead or in hiding, an alien that doesn\u2019t bleed? \n\nLook it up. High Velocity Paint Ball is a very intensely underrated, nharsky spoken about sport enjoyed by gun enthusiast , snipers , military, civilians. Something weird is going on and it\u2019s actually obvious because they just want results.\n There\u2019s more disturbing things to come. I think more people are being taken out this way than we know.\nBy now I\u2019m under too much surveillance to just leave out casually. \nTerrifying for sure. I know Hos of the Bible is bigger.",
"modified": "2025-12-27T17:01:06.155000",
"created": "2025-11-27T18:25:42.570000",
"tags": [
"active",
"type win32",
"exe size",
"first seen",
"malicious avg",
"win32",
"gdata",
"dynamicloader",
"fe ff",
"high",
"write c",
"data",
"x00bx00",
"uswv",
"write",
"redline",
"stream",
"guard",
"malware",
"push",
"local",
"crazyfrost",
"adversarial",
"hacker",
"extraction",
"enter sc",
"data upload",
"extre data",
"included iocs",
"url http",
"url https",
"include review",
"exclude sugges",
"frost security",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ip address",
"process details",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"signing defense",
"united",
"flag",
"contacted",
"http traffic",
"file defense",
"mitre att",
"ck techniques",
"evasion att",
"belize",
"div div",
"passive dns",
"link",
"ipv4 add",
"url analysis",
"urls",
"files",
"meta",
"ddos",
"indicators show",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"hostname",
"types",
"hosanna",
"x show",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1036",
"capture",
"cookie",
"palantir",
"indicator role",
"active related",
"description",
"trump supporter",
"types of",
"germany",
"china",
"netherlands",
"https",
"notice",
"billions",
"stop",
"boobs130432 no",
"expiration",
"location poland",
"asn as29522",
"learn more",
"domain",
"foundry",
"hallrender",
"brian sabey",
"tam legal",
"christopher p ahmann",
"palantir",
"quasi government",
"pentagon"
],
"references": [
"http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL",
"http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"https://www.hallrender.com/attorney/brian-sabey/Accept",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
"http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing",
"http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"http://advocate-smyslova.ru/tsara-brashears/",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833",
"http://orangeporntube.net/tsara-brashears.html",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://videolal.com/tsara-brashears-dead.html",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
"http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"http://www.tryporn.net/seach/tsara-brashears/",
"https://alohatube.xyz/search/tsara-brashearsL",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://orangeporntube.net/tsara-brashears.html",
"https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
"https://youjizz.sex/tsara-brashears.html",
"https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/",
"https://www.xvxx.me/search/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.sweetheartvideo.com/tsara-brashear",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.bukaporn.net/trend/tsara-brashears/",
"tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://mom2fuck.mobi/tsara-brashears.html",
"http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/",
"http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com",
"https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar",
"Targeting Tsara Brasheras and associated",
"Targeting Candace Owens"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1116",
"name": "Code Signing",
"display_name": "T1116 - Code Signing"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Government",
"Defense",
"Healthcare"
],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3709,
"hostname": 1109,
"FileHash-SHA256": 2872,
"FileHash-MD5": 214,
"FileHash-SHA1": 203,
"domain": 557
},
"indicator_count": 8664,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "112 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68db395368d6c4042517f3f3",
"name": "Target Saver M1 Agent TSA Spy \u2022 Mastadon - Hit Tip! Thanks!",
"description": "Hot Tip! I would love to give a shout out to the person who provided this information, I\u2019m not sure if they want to remain anonymous or not. Thank SO Much!\n\nSpyware and a source for distributing malicious media. Complete foothold\non networks, browsers, phones, search history and everything, massive streaming pornography distributed, members and contributors. \n\nVery important tip. I will analyze and break down into digestible pulse sizes.",
"modified": "2025-12-27T15:01:22.545000",
"created": "2025-09-30T01:58:43.592000",
"tags": [
"http traffic",
"match info",
"http get",
"info performs",
"dns query",
"https http",
"mitre att",
"evasion ta0005",
"creates",
"info",
"oc0006 http",
"wininet c0005",
"resolved ips",
"get http",
"html document",
"unicode text",
"dynamicloader",
"fe ff",
"medium",
"x00bx00",
"uswv",
"k uswv",
"search",
"high",
"delete c",
"yara detections",
"redline",
"guard",
"write",
"united",
"present sep",
"aaaa",
"passive dns",
"urls",
"next associated",
"found",
"x content",
"hacktool",
"trojan",
"error",
"lowfi",
"win32",
"worm",
"ip address",
"mtb apr",
"ransom",
"virtool",
"ain add",
"directui",
"element",
"classinfobase",
"ccbase",
"hwndhost",
"yara rule",
"hpavvalue",
"qaejh",
"name servers",
"cryp",
"emails",
"next related",
"domain related",
"no expiration",
"url http",
"url https",
"indicator role",
"hostname",
"email",
"present jun",
"present aug",
"present jul",
"servers",
"title",
"encrypt",
"altsvc h3",
"date tue",
"acceptranges",
"reportto",
"server",
"gmt expires",
"gmt contenttype",
"script",
"expiresthu",
"maxage63072000",
"pragma",
"google safe",
"unknown ns",
"files",
"location united",
"asn as15169",
"trojandropper",
"susp",
"creation date",
"asn as133618",
"tags",
"related tags",
"indicator facts",
"backdoor",
"ipv4 add",
"click",
"artro",
"target saver",
"trojanspy",
"reverse dns",
"america flag",
"443 ma2592000",
"hostname add",
"verdict",
"present mar",
"present jan",
"present dec",
"present apr",
"ipv4",
"type indicator",
"role title",
"related pulses",
"iocs",
"moved",
"downloads",
"apple",
"microsoft",
"hexagonsystem",
"mastadon",
"status",
"twitter",
"gmt content",
"easyredir cache",
"v4 add",
"redacted for",
"privacy tech",
"privacy admin",
"registrar abuse",
"available from",
"algorithm",
"key identifier",
"x509v3 subject",
"entity",
"code",
"date",
"dnssec",
"showing",
"unknown aaaa",
"sha256",
"sha1",
"ascii text",
"ck id",
"show technique",
"ck matrix",
"meta",
"hybrid",
"general",
"local",
"path",
"strings",
"copy md5",
"copy sha1",
"copy sha256",
"certificate"
],
"references": [
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"mastodon.social",
"https://families.google/intl/pt-PT_ALL/familylink/",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"https://discuss.ai.google.dev/c/gemma/10",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"https://m.bigwetbutts.com/ tmi",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"Mirai: simswap.in",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"display_name": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"target": null
},
{
"id": "Win.Ransomware.Bitman-9862733-0",
"display_name": "Win.Ransomware.Bitman-9862733-0",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Target Saver",
"display_name": "Target Saver",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Hacktool",
"display_name": "Hacktool",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Media",
"Legal",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2964,
"hostname": 1164,
"URL": 4334,
"domain": 956,
"FileHash-MD5": 476,
"FileHash-SHA1": 451,
"CVE": 1,
"email": 20,
"SSLCertFingerprint": 2
},
"indicator_count": 10368,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "112 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6927ed9849e14dfc59441aba",
"name": "ET MALWARE PPI User-Agent (InstallCapital) Targets media personality",
"description": "ET MALWARE PPI User-Agent (InstallCapital) Targets a media personality. Tip: Issues noticed when a fan attempted to maneuver through website. A blank page prevented fan from going or wanting to continue exploring the website given the recent content discussed on \u2018 The Candace Owen\u2019s\u2019 YouTube channel. I reviewed several shows over the past several months without noticing an issue. I\u2019ve never been to her website. I believe Candace Owens is likely promoting true information about being targeted. I experienced an issue re: Tucker Carlson prior to several allegations of being targeted. There is a \u2018List\u2019. It\u2019s seriously unsettling.",
"modified": "2025-12-26T00:03:48.113000",
"created": "2025-11-27T06:20:08.719000",
"tags": [
"installcap",
"ir ei",
"malware ppi",
"useragent",
"cap cure",
"ip unknown",
"udp include",
"top source",
"top destination",
"source source",
"dynamicloader",
"yara detections",
"dynamic",
"pe section",
"av detections",
"ids detections",
"ransom",
"code overlap",
"regdword",
"search",
"show",
"medium",
"post http",
"regbinary",
"gb st",
"salford o",
"virtool",
"malware",
"dock",
"loader",
"downloader",
"write",
"suspicious",
"win32"
],
"references": [
"Domain Targeted: https://candaceowens.com/",
"Detections ET MALWARE PPI User-Agent (InstallCapital)",
"Yara Detections : RansomWin32Stampado CodeOverlap TrojanWin32Genkrypet | CodeOverlap",
"Domains Contacted : kiss.oatmealscene.loan \u2022 won.channeltest.bid",
"IDS Detections : Win32/AdWare.ICLoader Variant Checkin Suspicious (Virtool:Win32/Obfuscator.AOY)",
"IDS Detections : User-Agent containing Loader Observed (Virtool:Win32/Obfuscator.AOY)",
"Yara Detections RansomWin32Stampado , TrojanWin32Genkrypet",
"Tucker Carlson Pulse : https://otx.alienvault.com/pulse/68c73fbd85dfbb4d41006ad1",
"Tucker Carlson : palander.stjernstrom.se \u2022 containers-chupalla.palantirfedstart.com",
"It\u2019s still illegal to murder , intimidate , harass or threaten harm. It\u2019s happening anyway.",
"It\u2019s not illegal to research , examine results, report , share or warn.",
"It seems as Palantir has taken over as Commander & Chief and US government infrastructure.",
"There has been an unsettling uptick in physical violence against one Colorado targets family."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALFPER:InstallCapital",
"display_name": "ALFPER:InstallCapital",
"target": null
},
{
"id": "Virtool:Win32/Obfuscator.AOY",
"display_name": "Virtool:Win32/Obfuscator.AOY",
"target": "/malware/Virtool:Win32/Obfuscator.AOY"
}
],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [
"Media"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 260,
"domain": 70,
"URL": 481,
"FileHash-SHA256": 166,
"FileHash-MD5": 31,
"FileHash-SHA1": 29
},
"indicator_count": 1037,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "114 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"",
"https://www.redpacketsecurity.com/firefox-0day-cve-2015-4495/",
"http://advocate-smyslova.ru/tsara-brashears/",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"Tipped: A targets AI and other cyber research findings.",
"nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au",
"http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}",
"Yara Detections: is__elf",
"apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://otx.alienvault.com/indicator/hostname/pegasus.pahamify.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"IOCs.2026.2.csv",
"https://www.redpacketsecurity.com/cve_alert_cve-2024-12847/",
"Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca",
"inst.govelopscold.com",
"http://appleid.app",
"Yare: compromised_site_redirector_fromcharcode",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"https://prod.centurylinktechnology.com",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
"TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://discuss.ai.google.dev/c/gemma/10",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
"127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies",
"Alerts: infostealer_cookies antiav_detectfile",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"tulach.cc",
"Mirai",
"https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"Targeting Tsara Brasheras and associated",
"https://otx.alienvault.com/pulse/694898db3a9999fecfd893cb",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"TAGS: mtb yara name servers name tactics network traffic new browser next associated next",
"Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net",
"Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"Tracking LummaC2 Infrastructure with Cats (byAlienVault) https://otx.alienvault.com/pulse/6839003a3028827e1ebbfb1a",
"apple.com \u2022 getsupport.apple.com \u2022",
"https://otx.alienvault.com/indicator/domain/Tamlegal.com",
"https://image.emails.sonymusicfans.com/lib/fe9a12747566007d70/m/1/eb6e3ce4-7a7b-4435-a2cd-968f7277e6e0.png",
"https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226",
"DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) Possible ETERNALBLUE Probe MS17-010 (Generic Flags) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic , MS17_010_WanaCry_worm , stack_string More Alerts 25 Alerts suspicious_iocontrol_codes persistence_autorun persistence_autorun_tasks stealth_file suricata_alert antivm_generic_disk anomalous_deletefil",
"https://www.sweetheartvideo.com/tsara-brashears",
"Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
"CloudFlare Domain: apple-dns.net",
"Contacted: newmethcnc.duckdns.org",
"Yara Detections : RansomWin32Stampado CodeOverlap TrojanWin32Genkrypet | CodeOverlap",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"fidelity-account.com e http://fidelity-account.com/fidelity/code.html",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"https://www.redpacketsecurity.com/cve_alert_cve-2025-4140/",
"177-231-69-38-static.reverse.queryfoundry.net",
"Looks like a Pegasus tracking sphere. All contacts and contacts, contacts tracked.",
"It\u2019s still illegal to murder , intimidate , harass or threaten harm. It\u2019s happening anyway.",
"direwolf-8b1a1bc476.staging.herokuappdev.com",
"Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT",
"\"ET WEB_SERVER WebShell Generic - wget http - POST",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"7box.vip",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250",
"IP\u2019s Contacted: 172.64.41.3 63.140.62.27 162.159.140.165 23.199.75.66",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.hallrender.com/attorney/brian-sabey/Accept",
"https://aws.hirecar.net/",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
"https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com",
"IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz",
"adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander",
"https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"I apologize for the lack of reference.",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
"MITRE ATT&CK (T1057) Monitoring Target/s. Can be reviewed in Hybrid-Analysis sample.",
"http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com",
"Instagram.com",
"MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
"IDS Detections : User-Agent containing Loader Observed (Virtool:Win32/Obfuscator.AOY)",
"pandacookie2018.xyz",
"https://bhive.nectar.social/rKvoMY",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB",
"ET INFO User-Agent (python-requests) Inbound to Webserver",
"AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference",
"http://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT",
"output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]",
"https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"w32.virut.cf \u2022 win32.virut.am \u2022 virut.cf \u2022 http://w32.virut.cf \u2022http://w32.virut.cf/ \u2022 https://w32.virut.cf",
"Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
"Targeting Candace Owens",
"Suspicious User Agent | ETPRO POLICY Python Requests",
"167-16-68-38-static.reverse.queryfoundry.net",
"ELF:Agent-AQB\\ [Trj]",
"tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"mastodon.social",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe",
"div>
",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"http://foundry2-lbl.dvr.dn2.n-helix.com",
"Antivirus Detections: Win.Malware.Pits-10035540-0",
"drive.google.com/",
"Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
"Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf",
"Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
"Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com \u2022\u2019survey-smiles.com",
"https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"8-25-220-162-static.reverse.queryfoundry.net",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e",
"Yara Detections RansomWin32Stampado , TrojanWin32Genkrypet",
"http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html",
"TAGS: pyspark python python initiated quic ransom recipes record value redacted for",
"Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"foundry.com \u2022 helix. com",
"TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push",
"https://hybrid-analysis.com/sample/64e591d43f920a5194806bba9da40e0344db5333cd773da4df4f27259222529d/692a7e373e637b291e0a0957",
"Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"Alerts: suspicious_tld queries_computer_name dynamic_function_loading",
"ipv4bot.whatismyipaddress.com",
"zalo.me | href | Binary File | ATT&CK ID T1566.002",
"Tucker Carlson : palander.stjernstrom.se \u2022 containers-chupalla.palantirfedstart.com",
"TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161",
"https://m.bigwetbutts.com/ tmi",
"https://feedback.ptv.vic.gov.au/360",
"IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)",
"track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software",
"192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access ",
"ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,",
"Yara: Detections Delphi",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing",
"154-143-182-107-static.reverse.queryfoundry.net",
"Antivirus Detections: Win.Ransomware.Wanna-9769986-0 , Ransom:Win32/WannaCrypt.H",
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"https://forms.sonymusicfans.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"https://www.vgt.pl/favicon.ico",
"Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
"https://hyundaibariavungtau3s.com/vehicle/ioniq-5",
"\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"https://t.me/",
"It seems as Palantir has taken over as Commander & Chief and US government infrastructure.",
"More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de",
"Yara Detections: LZMA",
"IP\u2019s Contacted 2530 IP\u2019s Contacted 1.0.0.1 1.0.0.10 1.0.0.100 1.0.0.101 1.0.0.102 | Domains Contacted: 9654s.com",
"https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022",
"IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75",
"A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin",
"Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options",
"https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan",
"IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check",
"Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:",
"Telnet Root Password Inbound TELNET login failed root login Bad Login Less",
"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://palapa.c.id\t (c.id)",
"http://videolal.com/tsara-brashears-dead.html",
"Services : GoogleChromeElevationService = Delete",
"Fastly Error and Palantir blocked several times over the last few months.",
"181-135-182-107-static.reverse.queryfoundry.net",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"Yara Detections: is__elf , ECHOBOT",
"IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80",
"http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt",
"Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed",
"Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide",
"http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"queryfoundry.net",
"https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d",
"https://forms.sonymusicfans.com/campaign/all \u2022 https://forms.sonymusicfans.com/campaign/mmph/",
"Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com",
"http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
"Terse Unencrypted Request for Google - Likely Connectivity Check",
"TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud",
"TCP SYN packets were observed",
"Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name",
"Antivirus Detections: Trojan:Win32/Dorv.A",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"IDS Detections: Suspicious Activity potential UPnProxy",
"https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/",
"Requires further research.",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://unicef.se/assets/apple",
"http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html",
"https://brand2.centurylinktechnology.com",
"https://www.anyxxxtube.net/search-porn/",
"IDS Detections: Domain (whatismyipaddress .com in HTTP Host)",
"Tucker Carlson Pulse : https://otx.alienvault.com/pulse/68c73fbd85dfbb4d41006ad1",
"www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/",
"Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..",
"File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..",
"https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"https://eurotarget.com/it/auto/toyota/c-hr/",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"mycvsvet.co.uk - Team Blue Internet Services UK Limited",
"upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4",
"http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
"SUSPICIOUS Path to BusyBox HiSilicon DVR - Default",
"Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com",
"Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject",
"Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
"http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL",
"https://hyundaibariavungtau3s.com/vehicle/hyundai-custin",
"CloudFlare IP\u2019s: 104.18.36.237 ,104.18.37.237",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att",
"TAGS: detection detections detections name development att direct dirty dns resolutions domain",
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/",
"Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage",
"Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN",
"URL http://url8878.e.sonymusicfans.com/ls/click \u2022 https://forms.sonymusicfans.com/campaign/all",
"push.apple.com \u2022 emails.redvue.com \u2022 apple-dns.net \u2022 57.122.151.130 \u2022 https://teja8.kuikr.com/i6/20181130/Apple",
"Yara Detections: Nullsoft_NSIS ...",
"http://www.tryporn.net/seach/tsara-brashears/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"Brian Sabey",
"There has been an unsettling uptick in physical violence against one Colorado targets family.",
"Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"https://www.xvxx.me/search/tsara-brashears/",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com",
"Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"DYNAMIC_DNS Query to *.duckdns. Domain",
"Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"Alerts: dead_host network_icmp tcp_by",
"Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key",
"HTTPS://BeeLineRouter.Net",
"MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex",
"http://213.209.143.24/ppc \u2022 http://213.209.143.24/rep.i486 \u2022 http://213.209.143.24/rep.sh4",
"http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/",
"Alerts: console_output has_pdb pe_unknown_resource_name",
"https://otx.alienvault.com/indicator/ip/3.163.24.10",
"Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9",
"https://research.checkpoint.com/2026/silver-dragon-targets-organizations-in-southeast-asia-and-europe/",
"Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.",
"Win32/Tofsee.AX google.com connectivity check",
"https://palantir-staging.staging.candidate.app.paulsjob.ai/",
"Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"Domain Targeted: https://candaceowens.com/",
"http://spiritzuridgerunelahubcloudgusparkx.rest/",
"apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio",
"https://youjizz.sex/tsara-brashears.html",
"https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary",
"https://families.google/intl/pt-PT_ALL/familylink/",
"Has been present throughout a specific campaign",
"IPs Contacted: 149.56.240.31 172.66.136.209",
"IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout",
"nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022",
"Small_Yara: IP\u2019s Contacted 176.32.103.205 205.251.242.103",
"IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.",
"IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net",
"cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf",
"Detections ET MALWARE PPI User-Agent (InstallCapital)",
"https://www.redpacketsecurity.com/cve_alert_cve-2025-4135/",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"Antivirus Detections: Unix.Trojan.Mirai-10028259-0 | Mirai (ELF) Mirai (Windows",
"EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"https://image.emails.sonymusicfans.com/lib/fe9412747566057a72/m/1/b381d305-8e17-49be-bc99-e5fab3a7cd17.gif",
"Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile",
"It appears there are 5-7 known affected that I was able to find",
"Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
"TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip",
"http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF",
"Tulach - 114.114.114.114",
"Domains Contacted microsoft.com microsoft-com.mail.protection.outlook.com yahoo.com mta7.am0.yahoodns.net google.com",
"IDS Detections : Win32/AdWare.ICLoader Variant Checkin Suspicious (Virtool:Win32/Obfuscator.AOY)",
"cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/",
"CS IDS: Matches rule (http_inspect) invalid status line",
"IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)",
"https://elegantcosmedampyeah.pages.dev/",
"ET WORM TheMoon.linksys.router",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB",
"File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:",
"\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.redpacketsecurity.com/cve-alert-cve-2025-59230-microsoft-windows-10-version-1809/",
"https://www.lumen.com/en-us/contact-us.html",
"TAGS: yara niggercat none file null object os x outbound passive dns path pattern match",
"sonymusicfans.com \u2022 forms.sonymusicfans.com \u2022 image.emails.sonymusicfans.com \u2022 url8878.e.sonymusicfans.com",
"anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022",
"Domains Contacted : kiss.oatmealscene.loan \u2022 won.channeltest.bid",
"TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater",
"External Hosts: 52.57.183.74\t access.pcspeedcat.com\taccess.pcspeedcat.com\tGermany\tAS16509 amazon.com inc\taccess.pcspeedcat.com Germany AS16509 amazon.",
"http://orangeporntube.net/tsara-brashears.html",
"Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey",
"9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB",
"Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
"ELF:Agent-AQB\\ [Trj] IDS Detections: Potential SSH Scan Potential SSH Scan OUTBOUND",
"Malicious Application Development: herokuappdev.com (Patter match 8 years +)",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"http://213.209.143.24/x32 \u2022 https://250-mail.simswap.in \u2022 https://mail.simswap.in",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com",
"IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections",
"Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP",
"Yara Detections: UPX Alerts injection_inter_process cape_extracted_content",
"TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey",
"IP\u2019s Contacted: 16.85.50.206 215.160.125.18 40.71.227.8 57.122.151.130",
"https://www.redpacketsecurity.com/cve_alert_cve-2025-45492/",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png",
"https://mobile-pocket-guide.centurylinktechnology.com",
"IP\u2019s Contacted: 2.23.173.27 2.23.173.19 34.199.131.241 34.247.72.3 52.19.228.126 104.19.178.52",
"IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
"HTTP traffic on port 443 (POST)",
"Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap",
"Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake",
"www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"Installer Pulse coming soon. It\u2019s probably already posted. Will locate.",
"Phishing: https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav/",
"pcup.gov.ph:",
"Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http",
"https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d",
"Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com",
"Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
"Interesting relationships: LummaC2 , Mirai Botnet , Sony Music Group , Apple",
"https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://url8878.e.sonymusicfans.com/ \u2022 http://url8878.e.sonymusicfans.com/ls/click",
"Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad",
"cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"https://brand.centurylinktechnology.com",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden",
"http://kittler.ru/arm5 \u2022 http://kittler.ru/mpsl \u2022 http://thekittler.ru/rep.arm7",
"nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au",
"Alerts: nolookup_communication writes_to_stdout",
"https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9",
"http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833",
"Cloudflare URL: https://forms.sonymusicfans.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js",
"IDS Detections: tofsee",
"IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup",
"https://forms.sonymusicfans.com/wp-content/plugins/smf-core/assets/css/campaign_333c4e8b19a72989caf8.css",
"http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing",
"IP\u2019s Contacted: 94.100.180.31 142.251.9.27 98.136.96.91 43.231.4.7 52.101.8.42",
"TAGS: sample analysis se domains search security quic add source level span spawns spy",
"https://otx.alienvault.com/indicator/file/b57042ed9a7d7dbe1f7c7f32de74d2b367ee835d",
"remotewd.com device local",
"https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks",
"IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193",
"http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022",
"IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests",
"TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466",
"Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com",
"helloprismatic.com",
"Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap",
"https://l.us-1.a.mimecastprotect.com/l",
"cat-are-here.ru",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,",
"External Hosts: 3.163.24.10\t www.pcspeedcat.com\twww.pcspeedcat.com\tUnited States ASNone",
"https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/",
"Alerts: network_icmp nolookup_communication js_eval recon_fingerprint",
"https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com",
"http://kittler.ru/rep.sh4 \u2022 http://kittler.ru/x32 \u2022 http://cats-master.ru/x86_64",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"Alerts antivm_generic_services persistence_ads anomalous_deletefile Idead_connect",
"https://mom2fuck.mobi/tsara-brashears.html",
"https://hyundaibariavungtau3s.com/vehicle/stargazer",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://appleid.xn--appe-70a.com/",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"237-189-251-104-static.reverse.queryfoundry.net",
"Domains Contacted: c.statcounter.com sstatic1.histats.com",
"Malicious Application Development: herokuappdev.com (pattern matching spans 8+ years)",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj",
"Cart.Guru",
"IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS",
"https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY",
"http://vgt.pl/r.n%20-",
"TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec",
"Yara Detections: Delphi",
"https://foundry2-lbl.dvr.dn2.n-helix.com/",
"TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc",
"http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co",
"https://otx.alienvault.com/indicator/url/https://pegasus.pahamify.com/",
"It\u2019s not illegal to research , examine results, report , share or warn.",
"https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.redpacketsecurity.com/cve_alert_cve-2025-4142/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"http://www.bukaporn.net/trend/tsara-brashears/",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
"Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http",
"Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process",
"biblegateway.comwww.biblegateway.com \u2022 www.biblegateway.com",
"hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv",
"Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT",
"Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location",
"Yara Detections: UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser ,",
"Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://otx.alienvault.com/indicator/file/aeb3d5ec1d144a7b2d51bdb603c052fd52700defb1b039491c4df3f32ece517a",
"registrant in its WHOIS record, often due to regulations like GDPR or ICANN policies.",
"ASP. NET",
"Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
"67-228-69-38-static.reverse.queryfoundry.net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe",
"Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com",
"http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022",
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"Statutory Masking Enabled - a domain registrar is hiding the public contact information for a domains",
"Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com",
"https://alohatube.xyz/search/tsara-brashearsL",
"Lumen Technologies",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"https://otx.alienvault.com/indicator/domain/cat-are-here.ru",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl",
"CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.",
"Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com",
"Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com",
"Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org",
"Amnesty.org | remote.amnesty.org",
"https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:",
"Alerts: crime_win_cutwail_stage2 infostealer_browser infostealer_cookies recon_programs",
"https://cpcontacts.apple4you.it",
"Emotet Yara: Yara Detections ConventionEngine_Term_Desktop , ConventionEngine_Term_Users",
"http://www.anyxxxtube/",
"UPX_OEP_place",
"https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam",
"TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination",
"TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"All Domains Contacted: thekittler.ru newkittler.ru cats-master.ru",
"Same legal , and quasi governmental pattern identified",
"http://tracking-sa3.account.riyadhair.com/tracking/1/open/UGnB4w8RQiQ_9PYty4S-rwBmOetPQw3ubFHSNKg_IdhZfkaCbjqN3pnR4Xwk6pQcRBqF2aoq0uEaKMM4CX1kTpZsAD10-fxAPEgqGzJ2o7BJmsh_G2B6P-m_Xqc_LOycbcGBss0kXIEJvMGRw2SMITzqmVnh1yI_FuZV37qgGHZG3lP1V-WMaNTc8FYNIcgSRyTFamC5k3I1LkpsmTgX5Dd20Ko3IxUqFRC74clpVo-uFwRAb1Q1gSfKrDBX6_LaXkgv9gfyPy7L2BKxAmFBe-Ump3D_wGRDTXekPO5VZJ46hn0pUrOy2g8606kgb703eJVnmrz0cgCd-8P1dOdfoOFrSqOuXzfDNCaUU-2xl1aHVjGCZGIWX6B4bYqznMqsvI8UxoitF5tZTZ3opRhymDkrsItHdJPUnzkc6N_Z370RVT54BihKCohH14lIRQVQN9v74E",
"anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net",
"http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:",
"https://hallrender.com/attorney/brian-sabey",
"Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT",
"Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com",
"https://forms.sonymusicfans.com/campaign/cannons-all-i-need-pre-add-pre-save/",
"http://beelinerouter.net/",
"Alerts: dead_host known_hosts_conn network_icmp tcp_syn_scan osquery_detection",
"feedback-pa.clients6.google.com/v1/survey/trigger/",
"cedevice.io \u2022 decagonsoftware.com",
"https://pamchall.com/Telegram@V2ray_Alpha/",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert",
"Huawei HG532 RCE Vulnerability (CVE-2017-17215)",
"Christopher P. \u2018Buzz\u2019 Ahmann",
"http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/",
"https://www.fidelity.com/ https://www.fidelity.com/",
"https://view.emails.sonymusicfans.com/Error.aspx",
"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",
"TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335",
"https://fs25.mygamesteam.com/download/underground-parking/",
"https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :",
"Delphi This program must be run under Win32 Compilers",
"IP\u2019s Contacted: 32.227.223.238 107.74.143.88 69.196.71.159 96.16.197.80 101.80.61.229 125.101.205.34",
"http://195-214-98-172-static.reverse.queryfoundry.net/",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"https://www.idvd.eu/?cid=oas-japac-domains-applestore.com.cn/90.i.lolik.anyciona.patrolita.casse.897866 \u2022 oas-japac-domains-applestore.com.cn",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6",
"Yara Detections: Cabinet_Archive , SFX_CAB",
"Malware : ClipBanker Entity: Crazy Frost",
"IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202",
"Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap",
"Domains Contacted api.nuget.org",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"genealogytrails.com",
"https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a",
"jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8",
"http://watchhers.net/index.php",
"https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashear",
"FileHash-SHA256\t9f66cab9d7c581cf2dd28b6ae3178bb3d38975ff257c3ffb67c3e89d0f7135ee",
"https://account.helix.com/activate/start",
"Brian Sabey , Christopher P. Ahmann , State of Colorado who",
"https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram",
"Mirai: simswap.in",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube"
],
"related": {
"alienvault": {
"adversary": [
"Silver Dragon"
],
"malware_families": [
"Cobalt strike - s0154",
"Sshcmd",
"Geardoor",
"Silverscreen"
],
"industries": [
"Government"
]
},
"other": {
"adversary": [
"Crazy Frost",
"Palantir Pegasus",
"Coinbase Cartel",
"Gentlemen Ransomware, Ruby Jumper, Moonrise RAT, Dust Specter, NoEscape, Ransom House, Steaelite"
],
"malware_families": [
"Win.packed.usteal-7531303-0",
"Win32:agent",
"Cve-2025-45492",
"#lowfi:win32/sandboxproductid",
"Unix.trojan.mirai-7646352-0",
"Trojandownloader:win32/cutwail",
"Shellcode",
"Worm:win32/autorun",
"Pykspa.c",
"#lowfienabledtcontinueafterunpacking",
"Cve-2023-2868",
"Trojan:bat/musecador",
"Win32:rootkit",
": alf:trojan:msil/azorult.ac!",
"Et",
"Trojan:win32/neconyd.a",
"Win32:malware",
"Deathhiddentear (large&small ht) >",
"Alf:trojan:win32/cryptwrapper.rt!mtb",
"Virtool:win32/obfuscator.ahu",
"Win.dropper.qqpass-7194329-0",
"#lowfi:lua:dllsuspiciousexport.a",
"Win32:trojanx-gen\\ [trj]",
"Ransom:win32/wannacrypt.h",
"Virtool:win32/obfuscator",
"#virtool:win32/obfuscator.adb",
"Win.virus.virlock-6804475-0",
"Trojan:win32/zombie.a",
"Trojan:pdf/phish.rr!mtb",
"Trojan:msil/ranos.a",
"Win32:evo-gen\\ [susp]",
"Ransom:win32/gandcrab",
"Win.packed.generic-9795615-0\t.",
"Trojan:msil/ursu.kp",
"Trojan:win32/dorv.a",
"Win.malware.reline-9887776-0",
"Win.trojan.vundo-7170412-0",
"Cve-2025-59230",
"Tr",
"Simda",
"Win.malware.urelas-9863836-0",
"Unix.trojan.mirai-7135937-0",
"Trojan:win32/ausiv!rfn",
"Win.malware.vmprotect-9880726-0",
"Mirai",
"Trojan:win32/qqpass",
"Pegasus - mob-s0005",
"Mydoom",
"Virut",
"Icedid",
"Ransomware",
"Win.trojan.generic-9801687-0",
"Backdoor:win32/drixed",
"Backdoor:linux/mirai.n!mtb",
"Virtool:win32/injector.gen!bq",
"Multiple malware\u2019s , trojans and rats",
"Cve-2025-4135",
"Cve-2025-4140",
"Win32:backdoor",
"Virtool:win32/injector.cl",
"#lowfi:hstr:virtool:win32/gendecnryptalgo.s02",
"Backdoor:win32/tofsee.t",
"4-0 win.malware.pits-10035540-0",
"Ms defender\talf:heraklezeval:trojan:win32/clipbanker",
"Cve-2025-11727",
"Jaik",
"Alf:heraklezeval:trojan:msil/gravityrat!rfn",
"Win.malware.delf-10008156-0",
"Win.packed.msilperseus-9956592-0",
"Win.malware.bzub-6727003-0",
"Backdoor:win32/small.ir",
"Trojan:win32/smkldr.h!mtb",
"Alf:hacktool:msil/heartsender.a",
"Hacktool",
"Zbot",
"Win.downloader.92-4",
"Elf:agent-aqb\\ [trj]",
"Win.packer.pkr_ce1a-9980177-0",
"Exploit:win32/cve-2017-0147",
"Virtool:msil/injector.bf",
"Unix.trojan.gafgyt-6981160-0",
"Win.trojan.emotet-7545664-0",
"Trojan:win32/emotet.yl",
"Virtool:win32/vbinject.gen!jb",
"Trojan:msil/clipbanker",
"Worm:win32/fadok!rfn",
"Vb flash",
"Alf:backdoor:msil/noancooe.ka",
"Trojan.mydoom/muldrop",
"Rozena",
"Alf:heraklezeval:trojan:win32/eqtonex.f",
"Nid",
"Trojan:win32/miner.ka!mtb",
"Cve-2015-4495",
"Exploit:js/cve-2014-0322",
"Worm:win32/lightmoon.h",
"Win.trojan.vb-83922",
"Dnstrojan",
"Alf:trojan:msil/blackfus.c",
"Win.packed.razy-6847895-0",
"Trojan:win32/conbea!rfn",
"Alf:jasyp:trojan:win32/ircbot!atmn",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Trojan:win32/qshell",
"Trojan.tofsee/botx",
"Unix.trojan.gafgyt-698115",
"Trojandropper:win32/qhost",
"Win.ransomware.wanna-9769986-0",
"Trojan:win32/bagsu!rfn",
"Elf:ddos-s\\ [trj]",
"Win.ransomware.bitman-9862733-0",
"Target saver",
"Trojan.disfa/downloader10",
"Exploit:linux/cve-2017-17215",
"Tofsee attack",
"Trojan:win32/mydoom",
"Win.trojan.dcrat-10039889-0",
"Virtool:win32/injector",
"Trojanproxy:win32/ceutv.a",
"Nids",
"Win.virus.expiro",
"Win.trojan.generic-6417450-0",
"#lowfi:suspicioussectionname",
"Pegasus",
"Win64:trojan-gen",
"Backdoor:win32/plugx.n!",
"Backdoor:msil/bladabindi.aj",
"Unix.trojan.mirai-10028259-0",
"Win.malware.generic-9871124-0",
"Alfper:installcapital",
"Cve-2025-4142",
"Artro",
"Win.spyware.88778-2",
"Worm:win32/benjamin",
"Mirai (windows)",
"Virtool:win32/obfuscator.aoy",
"Win.malware.speedcat-6957425",
"Trojan:win32/floxif.e",
"Pws:win32/qqpass.fc",
"Backdoor:msil/bladabindi.aj gc!",
"Trojan:win32/zusy",
"Gandcrab ransomware",
"Eternalrocks",
"Cve-2024-12847",
"Pony",
"Alf:heraklezeval:trojan:msil/gravityrat",
"Win.dropper.njrat-10015886-0",
"Win.trojan.agent",
"Pws:win32/axespec.a",
"Spyfu",
"Rxr",
"Alf:heraklezeval:trojan:win32/amsitamper.b",
"Trojanspy:win32/nivdort",
"Ransom:win32/blocker.nn!mtb",
"Mirai (elf)",
"Win.trojan.agent-31853",
"Win.trojan.fugrafa-9733007-0",
"Other malware",
"Tofsee",
"Win32:malob-bx\\ [cryp]",
"Trojanspy",
"Win.packed.generic-9795615-0",
"Win.packed.fecn-7077459-0",
"Ddos:linux/gafgyt.ya!mtb"
],
"industries": [
"Civil society",
"Government",
"Insurance",
"Telecommunications",
"Education",
"Technology",
"Telecom",
"Finance",
"Healthcare",
"Legal",
"Defense",
"Media"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "69a73e8545dc6a32312482a1",
"name": "Silver Dragon Targets Organizations in Southeast Asia and Europe",
"description": "Check Point Research has identified a Chinese-nexus advanced persistent threat group named Silver Dragon, targeting organizations in Southeast Asia and Europe since mid-2024. The group, likely operating under APT41, exploits public-facing servers and uses phishing emails for initial access. They deploy custom tools including GearDoor, a backdoor using Google Drive for command and control, SSHcmd for remote access, and SilverScreen for covert screen monitoring. Silver Dragon primarily focuses on government entities, utilizing Cobalt Strike beacons and DNS tunneling for communication. The group's sophisticated tactics and evolving toolkit demonstrate a well-resourced and adaptable threat actor.",
"modified": "2026-03-04T11:07:57.364000",
"created": "2026-03-03T20:03:17.234000",
"tags": [
"apt",
"southeast asia",
"chinese",
"silverscreen",
"geardoor",
"dns tunneling",
"cobalt strike",
"government",
"sshcmd"
],
"references": [
"https://research.checkpoint.com/2026/silver-dragon-targets-organizations-in-southeast-asia-and-europe/"
],
"public": 1,
"adversary": "Silver Dragon",
"targeted_countries": [],
"malware_families": [
{
"id": "GearDoor",
"display_name": "GearDoor",
"target": null
},
{
"id": "SilverScreen",
"display_name": "SilverScreen",
"target": null
},
{
"id": "SSHcmd",
"display_name": "SSHcmd",
"target": null
},
{
"id": "Cobalt Strike - S0154",
"display_name": "Cobalt Strike - S0154",
"target": null
}
],
"attack_ids": [
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1036.005",
"name": "Match Legitimate Name or Location",
"display_name": "T1036.005 - Match Legitimate Name or Location"
},
{
"id": "T1021.004",
"name": "SSH",
"display_name": "T1021.004 - SSH"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1078",
"name": "Valid Accounts",
"display_name": "T1078 - Valid Accounts"
},
{
"id": "T1102.002",
"name": "Bidirectional Communication",
"display_name": "T1102.002 - Bidirectional Communication"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1059.003",
"name": "Windows Command Shell",
"display_name": "T1059.003 - Windows Command Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
}
],
"industries": [
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "AlienVault",
"id": "2",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
"is_subscribed": true,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 1,
"FileHash-SHA256": 31,
"domain": 12,
"hostname": 3
},
"indicator_count": 49,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 377485,
"modified_text": "45 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bbb27ef79369f1b24cd171",
"name": "EbeeMar2026 Pt2",
"description": "Multiple APT/threat actors, Malware and Campaigns",
"modified": "2026-04-18T08:06:12.483000",
"created": "2026-03-19T08:23:26.711000",
"tags": [
"filehashsha256",
"filehashsha1",
"filehashmd5",
"bitcoinaddress"
],
"references": [
"IOCs.2026.2.csv"
],
"public": 1,
"adversary": "Gentlemen Ransomware, Ruby Jumper, Moonrise RAT, Dust Specter, NoEscape, Ransom House, Steaelite",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "IMEBEEIMFINE",
"id": "343873",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 93,
"FileHash-MD5": 157,
"FileHash-SHA1": 150,
"FileHash-SHA256": 268,
"CVE": 5,
"domain": 135,
"email": 1,
"hostname": 42
},
"indicator_count": 851,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 37,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a3c685d4b7c139ffe62930",
"name": "Clone Pulse Reference",
"description": "",
"modified": "2026-04-01T00:44:45.494000",
"created": "2026-03-01T04:54:29.384000",
"tags": [
"ipv4",
"active related",
"trojandropper",
"mtb jun",
"lowfi",
"trojan",
"mtb jan",
"fastly error",
"please",
"united",
"ttl value",
"get na",
"total",
"delete",
"search",
"yara detections",
"sinkhole cookie",
"value snkz",
"write",
"suspicious",
"ransom",
"malware",
"Ransom.Win32.Birele.gsg Checkin",
"AnubisNetworks Sinkhole Cookie Value Snkz",
"Possible Compromised Host",
"dynamicloader",
"delete c",
"default",
"medium",
"write c",
"settingswpad",
"intel",
"ms windows",
"users",
"number",
"title",
"installer",
"top source",
"top destination",
"source source",
"port",
"filehash",
"av detections",
"ids detections",
"yara rule",
"gravityrat",
"detectvm",
"x00 x00",
"x00x00",
"doviacmd",
"rootjob",
"getfiles",
"updateserver",
"ethernetid",
"ids signatures",
"exploits",
"sid name",
"malware cve",
"dns query",
"dnsbin demo",
"data exfil",
"exif data",
"DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr",
"DNSBin Demo (requestbin .net) - Data Exfitration",
"source port",
"destination",
"present sep",
"script urls",
"script script",
"a domains",
"script domains",
"ip address",
"meta",
"present nov",
"passive dns",
"next associated",
"domain add",
"pe executable",
"entries",
"show",
"msie",
"windows nt",
"wow64",
"copy",
"present jan",
"present feb",
"domain",
"pulse pulses",
"urls",
"files",
"tam legal",
"christopher ahmann",
"https://unicef.se/assets/apple",
"treece alfrey",
"hours ago",
"information",
"report spam",
"ahmann colorado",
"state",
"special cousel",
"created",
"expiro",
"capture"
],
"references": [
"Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN",
"Fastly Error and Palantir blocked several times over the last few months.",
"Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)",
"IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.",
"Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN",
"Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT",
"Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName",
"Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage",
"https://unicef.se/assets/apple"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Neconyd.A",
"display_name": "Trojan:Win32/Neconyd.A",
"target": "/malware/Trojan:Win32/Neconyd.A"
},
{
"id": "PWS:Win32/QQpass.FC",
"display_name": "PWS:Win32/QQpass.FC",
"target": "/malware/PWS:Win32/QQpass.FC"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Malware.Urelas-9863836-0",
"display_name": "Win.Malware.Urelas-9863836-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Win.Trojan.Vundo-7170412-0",
"display_name": "Win.Trojan.Vundo-7170412-0",
"target": null
},
{
"id": "#Lowfi:SuspiciousSectionName",
"display_name": "#Lowfi:SuspiciousSectionName",
"target": null
},
{
"id": "Multiple Malware\u2019s , Trojans and Rats",
"display_name": "Multiple Malware\u2019s , Trojans and Rats",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6906bd99cadbd4140014c6af",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 909,
"domain": 454,
"hostname": 1404,
"URL": 3557,
"CIDR": 1,
"FileHash-MD5": 242,
"FileHash-SHA1": 185,
"email": 1,
"CVE": 1
},
"indicator_count": 6754,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ca31b28c2fa3e734bf5000",
"name": "instagram staged credit clone a vashti :(",
"description": "",
"modified": "2026-03-31T12:16:21.521000",
"created": "2026-03-30T08:17:54.205000",
"tags": [
"dynamicloader",
"port",
"destination",
"yara rule",
"high",
"tofsee",
"rndhex",
"rndchar",
"loaderid",
"write",
"stream",
"malware",
"systemroot",
"write c",
"displayname",
"windows",
"trojan",
"defender",
"unknown",
"less see",
"all ip",
"contacted",
"less related",
"meta",
"emotet",
"backdoor",
"packer",
"many",
"hall render",
"brian sabey",
"christopher p. ahmann",
"state of colorado",
"google",
"yahoo",
"microsoft",
"stealth window",
"reads_self",
"injection write process",
"remote",
"remote process",
"dynamic function loading",
"compromises device",
"dead connect",
"dynamic loader",
"command",
"cnc",
"sleep sandbox",
"iocontrol",
"behavior tofsee",
"suspicious code",
"injection",
"persistence",
"rootkit",
"social media",
"belgium belgium",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"network traffic",
"t1071",
"spawns",
"html content",
"href",
"general",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"defense evasion",
"development att",
"tracking"
],
"references": [
"Instagram.com",
"IDS Detections: tofsee",
"Alerts antivm_generic_services persistence_ads anomalous_deletefile Idead_connect",
"Alerts: suspicious_tld queries_computer_name dynamic_function_loading",
"Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
"IP\u2019s Contacted: 94.100.180.31 142.251.9.27 98.136.96.91 43.231.4.7 52.101.8.42",
"Domains Contacted microsoft.com microsoft-com.mail.protection.outlook.com yahoo.com mta7.am0.yahoodns.net google.com",
"Brian Sabey , Christopher P. Ahmann , State of Colorado who",
"http://tracking-sa3.account.riyadhair.com/tracking/1/open/UGnB4w8RQiQ_9PYty4S-rwBmOetPQw3ubFHSNKg_IdhZfkaCbjqN3pnR4Xwk6pQcRBqF2aoq0uEaKMM4CX1kTpZsAD10-fxAPEgqGzJ2o7BJmsh_G2B6P-m_Xqc_LOycbcGBss0kXIEJvMGRw2SMITzqmVnh1yI_FuZV37qgGHZG3lP1V-WMaNTc8FYNIcgSRyTFamC5k3I1LkpsmTgX5Dd20Ko3IxUqFRC74clpVo-uFwRAb1Q1gSfKrDBX6_LaXkgv9gfyPy7L2BKxAmFBe-Ump3D_wGRDTXekPO5VZJ46hn0pUrOy2g8606kgb703eJVnmrz0cgCd-8P1dOdfoOFrSqOuXzfDNCaUU-2xl1aHVjGCZGIWX6B4bYqznMqsvI8UxoitF5tZTZ3opRhymDkrsItHdJPUnzkc6N_Z370RVT54BihKCohH14lIRQVQN9v74E",
"Looks like a Pegasus tracking sphere. All contacts and contacts, contacts tracked."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Emotet.YL",
"display_name": "Trojan:Win32/Emotet.YL",
"target": "/malware/Trojan:Win32/Emotet.YL"
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6949b6d8180bca3df9783578",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 911,
"domain": 178,
"hostname": 206,
"FileHash-SHA256": 647,
"FileHash-MD5": 38,
"FileHash-SHA1": 28
},
"indicator_count": 2008,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698ef344417f9985660e698b",
"name": "Pulse Data",
"description": "A complete summary of all the key points in the analysis of the W32.virus, compiled by the University of California, Los Angeles, at the end of May, 2014, and published online.",
"modified": "2026-03-28T07:23:23.210000",
"created": "2026-02-13T09:47:48.788000",
"tags": [
"imphash",
"file type",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"detections tls",
"zeppelin"
],
"references": [
"",
"4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access "
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 646,
"FileHash-SHA1": 604,
"FileHash-SHA256": 1373,
"hostname": 1143,
"domain": 1381,
"URL": 2537,
"CVE": 101,
"email": 25,
"SSLCertFingerprint": 9
},
"indicator_count": 7819,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "22 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698e906da16336f8e87c3b90",
"name": "CoinHive Clone ",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-02-13T02:46:05.544000",
"tags": [
"united",
"td tr",
"a domains",
"history group",
"state",
"b td",
"present sep",
"find",
"alabama",
"iowa",
"apache",
"content type",
"passive dns",
"meta http",
"content",
"gmt server",
"pragma",
"title",
"linksys eseries",
"device rce",
"inbound",
"et exploit",
"attempt",
"et webserver",
"suspicious user",
"user agent",
"et worm",
"policy python",
"python",
"agent",
"generic",
"malware",
"nids",
"dst_ip",
"\"sid\": 2017515,",
"2020/08/23",
"dst_port\": 8080",
"suricata",
"network_icmp",
"tcp_syn_scan",
"unix",
"mirai",
"infection",
"port 8080",
"aitm",
"mitm",
"xfinity",
"lumen backbone",
"xfinity cf",
"et info",
"useragent",
"webserver",
"android",
"linux",
"statistically stripped",
"local",
"Jefferson County",
"Colorado",
"State",
"is__elf",
"is__war",
"cyber warfare",
"marking",
"targeting",
"stalking",
"impersonating",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"initial access",
"defense evasion",
"mitre att",
"ck matrix",
"february",
"hybrid",
"general",
"path",
"encrypt",
"click",
"strings",
"attack",
"ssl certificate",
"ascii text",
"dynamicloader",
"yara rule",
"ff d5",
"medium",
"high",
"eb d8",
"f0 ff",
"ff bb",
"host",
"unknown",
"explorer",
"virtool",
"write",
"next",
"Douglas County",
"Michael Roberts",
"Brian Sabey",
"Chris\u2019Buzz\u2019 Ahmann",
"Mirai BotMaster",
"file type",
"pexe",
"pe32",
"intel",
"ms windows",
"date march",
"am size",
"imphash",
"otx logo",
"all filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"moved",
"urls",
"expiration date",
"all hostname",
"files",
"media",
"present feb",
"present jan",
"present dec",
"present nov",
"ip address",
"present",
"codex",
"sf.net",
"next associated",
"ipv4 add",
"location united",
"america flag",
"spawns",
"found",
"t1480 execution",
"pattern match",
"present aug",
"search",
"name servers",
"showing",
"record value",
"meta",
"accept",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"denver",
"yandex",
"post",
"entries",
"post http",
"show",
"post liquor",
"execution",
"port",
"destination",
"icmp traffic",
"dns query",
"include",
"top source"
],
"references": [
"https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in",
"genealogytrails.com",
"It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT",
"Has been present throughout a specific campaign",
"Mirai",
"IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt",
"IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS",
"IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests",
"IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)",
"IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden",
"ET INFO User-Agent (python-requests) Inbound to Webserver",
"Suspicious User Agent | ETPRO POLICY Python Requests",
"src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105",
"\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,",
"TCP SYN packets were observed",
"ET WORM TheMoon.linksys.router",
"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound",
"\"ET WEB_SERVER WebShell Generic - wget http - POST",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX",
"Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication",
"Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc",
"Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject",
"File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:",
"upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4",
"192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net",
"Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB",
"IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz",
"IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin",
"Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process",
"Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options",
"Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..",
"IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193",
"IPs Contacted: 149.56.240.31 172.66.136.209",
"Domains Contacted: c.statcounter.com sstatic1.histats.com",
"Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com",
"Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com",
"Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com",
"Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com",
"Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com",
"Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com",
"Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com",
"Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7646352-0",
"display_name": "Unix.Trojan.Mirai-7646352-0",
"target": null
},
{
"id": "SpyFu",
"display_name": "SpyFu",
"target": null
},
{
"id": "Win.Trojan.VB-83922",
"display_name": "Win.Trojan.VB-83922",
"target": null
},
{
"id": "virtool:Win32/VBInject.gen!JB",
"display_name": "virtool:Win32/VBInject.gen!JB",
"target": "/malware/virtool:Win32/VBInject.gen!JB"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "698966742c9fd9691396bb3a",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5836,
"domain": 857,
"FileHash-MD5": 185,
"FileHash-SHA1": 147,
"hostname": 1842,
"email": 7,
"FileHash-SHA256": 947,
"CVE": 43,
"SSLCertFingerprint": 8
},
"indicator_count": 9872,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b49ad5dd40a24d83cd6a72",
"name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-03-13T23:16:37.716000",
"created": "2026-03-13T23:16:37.716000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69631fbd16e306ee2b76c4da",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b496396ca4987e95ad37d1",
"name": "Chris Buzz by QVashni (wow)",
"description": "",
"modified": "2026-03-13T22:56:57.314000",
"created": "2026-03-13T22:56:57.314000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69482caa00d327da8f0a87bc",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b49587dd104e342dda1628",
"name": "C Ahman Attorney Clone by Top Tier, Q.Vashti",
"description": "",
"modified": "2026-03-13T22:53:59.112000",
"created": "2026-03-13T22:53:59.112000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "copilot-cloud.net",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "copilot-cloud.net",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776591990.2949095
}